splunk
diff --git a/‎baselines/deprecated/.gitkeep b/‎baselines/deprecated/.gitkeep
diff --git a/‎baselines/previously_seen_aws_cross_account_activity___initial.yml ‎baselines/deprecated/previously_seen_aws_cross_account_activity___initial.yml
+1-1 b/‎baselines/previously_seen_aws_cross_account_activity___initial.yml ‎baselines/deprecated/previously_seen_aws_cross_account_activity___initial.yml
+1-1
diff --git a/‎baselines/previously_seen_aws_cross_account_activity___update.yml ‎baselines/deprecated/previously_seen_aws_cross_account_activity___update.yml
+1-1 b/‎baselines/previously_seen_aws_cross_account_activity___update.yml ‎baselines/deprecated/previously_seen_aws_cross_account_activity___update.yml
+1-1
diff --git a/‎contentctl.yml
+4-4 b/‎contentctl.yml
+4-4
diff --git a/‎data_sources/asl_aws_cloudtrail.yml
+16-4 b/‎data_sources/asl_aws_cloudtrail.yml
+16-4
diff --git a/‎data_sources/aws_cloudfront.yml
+11-3 b/‎data_sources/aws_cloudfront.yml
+11-3
diff --git a/‎data_sources/aws_cloudtrail.yml
+1-1 b/‎data_sources/aws_cloudtrail.yml
+1-1
diff --git a/‎data_sources/aws_cloudtrail_assumerolewithsaml.yml
+11-4 b/‎data_sources/aws_cloudtrail_assumerolewithsaml.yml
+11-4
diff --git a/‎data_sources/aws_cloudtrail_consolelogin.yml
+11-4 b/‎data_sources/aws_cloudtrail_consolelogin.yml
+11-4
diff --git a/‎data_sources/aws_cloudtrail_copyobject.yml
+10-4 b/‎data_sources/aws_cloudtrail_copyobject.yml
+10-4
diff --git a/‎data_sources/aws_cloudtrail_createaccesskey.yml
+10-4 b/‎data_sources/aws_cloudtrail_createaccesskey.yml
+10-4
diff --git a/‎data_sources/aws_cloudtrail_createkey.yml
+10-4 b/‎data_sources/aws_cloudtrail_createkey.yml
+10-4
diff --git a/‎data_sources/aws_cloudtrail_createloginprofile.yml
+10-4 b/‎data_sources/aws_cloudtrail_createloginprofile.yml
+10-4
diff --git a/‎data_sources/aws_cloudtrail_createnetworkaclentry.yml
+10-4 b/‎data_sources/aws_cloudtrail_createnetworkaclentry.yml
+10-4
diff --git a/‎data_sources/aws_cloudtrail_createpolicyversion.yml
+10-4 b/‎data_sources/aws_cloudtrail_createpolicyversion.yml
+10-4
diff --git a/‎data_sources/aws_cloudtrail_createsnapshot.yml
+10-4 b/‎data_sources/aws_cloudtrail_createsnapshot.yml
+10-4
@@ -4,7 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
-status: production
+status: deprecated
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -4,7 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
-status: production
+status: deprecated
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.1.1
+  version: 5.2.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -218,11 +218,11 @@ apps:
   version: 3.1.0
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_310.tgz
-- uid: 2882
+- uid: 3471
   title: Splunk Add-on for AppDynamics
   appid: Splunk_TA_AppDynamics
-  version: 3.1.0
+  version: 3.0.0
   description: The Splunk Add-on for AppDynamics enables you to easily configure data
     inputs to pull data from AppDynamics' REST APIs
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_310.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-splunk-add-on-for-appdynamics_300.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
@@ -1,9 +1,22 @@
 name: ASL AWS CloudTrail
 id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
-version: 1
-date: '2025-01-14'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for ASL AWS CloudTrail 
+description: Represents AWS API dataset data collection from Amazon Security Lake.
+mitre_components:
+- Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Storage Access
+- Instance Creation
+- Instance Deletion
+- Instance Start
+- Instance Stop
+- Instance Modification
+- Cloud Storage Creation
+- Cloud Storage Deletion
+- Cloud Service Enumeration
+- Cloud Storage Enumeration
 source: aws_asl
 sourcetype: aws:asl
 separator: api.operation
@@ -12,7 +25,6 @@ supported_TA:
   url: https://splunkbase.splunk.com/app/1876
   version: 7.9.1
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,9 +1,17 @@
 name: AWS Cloudfront
 id: 780086dc-2384-45b6-ade7-56cb00105464
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS Cloudfront
+description: Logs requests made to AWS CloudFront distributions, including details
+  on client access, response data, and performance metrics.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Response Content
+- Logon Session Metadata
+- Cloud Service Metadata
 source: aws
 sourcetype: aws:cloudfront:accesslogs
 supported_TA:
 
@@ -3,7 +3,7 @@ id: e8ace6db-1dbd-4c72-a1fb-334684619a38
 version: 1
 date: '2024-07-24'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail
+description: All AWS CloudTrail events
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
 
@@ -1,12 +1,20 @@
 name: AWS CloudTrail AssumeRoleWithSAML
 id: 1e28f2a6-2db9-405f-b298-18734a293f77
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail AssumeRoleWithSAML
+description: Logs attempts to assume roles via SAML authentication in AWS, including
+  details of identity provider and role mapping.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Cloud Service Metadata
+- Instance Modification
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: AssumeRoleWithSAML
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -125,7 +133,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "pri
   "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
   "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,20 @@
 name: AWS CloudTrail ConsoleLogin
 id: b68b3f26-bd21-4fa8-b593-616fe75ac0ae
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ConsoleLogin
+description: Logs attempts to sign in to the AWS Management Console, including successful
+  and failed login events.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: ConsoleLogin
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -101,7 +109,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "acco
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CopyObject
 id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CopyObject
+description: Logs operations that copy objects within or between AWS S3 buckets, including
+  details of source and destination.
+mitre_components:
+- Cloud Storage Access
+- Cloud Storage Modification
+- Cloud Storage Metadata
+- Instance Modification
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CopyObject
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -118,7 +125,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111",
   "eventCategory": "Data"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateAccessKey
 id: 0460f7da-3254-4d90-b8c0-2ca657d0cea0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateAccessKey
+description: Logs the creation of new AWS access keys, including details of the associated
+  user and permissions.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateAccessKey
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -102,7 +109,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "121521347698"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateKey
 id: fcfc1593-b6b5-4a0f-91c5-3c395116a8b9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateKey
+description: Logs the creation of new AWS KMS keys, including details of key properties
+  and associated metadata.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- Instance Creation
+- Volume Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateKey
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -149,7 +156,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management",
   "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateLoginProfile
 id: 0024fdb1-0d62-4449-970a-746952cf80b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateLoginProfile
+description: Logs the creation of login profiles for IAM users, including associated
+  metadata and authentication settings.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateLoginProfile
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -101,7 +108,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateNetworkAclEntry
 id: 45934028-10ec-4ab5-a7b1-a6349b833e67
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateNetworkAclEntry
+description: Logs the creation of new entries in a network ACL, including rules to
+  allow or deny specific network traffic.
+mitre_components:
+- Firewall Rule Modification
+- Network Connection Creation
+- Cloud Service Modification
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateNetworkAclEntry
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -120,7 +127,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall",
   "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreatePolicyVersion
 id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreatePolicyVersion
+description: Logs the creation of new versions of IAM policies, including changes
+  to permissions and attached roles or resources.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreatePolicyVersion
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -105,7 +112,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId":
   "111111111111"}'
 output_fields:
-- action
 - dest
 - user
 - user_agent
 
@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateSnapshot
 id: 514135a2-f4b2-4d32-8f31-d87824887f9f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateSnapshot
+description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon
+  EBS volume, including details about the snapshot ID and resource type.
+mitre_components:
+- Snapshot Creation
+- Snapshot Metadata
+- Volume Metadata
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateSnapshot
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
@@ -117,7 +124,6 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin
   "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2",
   "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
 output_fields:
-- action
 - dest
 - user
 - user_agent