splunk · patel-bhavin · May 9, 2025
@@ -44,9 +44,9 @@ apps:
 - uid: 7404
   title: Cisco Security Cloud
   appid: CiscoSecurityCloud
-  version: 3.1.1
+  version: 3.2.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_311.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_320.tgz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon
@@ -101,9 +101,9 @@ apps:
 - uid: 5466
   title: TA for Zeek
   appid: SPLUNK_TA_FOR_ZEEK
-  version: 1.0.8
+  version: 1.0.9
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_108.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_109.tgz
 - uid: 3258
   title: Splunk Add-on for NGINX
   appid: SPLUNK_ADD_ON_FOR_NGINX
@@ -155,9 +155,9 @@ apps:
 - uid: 5556
   title: Splunk Add-on for Google Workspace
   appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
-  version: 3.0.3
+  version: 3.0.4
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_303.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_304.tgz
 - uid: 3110
   title: Splunk Add-on for Microsoft Cloud Services
   appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES

@@ -15,4 +15,4 @@ sourcetype: bro:conn:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -16,5 +16,4 @@ sourcetype: bro:dns:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
-
+  version: 1.0.9
@@ -17,4 +17,4 @@ sourcetype: bro:files:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -16,4 +16,4 @@ sourcetype: bro:http:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -15,4 +15,4 @@ sourcetype: bro:loaded_scripts:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -15,4 +15,4 @@ sourcetype: bro:ntp:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -16,4 +16,4 @@ sourcetype: bro:ocsp:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -16,4 +16,4 @@ sourcetype: bro:ssl:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -16,4 +16,4 @@ sourcetype: bro:weird:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -16,4 +16,4 @@ sourcetype: bro:x509:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.8
+  version: 1.0.9
@@ -10,5 +10,5 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.1.1
+  version: 3.2.0
 fields: null
@@ -3,13 +3,14 @@ id: 18878597-8f8a-4bca-a805-bfbe35e00032
 version: 1
 date: '2025-04-01'
 author: Nasreddine Bencherchali, Splunk
-description: Data source object for raw connection events from Cisco Secure Firewall Threat Defense
+description: Data source object for raw connection events from Cisco Secure Firewall
+  Threat Defense
 source: not_applicable
 sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.1.1
+  version: 3.2.0
 fields:
 - AC_RuleAction
 - action
@@ -115,4 +116,18 @@ output_fields:
 - rule
 - url
 - action
-example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110", "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp", "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside", "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default", "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox", "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1, "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity", "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c", "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com", "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10", "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]", "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0, "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}'
+example_log: '{"EventType":"ConnectionEvent", "FirstPacketSecond":1743500734, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63",
+  "InstanceID":1, "ConnectionID":259, "AC_RuleAction":"Block", "InitiatorIP":"172.16.3.110",
+  "ResponderIP":"142.250.191.196", "InitiatorPort":62296, "ResponderPort":443, "Protocol":"tcp",
+  "IngressInterface":"inside", "EgressInterface":"outside", "IngressZone":"inside",
+  "EgressZone":"outside", "IngressVRF":"Global", "EgressVRF":"Global", "FirewallPolicy":"default",
+  "FirewallRule":"NasBlock", "PrefilterPolicy":"Default Prefilter Policy", "ClientApplication":"Firefox",
+  "Application":"HTTPS", "WebApplication":"Google", "InitiatorPackets":3, "ResponderPackets":1,
+  "InitiatorBytes":840, "ResponderBytes":66, "NAP_Policy":"Balanced Security and Connectivity",
+  "SSL_Policy":"None", "SSL_FlowStatus":"Success", "SSL_CipherSuite":"Unknown", "SSL_CertFingerprint":"2fcc05c514c4cda4260531f967407cd33974340c",
+  "SSL_Version":"Unknown", "SSL_ServerCertStatus":"Not Checked", "SSL_ActualAction":"Do
+  Not Decrypt", "SSL_ExpectedAction":"Do Not Decrypt", "URL":"https://www.google.com",
+  "NAT_InitiatorPort":62296, "NAT_ResponderPort":443, "NAT_InitiatorIP":"172.16.2.10",
+  "NAT_ResponderIP":"142.250.191.196", "EVE_Fingerprint":"tls/1/(0303)(130113031302c02bc02fcca9cca8c02cc030c00ac009c013c014009c009d002f0035)[(0000)(000500050100000000)(000a000e000c001d00170018001901000101)(000b00020100)(000d0018001604030503060308040805080604010501060102030201)(0010000e000c02683208687474702f312e31)(0012)(0017)(001c00024001)(0022)(0023)(002b00050403040303)(002d00020101)(0033)(fe0d)(ff01)]",
+  "EVE_Process":"firefox browser", "EVE_ProcessConfidencePct":100, "EVE_ThreatConfidencePct":0,
+  "EVE_ThreatConfidenceIndex":1, "ClientAppDetector":"Encrypted Visibility"}'
@@ -3,13 +3,14 @@ id: 19878597-8f8a-4bca-a805-bfbe35e00032
 version: 1
 date: '2025-04-07'
 author: Nasreddine Bencherchali, Splunk
-description: Data source object for raw file events from Cisco Secure Firewall Threat Defense
+description: Data source object for raw file events from Cisco Secure Firewall Threat
+  Defense
 source: not_applicable
 sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.1.1
+  version: 3.2.0
 fields:
 - app
 - Application
@@ -90,4 +91,13 @@ output_fields:
 - FileType
 - file_hash
 - SHA_Disposition
-example_log: '{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158", "ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp", "FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f", "SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR", "FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", "EgressVRF":"Global", "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}'
+example_log: '{"EventType":"FileEvent", "EventSecond":1741199882, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63",
+  "InstanceID":1, "FirstPacketSecond":1741199881, "ConnectionID":10092, "InitiatorIP":"172.16.3.158",
+  "ResponderIP":"85.215.35.144", "InitiatorPort":55988, "ResponderPort":80, "Protocol":"tcp",
+  "FileDirection":"Download", "FileAction":"Malware Cloud Lookup", "FileSHA256":"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
+  "SHA_Disposition":"Malware", "SperoDisposition":"Spero detection not performed on
+  file", "ThreatName":"EICAR", "ThreatScore":76, "FileName":"csm-eicar.gif", "FileType":"EICAR",
+  "FileSize":68, "Application":"HTTP", "ClientApplication":"Wget", "WebApplication":"Web
+  Browsing", "FilePolicy":"Test", "FileStorageStatus":"File Size Is Too Small", "FileSandboxStatus":"File
+  Size Is Too Small", "URI":"/csm-eicar.gif", "IngressVRF":"Global", "EgressVRF":"Global",
+  "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D"}'
@@ -3,13 +3,14 @@ id: d11b67ec-1cb2-4f6f-a2d8-a099c7e15b29
 version: 1
 date: '2025-04-16'
 author: Nasreddine Bencherchali, Splunk
-description: Data source object for raw intrusion events from Cisco Secure Firewall Threat Defense
+description: Data source object for raw intrusion events from Cisco Secure Firewall
+  Threat Defense
 source: not_applicable
 sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.1.1
+  version: 3.2.0
 fields:
 - Application
 - Classification
@@ -156,4 +157,31 @@ output_fields:
 - rule
 - transport
 - app
-example_log: '"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756, "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707, "ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110", "InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside", "EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1, "GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE download of executable content", "Classification":"Potential Corporate Policy Violation", "WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP", "IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode", "IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com", "HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe", "SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676, "ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802, "ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10", "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024", "EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37", "FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal", "IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024", "IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024", "InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5, "InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024", "IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024", "ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3, "UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731, "WebApplicationProductivityIndex":2}'
+example_log: '"EventType":"IntrusionEvent", "EventSecond":1744752707, "EventMicrosecond":709756,
+  "DeviceUUID":"11bc8e94-f604-11ef-bcfe-eeb1de9c8a63", "InstanceID":1, "FirstPacketSecond":1744752707,
+  "ConnectionID":27798, "InitiatorIP":"146.75.78.172", "ResponderIP":"172.16.3.110",
+  "InitiatorPort":80, "ResponderPort":2604, "Protocol":"tcp", "IngressInterface":"outside",
+  "EgressInterface":"inside", "IngressZone":"outside", "EgressZone":"inside", "PriorityID":1,
+  "GeneratorID":1, "SignatureID":11192, "SignatureRevision":20, "Impact":5, "IntrusionRuleMessage":"FILE-EXECUTABLE
+  download of executable content", "Classification":"Potential Corporate Policy Violation",
+  "WebApplication":"Microsoft Update", "ClientApplication":"Parallels", "Application":"HTTP",
+  "IntrusionPolicy":"default", "FirewallPolicy":"default", "FirewallRule":"Permit
+  Outbound", "NAP_Policy":"Balanced Security and Connectivity", "InlineResult":"Would
+  block", "InlineResultReason":"Intrusion Policy in \"Detection\" Inspection Mode",
+  "IngressVRF":"Global", "EgressVRF":"Global", "HTTP_Hostname":"au.download.windowsupdate.com",
+  "HTTP_URI":"/d/msdownload/update/software/defu/2025/04/am_delta_patch_1.427.242.0_5ac0bd95663c4357097204f23072019d82f2e8ce.exe",
+  "SnortRuleGroups":"Rule Categories>File>Executable", "MitreAttackGroups":"MITRE>ATT&CK
+  Framework>Enterprise>Execution>User Execution>Malicious File", "ApplicationID":676,
+  "ApplicationProductivityIndex":3, "ApplicationRiskIndex":1, "ClientApplicationID":2802,
+  "ClientApplicationProductivityIndex":4, "ClientApplicationRiskIndex":2, "Device":"172.16.0.10",
+  "DeviceIP":"172.16.0.10", "DeviceSerialNumber":"9AD5V8FSS0D", "EgressInterfaceUUID":"efbb6160-f60a-11ef-a955-43d7eeccc024",
+  "EgressZoneUUID":"efbcd7ac-f60a-11ef-a955-43d7eeccc024", "EventID":195, "FirewallPolicyUUID":"00000000-0000-0000-0000-000067fece37",
+  "FirewallRuleID":268434433, "Hostname":"ip-172-16-0-50.us-east-2.compute.internal",
+  "IngressInterfaceUUID":"ef9a2180-f60a-11ef-a955-43d7eeccc024", "IngressZoneUUID":"ef9c7c64-f60a-11ef-a955-43d7eeccc024",
+  "InitiatorContinent":"North America", "InitiatorContinentCode":"na", "InitiatorCountry":"United
+  States", "InitiatorCountryCode":"usa", "InitiatorCountryID":840, "InlineResultID":5,
+  "InlineResultReasonID":2, "IntrusionPolicyRevUUID":"c1fab45a-f615-11ef-bd70-44d7eeccc024",
+  "IntrusionPolicyUUID":"0210b9f5-95a7-0ed3-0000-004294971142", "NAP_PolicyUUID":"a6738542-f604-11ef-8765-a4eeeeccc024",
+  "ProtocolID":6, "RealmID":0, "RealmName":"Invalid ID", "SensorID":2, "SnortVersionID":3,
+  "UserID":9999997, "WebApplicationHTTP":"Microsoft Update", "WebApplicationID":731,
+  "WebApplicationProductivityIndex":2}'
@@ -14,43 +14,42 @@ mitre_components:
 source: http:gsuite
 sourcetype: gsuite:drive:json
 supported_TA:
-  - name: Splunk Add-on for Google Workspace
-    url: https://splunkbase.splunk.com/app/5556
-    version: 3.0.3
+- name: Splunk Add-on for Google Workspace
+  url: https://splunkbase.splunk.com/app/5556
+  version: 3.0.4
 fields:
-  - _time
-  - email
-  - host
-  - index
-  - ip_address
-  - linecount
-  - name
-  - parameters.actor_is_collaborator_account
-  - parameters.billable
-  - parameters.doc_id
-  - parameters.doc_title
-  - parameters.doc_type
-  - parameters.is_encrypted
-  - parameters.new_value{}
-  - parameters.old_value{}
-  - parameters.old_visibility
-  - parameters.originating_app_id
-  - parameters.owner
-  - parameters.owner_is_shared_drive
-  - parameters.owner_is_team_drive
-  - parameters.primary_event
-  - parameters.target_user
-  - parameters.visibility
-  - parameters.visibility_change
-  - punct
-  - source
-  - sourcetype
-  - splunk_server
-  - timestamp
-  - type
-  - unique_id
-example_log:
-  '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
+- _time
+- email
+- host
+- index
+- ip_address
+- linecount
+- name
+- parameters.actor_is_collaborator_account
+- parameters.billable
+- parameters.doc_id
+- parameters.doc_title
+- parameters.doc_type
+- parameters.is_encrypted
+- parameters.new_value{}
+- parameters.old_value{}
+- parameters.old_visibility
+- parameters.originating_app_id
+- parameters.owner
+- parameters.owner_is_shared_drive
+- parameters.owner_is_team_drive
+- parameters.primary_event
+- parameters.target_user
+- parameters.visibility
+- parameters.visibility_change
+- punct
+- source
+- sourcetype
+- splunk_server
+- timestamp
+- type
+- unique_id
+example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
   true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com",
   "old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id":
   "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "doc_type": "spreadsheet", "is_encrypted":