fix weird attack data links #3437


Merged
merged 8 commits into from
May 5, 2025

Conversation

pyth0n1c
Collaborator

@pyth0n1c pyth0n1c commented Apr 1, 2025

These are a number of minor issues with attack_data links that should be fixed.
First, some of them refer to RAW, non-log files, such as .txt files. Those files
should be converted to LOG files so that they are available in gitlfs.

Second, some of the files use a slightly different path, such as a path
that includes /refs/, when they should not.

This is true for a handful of production detections as well as non-production detections,
such as experimental content.

However, even if something is experimental or deprecated, if it has an attack_data link, that link
should be validated to be correct. Right now, those are missed because that validation only happens
for tested content at contentctl test runtime.

When possible, we will move this validation to contentctl validate time when a local copy of the
attack_data repo is present.
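One way to make the checks this description asks for runnable at validate time, as an added example that is not contentctl's or security_content's own code: the URL prefix, the `/refs/` and `.log` rules, and the local checkout layout (`datasets/` under the repo root) are assumptions drawn from the links discussed in this PR.

```python
from pathlib import Path
from typing import Optional

# Prefix that the valid attack_data links on this PR use; the rule set below is an assumption.
ATTACK_DATA_PREFIX = "https://raw.githubusercontent.com/splunk/attack_data/master/datasets/"


def check_attack_data_url(url: str, local_repo: Optional[Path] = None) -> list:
    """Return the problems found with one attack_data link (empty list means it looks fine)."""
    problems = []
    if "/refs/" in url:
        # e.g. .../attack_data/refs/heads/master/... instead of .../attack_data/master/...
        problems.append("path contains a /refs/ component")
    if not url.startswith(ATTACK_DATA_PREFIX):
        problems.append("not under the attack_data master datasets path")
    if not url.endswith(".log"):
        problems.append("dataset is not a .log file (raw .txt files are not in git lfs)")
    if local_repo is not None and url.startswith(ATTACK_DATA_PREFIX):
        # Existence check against a local clone, as the description proposes for validate time.
        rel = url[len(ATTACK_DATA_PREFIX):]
        if not (local_repo / "datasets" / rel).is_file():
            problems.append("dataset missing from the local attack_data checkout")
    return problems


def check_detection_tests(tests: list, local_repo: Optional[Path] = None) -> dict:
    """Walk the 'tests' list of a detection (same shape as the YAML quoted in this PR)."""
    findings = {}
    for test in tests:
        for entry in test.get("attack_data", []):
            url = entry.get("data", "")
            problems = check_attack_data_url(url, local_repo)
            if problems:
                findings[url] = problems
    return findings


# Constructed sample: one good link (the one quoted in this PR) and two of the bad shapes it fixes.
GOOD_URL = ATTACK_DATA_PREFIX + "attack_techniques/T1484/privesc/priv_esc.log"
REFS_URL = ("https://raw.githubusercontent.com/splunk/attack_data/refs/heads/master/"
            "datasets/attack_techniques/T1484/privesc/priv_esc.log")
TXT_URL = ATTACK_DATA_PREFIX + "attack_techniques/T1484/privesc/priv_esc.txt"
SAMPLE_TESTS = [{"name": "True Positive Test",
                 "attack_data": [{"data": GOOD_URL}, {"data": REFS_URL}, {"data": TXT_URL}]}]

if __name__ == "__main__":
    for url, problems in check_detection_tests(SAMPLE_TESTS).items():
        print(url, "->", "; ".join(problems))
```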

…actually does not have a valid dataset - it pointed to one that does not exist. That dataset also did not exist in the git history for attack_data.
- name: True Positive Test
  attack_data:
    - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log
Collaborator Author

@pyth0n1c pyth0n1c Apr 1, 2025


I cannot find a fitting file for this in the current git repo or the git history. At one point this detection pointed at the following file, which does exist, but it is not correct. The name of the Analytic Story the search references, Active Directory Privilege Escalation, does not appear in ANY raw content in the attack_data repo (including old history, as far as I can tell).
https://github.com/splunk/security_content/blame/62e859ba7b7407a9418d9b64f1869f579ffe8dd4/detections/endpoint/active_directory_privilege_escalation_identified.yml#L56

Since test data is optional for correlation searches, this test data has been removed.

@ljstella
Contributor

ljstella commented May 2, 2025

Okay, we're still failing, but we're failing because the link we've updated to changes in splunk/attack_data#975 and that hasn't landed yet.

Edit: Now it's passing after that landed.

…rent conf stanza due to added fields. Don't re-bump things that already had their version bumped after the last release - this is a check that now causes a contentctl inspect failure. Finally, update all of the versions to today since this is the last time that the contents of the stanza are different.
@ljstella
Contributor

ljstella commented May 5, 2025

CI here times out after 6 hours so...

Full package unit test results, from AWS:

summary:
  mode: All
  enable_integration_testing: false
  success: false
  total_detections: 1764
  total_tested_detections: 1572
  total_pass: 1571
  total_fail: 1
  total_skipped: 192
  total_untested: 0
  total_production: 1622
  total_experimental: 136
  total_deprecated: 6
  total_manual: 38
  success_rate: 99.9%

Only failure is a known issue at the moment (see #3311)

@patel-bhavin
Contributor

LGTM! :shipit:

@patel-bhavin patel-bhavin merged commit 78f52c4 into develop May 5, 2025
3 of 4 checks passed
@patel-bhavin patel-bhavin deleted the fix_bad_attack_data_paths branch May 5, 2025 16:50
@patel-bhavin patel-bhavin added this to the v5.5.0 milestone May 5, 2025