Update Suricata TA and Related Analytics

contentctl.yml

@@ -93,11 +93,11 @@ apps:
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz
 - uid: 4242
-  title: TA for Suricata
+  title: CCX Add-on for Suricata
   appid: SPLUNK_TA_FOR_SURICATA
-  version: 2.3.4
+  version: 1.0.1
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-suricata_234.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ccx-add-on-for-suricata_101.tgz
 - uid: 5466
   title: TA for Zeek
   appid: SPLUNK_TA_FOR_ZEEK

data_sources/suricata.yml

@@ -1,7 +1,7 @@
 name: Suricata
 id: 64b245d4-a4d1-4865-a718-c83d3b939f2e
-version: 2
-date: '2025-01-23'
+version: 3
+date: '2026-03-26'
 author: Patrick Bareiss, Splunk
 description: Logs network traffic and security events detected by Suricata, including
   details about connections, protocol metadata, and potential threats.
@@ -11,12 +11,12 @@ mitre_components:
 - Network Connection Creation
 - Malware Metadata
 - Application Log Content
-source: suricata
+source: not_applicable
 sourcetype: suricata
 supported_TA:
-- name: Splunk TA for Suricata
-  url: https://splunkbase.splunk.com/app/2760
-  version: 2.3.3
+- name: CCX Add-on for Suricata
+  url: https://splunkbase.splunk.com/app/6994
+  version: 1.0.1
 field_mappings:
 - data_model: cim
   data_set: Web
@@ -30,7 +30,31 @@ field_mappings:
     src_ip: Web.src
 fields:
 - _time
+- action
+- alert_gid
+- alert_rev
+- alert.action
+- alert.category
+- alert.gid
+- alert.metadata.created_at{}
+- alert.metadata.former_category{}
+- alert.metadata.signature_severity{}
+- alert.metadata.updated_at{}
+- alert.rev
+- alert.severity
+- alert.signature
+- alert.signature_id
+- answer
+- app
 - app_proto
+- body
+- bytes
+- bytes_in
+- bytes_out
+- capture_kernel_drops
+- capture_kernel_packets
+- category
+- cookie
 - date_hour
 - date_mday
 - date_minute
@@ -39,9 +63,106 @@ fields:
 - date_wday
 - date_year
 - date_zone
+- decoder_avg_pkt_size
+- decoder_bytes
+- decoder_erspan
+- decoder_ethernet
+- decoder_gre
+- decoder_icmpv4
+- decoder_invalid
+- decoder_ipraw_invalid_ip_version
+- decoder_ipv4
+- decoder_ipv4_in_ipv6
+- decoder_ipv6
+- decoder_ipv6_in_ipv6
+- decoder_ltnull_pkt_too_small
+- decoder_ltnull_unspported_type
+- decoder_max_pkt_size
+- decoder_mpls
+- decoder_null
+- decoder_pkts
+- decoder_ppp
+- decoder_pppoe
+- decoder_raw
+- decoder_sctp
+- decoder_ssl
+- decoder_tcp
+- decoder_teredo
+- decoder_udp
+- decoder_vlan
+- decoder_vlan_qinq
+- decoer_icmpv6
+- defrag_ipv4_fragments
+- defrag_ipv4_reassembled
+- defrag_ipv4_timeouts
+- defrag_ipv6_fragments
+- defrag_ipv6_reassembled
+- defrag_max_frag_hits
+- description
+- dest
 - dest_ip
 - dest_port
+- detect_alert
+- dfrag_ipv6_timeouts
+- dns_memcap_global
+- dns_memcap_state
+- dns_memuse
+- dns.aa
+- dns.answers{}.rdata
+- dns.answers{}.rrname
+- dns.answers{}.rrtype
+- dns.answers{}.ttl
+- dns.authorities{}.rrname
+- dns.authorities{}.rrtype
+- dns.authorities{}.soa.expire
+- dns.authorities{}.soa.minimum
+- dns.authorities{}.soa.mname
+- dns.authorities{}.soa.refresh
+- dns.authorities{}.soa.retry
+- dns.authorities{}.soa.rname
+- dns.authorities{}.soa.serial
+- dns.authorities{}.ttl
+- dns.flags
+- dns.grouped.A{}
+- dns.id
+- dns.opcode
+- dns.qr
+- dns.ra
+- dns.rcode
+- dns.rd
+- dns.rrname
+- dns.rrtype
+- dns.tx_id
+- dns.type
+- dns.version
+- duration
+- dvc
+- endtime
 - event_type
+- eventtype
+- field
+- file_rx_id
+- file_size
+- file_state
+- file_stored
+- file_tx_id
+- fileinfo.filename
+- fileinfo.gaps
+- fileinfo.size
+- fileinfo.state
+- fileinfo.stored
+- fileinfo.tx_id
+- filename
+- flow_emerg_mode_entered
+- flow_emerg_mode_over
+- flow_id
+- flow_memcap
+- flow_memuse
+- flow_mgr_closed_pruned
+- flow_mgr_est_pruned
+- flow_mgr_new_pruned
+- flow_spare
+- flow_tcp_reuse
 - flow.age
 - flow.alerted
 - flow.bytes_toclient
@@ -52,18 +173,100 @@ fields:
 - flow.reason
 - flow.start
 - flow.state
-- flow_id
 - host
+- http_content_type
+- http_memcap
+- http_memuse
+- http_method
+- http_protocol
+- http_referrer
+- http_user_agent
+- http.hostname
+- http.http_content_type
+- http.http_method
+- http.http_port
+- http.http_user_agent
+- http.length
+- http.protocol
+- http.redirect
+- http.request_headers{}.name
+- http.request_headers{}.value
+- http.response_headers{}.name
+- http.response_headers{}.value
+- http.status
+- http.url
+- http.xff
+- ids_type
 - in_iface
 - index
 - linecount
+- message_type
+- packets_in
+- packets_out
+- pcap_cnt
+- pkt_src
+- product
 - proto
 - punct
+- query
+- reason
+- reply_code
+- severity
+- severity_id
+- signature
 - source
 - sourcetype
 - splunk_server
+- splunk_server_group
+- src
 - src_ip
 - src_port
+- ssh_client_software
+- ssh_client_version
+- ssh_server_software
+- ssh_server_version
+- ssl_issuer_common_name
+- ssl_publickey
+- ssl_server_name_indication
+- ssl_subject_common_name
+- ssl_version
+- starttime
+- state
+- status
+- stream_3whs_ack_in_wrong_dir
+- stream_3whs_async_wrong_seq
+- stream_3whs_right_seq_wrong_ack_evasion
+- suricata_signature_id
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tcp_ack
+- tcp_cwr
+- tcp_ecn
+- tcp_fin
+- tcp_flag
+- tcp_flag_hex
+- tcp_flag_hex_to_client
+- tcp_flag_hex_to_server
+- tcp_flag_to_client
+- tcp_flag_to_server
+- tcp_invalid_checksum
+- tcp_memuse
+- tcp_no_flow
+- tcp_pseudo
+- tcp_pseudo_failed
+- tcp_psh
+- tcp_reassembly_gap
+- tcp_reassembly_memuse
+- tcp_rst
+- tcp_segment_memcap_drop
+- tcp_sessions
+- tcp_ssn_memcap_drop
+- tcp_state
+- tcp_stream_depth_reached
+- tcp_syn
+- tcp_synack
 - tcp.ack
 - tcp.fin
 - tcp.psh
@@ -75,4 +278,17 @@ fields:
 - timeendpos
 - timestamp
 - timestartpos
+- transaction_id
+- transport
+- ttl
+- tx_id
+- type
+- uptime
+- url
+- url_domain
+- vendor
+- vendor_gid
+- vendor_product
+- vendor_rev
+- vendor_sid
 example_log: '{"timestamp":"2023-10-17T01:24:52.149017+0000","flow_id":721124494649885,"in_iface":"ens5","event_type":"flow","src_ip":"192.0.2.1","src_port":30880,"dest_ip":"192.0.2.2","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":640,"bytes_toclient":660,"start":"2023-10-17T01:20:23.829981+0000","end":"2023-10-17T01:22:11.831172+0000","age":108,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}}'

detections/web/ivanti_sentry_authentication_bypass.yml → detections/deprecated/ivanti_sentry_authentication_bypass.yml

@@ -1,9 +1,9 @@
 name: Ivanti Sentry Authentication Bypass
 id: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-27'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
 data_source:
     - Suricata

detections/endpoint/disable_schedule_task.yml

@@ -42,7 +42,7 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 50
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/endpoint/wscript_or_cscript_suspicious_child_process.yml

@@ -43,10 +43,10 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 50
+          score: 20
         - field: user
           type: user
-          score: 50
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/network/dns_kerberos_coercion.yml

@@ -64,7 +64,7 @@ tests:
     - name: True Positive Test
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/suricata.log
-          source: Suricata
+          source: not_applicable
           sourcetype: suricata
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/sysmon.log
           source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

detections/network/http_c2_framework_user_agent.yml

@@ -71,4 +71,4 @@ tests:
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_c2.log
           sourcetype: suricata
-          source: suricata
+          source: not_applicable

detections/network/http_malware_user_agent.yml

@@ -65,4 +65,4 @@ tests:
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_malware.log
           sourcetype: suricata
-          source: suricata
+          source: not_applicable

detections/network/http_pua_user_agent.yml

@@ -63,4 +63,4 @@ tests:
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_pua.log
           sourcetype: suricata
-          source: suricata
+          source: not_applicable

detections/network/http_rmm_user_agent.yml

@@ -62,4 +62,4 @@ tests:
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_rmm.log
           sourcetype: suricata
-          source: suricata
+          source: not_applicable

detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml

@@ -59,5 +59,5 @@ tests:
     - name: True Positive Test
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/ivanti_bookmark_web_access.log
-          source: suricata
+          source: not_applicable
           sourcetype: suricata