Add Zeek TA, fix detection source list

delgado-jacob · delgado-jacob · commit 6488af7c5774 · 2025-03-18T14:29:30.000-07:00
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
@@ -12,4 +12,7 @@ mitre_components:
 - Application Log Content
 source: bro:conn:json
 sourcetype: bro:conn:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
@@ -13,4 +13,8 @@ mitre_components:
 - Response Metadata
 source: bro:dns:json
 sourcetype: bro:dns:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
+
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
@@ -14,4 +14,7 @@ mitre_components:
 - Application Log Content
 source: bro:files:json
 sourcetype: bro:files:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
@@ -13,4 +13,7 @@ mitre_components:
 - Application Log Content
 source: bro:http:json
 sourcetype: bro:http:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
@@ -12,4 +12,7 @@ mitre_components:
 - OS API Execution
 source: bro:loaded_scripts:json
 sourcetype: bro:loaded_scripts:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
@@ -12,4 +12,7 @@ mitre_components:
 - Application Log Content
 source: bro:ntp:json
 sourcetype: bro:ntp:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
@@ -13,4 +13,7 @@ mitre_components:
 - Application Log Content
 source: bro:ocsp:json
 sourcetype: bro:ocsp:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
@@ -13,4 +13,7 @@ mitre_components:
 - Application Log Content
 source: bro:ssl:json
 sourcetype: bro:ssl:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
@@ -13,4 +13,7 @@ mitre_components:
 - Host Status
 source: bro:weird:json
 sourcetype: bro:weird:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
@@ -13,4 +13,7 @@ mitre_components:
 - Host Status
 source: bro:x509:json
 sourcetype: bro:x509:json
-supported_TA: []
+supported_TA:
+- name: TA for Zeek
+  url: https://splunkbase.splunk.com/app/5466
+  version: 1.0.8
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
@@ -13,10 +13,7 @@ description: The following analytic identifies outbound LDAP traffic to external
   this to access sensitive directory information, leading to data breaches or further
   network compromise.
 data_source:
-- Bro conn
 - Palo Alto Network Traffic
-- Splunk Stream TCP
-- Splunk Stream IP
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic
   where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip
