Merge branch 'develop' into remove_v5.4.0

Author: pyth0n1c

data_sources/aws_cloudtrail_deleteguardrail.yml

@@ -0,0 +1,121 @@
+name: AWS CloudTrail DeleteGuardrail
+id: 2f6e9d7a-1c53-48b1-be57-33a91e0f8c42
+version: 1
+date: '2023-10-15'
+author: Bhavin Patel, Splunk
+description: Logs an event when a guardrail is deleted within the AWS CloudTrail.
+mitre_components:
+- Cloud Service Modification
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+separator_value: DeleteGuardrail
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.guardrailId
+- responseElements.requestId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_ip_range
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "principalId":
+  "AROAIJIESMXKGCJRCTPR6:[email protected]", "arn": "arn:aws:sts::111111111111:assumed-role/admin_role/[email protected]",
+  "accountId": "111111111111", "accessKeyId": "ASIAYTOGP2RLXXXXXXXX", "sessionContext":
+  {"sessionIssuer": {"type": "Role", "principalId": "AROAIJIESMXKGCJRCTPR6", "arn":
+  "arn:aws:iam::111111111111:role/admin_role", "accountId": "111111111111", "userName":
+  "admin_role"}, "webIdFederationData": {}, "attributes": {"mfaAuthenticated":
+  "false", "creationDate": "2023-10-15T08:36:15Z"}}}, "eventTime": "2023-10-15T08:49:49Z",
+  "eventSource": "bedrock.amazonaws.com", "eventName": "DeleteGuardrail", "awsRegion":
+  "us-east-1", "sourceIPAddress": "192.0.2.1", "userAgent": "aws-cli/2.9.15", 
+  "requestParameters": {"guardrailId": "grail-12345abcdef"}, 
+  "responseElements": {"requestId": "97b40da9-9291-4a92-8e9e-892b6887ffc9"}, 
+  "requestID": "97b40da9-9291-4a92-8e9e-892b6887ffc9", "eventID":
+  "46fe04b8-d007-4933-8bb8-c8b65c1121fa", "readOnly": false, "eventType": "AwsApiCall",
+  "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product 

data_sources/aws_cloudtrail_deleteknowledgebase.yml

@@ -0,0 +1,108 @@
+name: AWS CloudTrail DeleteKnowledgeBase
+id: a8c47f25-5693-4d1a-9f8b-6e94d15ac2d9
+version: 1
+date: '2023-10-15'
+author: Bhavin Patel, Splunk
+description: Logs an event when a knowledge base is deleted within the AWS CloudTrail.
+mitre_components:
+- Cloud Service Modification
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+separator_value: DeleteKnowledgeBase
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.1
+fields:
+- _time
+- action
+- app
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- direction
+- dvc
+- errorCode
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- index
+- linecount
+- managementEvent
+- msg
+- object_category
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- recipientAccountId
+- region
+- requestID
+- requestParameters.knowledgeBaseId
+- responseElements.requestId
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- src
+- src_ip
+- src_ip_range
+- start_time
+- status
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", "principalId": "AROA:[email protected]", "arn": "arn:aws:sts::111111111:assumed-role/daftpunk/[email protected]", "accountId": "111111111", "accessKeyId": "ASIAYTOGP2RLLIVGGYLX", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROA", "arn": "arn:aws:iam::111111111:role/aws-reserved/sso.amazonaws.com/us-west-2/daftpunk", "accountId": "111111111", "userName": "daftpunk"}, "attributes": {"creationDate": "2025-04-03T21:50:08Z", "mfaAuthenticated": "false"}}}, "eventTime": "2025-04-03T23:49:06Z", "eventSource": "bedrock.amazonaws.com", "eventName": "DeleteKnowledgeBase", "awsRegion": "us-west-2", "sourceIPAddress": "23.93.242.200", "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36", "requestParameters": {"knowledgeBaseId": "T9PFUXGAPO"}, "responseElements": {"Access-Control-Expose-Headers": "x-amzn-Apigw-id,x-amzn-ErrorMessage,x-amzn-RequestId,x-amzn-ErrorType,x-amzn-Trace-id,refreshtoken,Date", "knowledgeBaseId": "T9PFUXGAPO", "status": "DELETING"}, "requestID": "9dfbaf92-e781-4837-ad53-d72e20be1ac2", "eventID": "bff5a344-3908-41f0-bb57-d57a01014ff3", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111", "eventCategory": "Management"}'
+output_fields:
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product 

data_sources/aws_cloudtrail_deletemodelinvocationloggingconfiguration.yml

@@ -0,0 +1,132 @@
+name: AWS CloudTrail DeleteModelInvocationLoggingConfiguration
+id: fe2b3a52-1c8d-4e17-9f74-76c531a87e21
+version: 1
+date: '2023-10-15'
+author: Bhavin Patel, Splunk
+description: Logs an event when a model invocation logging configuration is deleted within the AWS CloudTrail.
+mitre_components:
+- Cloud Service Modification
+source: aws_cloudtrail
+sourcetype: aws:cloudtrail
+separator: eventName
+separator_value: DeleteModelInvocationLoggingConfiguration
+supported_TA:
+- name: Splunk Add-on for AWS
+  url: https://splunkbase.splunk.com/app/1876
+  version: 7.9.1
+fields:
+- _time
+- action
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dest_ip_range
+- dest_port_range
+- direction
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- image_id
+- index
+- instance_type
+- linecount
+- managementEvent
+- msg
+- object
+- object_attrs
+- object_category
+- object_id
+- object_path
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters
+- responseElements
+- result
+- result_id
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_ip_range
+- src_port_range
+- src_user
+- src_user_id
+- src_user_name
+- src_user_role
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::eventtype
+- tag::object_category
+- temp_access_key
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.type
+- userIdentity.userName
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "IAMUser", "principalId": "AAAAAAA", "arn": "arn:aws:iam::111111111111:user/daftpunk", "accountId": "111111111111", "accessKeyId": "AKIAAAAAAAA", "userName": "daftpunk"}, "eventTime": "2025-04-03T17:16:02Z", "eventSource": "bedrock.amazonaws.com", "eventName": "DeleteModelInvocationLoggingConfiguration", "awsRegion": "us-west-2", "sourceIPAddress": "23.93.242.200", "userAgent": "aws-cli/2.24.22 md/awscrt#0.23.8 ua/2.1 os/macos#24.3.0 md/arch#arm64 lang/python#3.12.9 md/pyimpl#CPython cfg/retry-mode#standard md/installer#source md/prompt#off md/command#bedrock.delete-model-invocation-logging-configuration", "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:iam::111111111111:user/daftpunk is not authorized to perform: bedrock:DeleteModelInvocationLoggingConfiguration because no identity-based policy allows the bedrock:DeleteModelInvocationLoggingConfiguration action", "requestParameters": null, "responseElements": null, "requestID": "11519ac6-2761-4434-813a-585547a59096", "eventID": "1f7bd76f-13fb-4dff-b9bb-95a466217721", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "bedrock.us-west-2.amazonaws.com"}}'
+output_fields:
+- dest
+- user
+- user_agent
+- src
+- vendor_account
+- vendor_region
+- vendor_product