removing CODEOWNERS

Author: research bot

CODEOWNERS

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.16.0"
+      "version": "4.17.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/app.manifest

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T20:58:41 UTC
+# On Date: 2023-12-06T21:36:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20231116205612
+build = 20231206213413
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.16.0 
+version = 4.17.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/analyticstories.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T20:58:41 UTC
+# On Date: 2023-12-06T21:36:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T20:58:41 UTC
+# On Date: 2023-12-06T21:36:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
 [content-version]
-version = 4.16.0 
+version = 4.17.0 

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T20:58:41 UTC
+# On Date: 2023-12-06T21:36:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-11-16T20:58:41 UTC
+# On Date: 2023-12-06T21:36:36 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: [email protected]
 #############
@@ -233,6 +233,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[splunk_rce_via_user_xslt_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [splunk_reflected_xss_in_the_templates_lists_radio_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -965,6 +969,22 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_advanced_audit_disabled_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_application_registration_owner_added_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_applicationimpersonation_role_assigned_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_block_user_consent_for_risky_apps_disabled_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_bypass_mfa_via_trusted_ip_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -981,14 +1001,62 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_file_permissioned_application_consent_granted_by_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_high_number_of_failed_authentications_for_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_high_privilege_role_granted_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_mail_permissioned_application_consent_granted_by_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_mailbox_inbox_folder_shared_with_all_users_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_mailbox_read_access_granted_to_application_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_multi_source_failed_authentications_spike_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_multiple_appids_and_useragents_authentication_spike_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_multiple_failed_mfa_requests_for_user_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_multiple_users_failing_to_authenticate_from_ip_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_new_federated_domain_added_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_new_mfa_method_registered_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_pst_export_alert_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_service_principal_new_client_credentials_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [o365_suspicious_admin_email_forwarding_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -1001,6 +1069,18 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[o365_tenant_wide_admin_consent_granted_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_user_consent_blocked_for_risky_application_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[o365_user_consent_denied_for_oauth_application_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [risk_rule_for_dev_sec_ops_by_repository_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -3133,6 +3213,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[powershell_remote_services_add_trustedhost_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [powershell_remote_thread_to_known_windows_process_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -3949,6 +4033,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_archive_collected_data_via_rar_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_autoit3_execution_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4049,6 +4137,14 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_credentials_from_password_stores_creation_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_credentials_from_password_stores_deletion_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_credentials_from_password_stores_query_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4081,6 +4177,26 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_defender_asr_audit_events_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_defender_asr_block_events_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_defender_asr_registry_modification_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_defender_asr_rule_disabled_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_defender_asr_rules_stacking_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_defender_exclusion_registry_entry_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4357,6 +4473,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_indicator_removal_via_rmdir_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_indirect_command_execution_via_forfiles_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4453,6 +4573,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_masquerading_msdtc_process_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_mimikatz_binary_execution_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4461,6 +4585,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_modify_registry_authenticationleveloverride_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_modify_registry_auto_minor_updates_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4489,6 +4617,14 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_modify_registry_disableremotedesktopantialias_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_modify_registry_disablesecuritysettings_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_modify_registry_disabling_wer_settings_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4501,6 +4637,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_modify_registry_dontshowui_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_modify_registry_enablelinkedconnections_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4521,6 +4661,14 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_modify_registry_proxyenable_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
+[windows_modify_registry_proxyserver_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_modify_registry_qakbot_binary_data_registry_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -4681,6 +4829,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[windows_parent_pid_spoofing_with_explorer_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [windows_password_managers_discovery_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -5617,6 +5769,10 @@ description = Update this macro to limit the output results to filter out false
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
 
+[web_remote_shellservlet_access_filter]
+definition = search *
+description = Update this macro to limit the output results to filter out false positives.
+
 [web_spring4shell_http_request_class_module_filter]
 definition = search *
 description = Update this macro to limit the output results to filter out false positives.
@@ -5878,6 +6034,10 @@ description = customer specific splunk configurations(eg- index, source, sourcet
 definition = (Processes.process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell"))
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
 
+[ms_defender]
+definition = source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
+description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
+
 [msexchange_management]
 definition = sourcetype=MSExchange:management
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
@@ -5894,6 +6054,10 @@ description = This is a list of AWS event names that are associated with Network
 definition = index=notable
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
 
+[o365_graph]
+definition = sourcetype=o365:graph:api
+description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.
+
 [o365_management_activity]
 definition = sourcetype=o365:management:activity
 description = customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent.