diff --git a/bin/replay.py b/bin/replay.py
index e705e9a42..01a4c5d24 100644
--- a/bin/replay.py
+++ b/bin/replay.py
@@ -109,8 +109,50 @@ def send_data_to_splunk(file_path, splunk_host, hec_token, event_host_uuid,
             headers=headers,
             verify=False,
         )
-        res.raise_for_status()
-        print(f":white_check_mark: Sent {file_path} to Splunk HEC")
+        if res.ok:
+            print(f":white_check_mark: Sent {file_path} to Splunk HEC")
+            return
+
+        print(
+            f":x: Error sending {file_path} to Splunk HEC: "
+            f"HTTP {res.status_code}"
+        )
+
+        try:
+            response_data = res.json()
+            hec_code = response_data.get("code")
+            hec_text = response_data.get("text")
+            print(f" Splunk HEC response: code={hec_code}, text={hec_text}")
+
+            if hec_code == 7:
+                print(
+                    " Hint: incorrect index. "
+                    "Use --index-override or create attack_data index."
+                )
+            elif hec_code == 4:
+                print(
+                    " Hint: invalid HEC token. "
+                    "Verify SPLUNK_HEC_TOKEN and token status in Splunk."
+                )
+            elif hec_code == 6:
+                print(
+                    " Hint: invalid data format. "
+                    "Check sourcetype/source values and file content."
+                )
+            elif hec_code == 10:
+                print(
+                    " Hint: data channel missing/invalid. "
+                    "Check HEC indexer acknowledgment settings."
+                )
+        except ValueError:
+            print(f" Splunk HEC raw response: {res.text.strip()}")
+
+        print(f" URL: {res.url}")
+        print(
+            " Metadata: "
+            f"index={index}, source={source}, sourcetype={sourcetype}, "
+            f"host={event_host_uuid}"
+        )
     except Exception as e:
         print(f":x: Error sending {file_path} to Splunk HEC: {e}")
 
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
index 8db767b2c..d65447000 100644
--- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/data.yml
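Review bot: The `response_data.get("code")` / `.get("text")` calls right after `res.json()` assume the body is a JSON object; a JSON array or scalar (what a proxy or load balancer in front of HEC may answer with) raises AttributeError, which is not caught by the `except ValueError` branch, escapes to the outer `except Exception`, and skips the URL/metadata lines that are the whole point of the new diagnostics — while the `ValueError` branch prints `res.text` unbounded, so a large HTML error page floods the console. I'd guard with `isinstance(response_data, dict)`, cap the raw body (`res.text.strip()[:500]`), and replace the four-way `if/elif` on `hec_code` with a module-level lookup table so further HEC codes become a one-line addition. The failure path also falls through with no return value or raise, so a caller cannot distinguish a failed send from a successful one — that was already true with the swallowed exception, so only worth changing if a caller counts failures. The function's signature and the start of the enclosing `try` lie outside the hunk.
```python
# module level, next to the other constants: HEC response code -> operator hint
HEC_CODE_HINTS = {
    7: "incorrect index. Use --index-override or create attack_data index.",
    4: "invalid HEC token. Verify SPLUNK_HEC_TOKEN and token status in Splunk.",
    6: "invalid data format. Check sourcetype/source values and file content.",
    10: "data channel missing/invalid. Check HEC indexer acknowledgment settings.",
}

        # ... unchanged: res.ok check and the HTTP status line ...
        try:
            response_data = res.json()
        except ValueError:
            # Not JSON (proxy or login page, etc.): show a bounded excerpt only.
            print(f" Splunk HEC raw response: {res.text.strip()[:500]}")
        else:
            # HEC answers with an object; anything else is reported without a hint.
            body = response_data if isinstance(response_data, dict) else {}
            hec_code = body.get("code")
            hec_text = body.get("text")
            print(f" Splunk HEC response: code={hec_code}, text={hec_text}")
            hint = HEC_CODE_HINTS.get(hec_code)
            if hint is not None:
                print(f" Hint: {hint}")
        # ... unchanged: URL and metadata lines ...
```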
@@ -1,13 +1,17 @@
 author: Generated by dataset_analyzer.py
 id: 9c17ce79-5056-42e9-a614-4c2087471b67
-date: '2025-08-12'
+date: '2026-04-15'
 description: Automatically categorized datasets in directory windows_event_log_cleared
 environment: attack_range
 directory: windows_event_log_cleared
 mitre_technique:
 - T1070.001
 datasets:
-- name: windows-xml
-  path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
+- name: windows-system
+  path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
   sourcetype: XmlWinEventLog
-  source: XmlWinEventLog:Microsoft-Windows-Eventlog
+  source: XmlWinEventLog:System
+- name: windows-security
+  path: /datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Security
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
new file mode 100644
index 000000000..d7f703117
--- /dev/null
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-security.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd483a9c03b1cf5b10b4cc8b1500abd782da334647e93db61edee7f7040dce87
+size 878
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
new file mode 100644
index 000000000..d65063e98
--- /dev/null
+++ b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-system.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e5298e558860f09a89cf1a503e34d3412f2e4a6dbeb312ec44282f383d96e6f
+size 878
diff --git a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log b/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
deleted file mode 100644
index f666d8815..000000000
--- a/datasets/attack_techniques/T1070.001/windows_event_log_cleared/windows-xml.log
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8720a4878af74ec20fdb87d9c7be80564592dcc4ef0582e8935b3d67ab9863b3
-size 1756
diff --git a/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
new file mode 100644
index 000000000..e7ff83f39
--- /dev/null
+++ b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6dcdb8e7f63ec337464ed69e3e2e197d9bda49339f33c903fc111189ac253d4f
+size 5484
diff --git a/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml
new file mode 100644
index 000000000..9e857498e
--- /dev/null
+++ b/datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: cd569370-2768-11f1-9dd5-629be353806a
+date: '2026-03-24'
+description: Generated datasets for remote access reg in attack range.
+environment: attack_range
+directory: remote_access_reg
+mitre_technique:
+- T1112
+datasets:
+- name: remote_access_reg.log
+  path: /datasets/attack_techniques/T1112/remote_access_reg/remote_access_reg.log
+  sourcetype: 'XmlWinEventLog'
+  source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log b/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
index cfb51d779..2beb1442e 100644
--- a/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
+++ b/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d34969d4c57f0b8e5aca752000ecde9a8d58d32c04dee8362f64ac85f0642410
-size 349225
+oid sha256:b0346d6c43ebe1eb1c14c6dd49e1148655310f883424ad40540e32a1ca31a7f8
+size 349769
diff --git a/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml
new file mode 100644
index 000000000..012e862ad
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_extension.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 9fd9defc-2768-11f1-9dd5-629be353806a
+date: '2026-03-24'
+description: Generated datasets for random dll extension in attack range.
+environment: attack_range
+directory: random_dll_extension
+mitre_technique:
+- T1218.011
+datasets:
+- name: random_dll_rundll32.log
+  path: /datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
+  sourcetype: 'XmlWinEventLog'
+  source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
new file mode 100644
index 000000000..0451f7525
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/random_dll_extension/random_dll_rundll32.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fcab984bb700abbd3fd27a150cbd70b907f608ea177c3487cb04796946f2e614
+size 8253
diff --git a/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml
new file mode 100644
index 000000000..a3c21d29e
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_dll_ext.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 6845d30e-29e5-11f1-a458-629be353806a
+date: '2026-03-27'
+description: Generated datasets for rundll32 random dll ext in attack range.
+environment: attack_range
+directory: rundll32_random_dll_ext
+mitre_technique:
+- T1218.011
+datasets:
+- name: rundll32_random_ext.log
+  path: /datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
+  sourcetype: 'XmlWinEventLog'
+  source: 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
new file mode 100644
index 000000000..fa9551804
--- /dev/null
+++ b/datasets/attack_techniques/T1218.011/rundll32_random_dll_ext/rundll32_random_ext.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:35ff5c023ba0d709145e91fb3623b3563e094fa065c3e5b181b11a0504212d45
+size 5620
diff --git a/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log b/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
index 32b7bf286..1e57d6f0e 100644
--- a/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
+++ b/datasets/attack_techniques/T1546.004/linux_init_profile/sysmon_linux.log
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:59f5610ee967b523d0fce69becd3186d3f09e09d17997ce92b3f2fad3b1f1591
-size 42440575
+oid sha256:f76f57656b91fc280f284466f9e1af286c5afe11f565cb6e1a5d134a848180e0
+size 42441476
diff --git a/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
new file mode 100644
index 000000000..7b5263d93
--- /dev/null
+++ b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1ceda0afc580ecf7e761e44aa109e9b1f1d52e529e9c4fe72ad2d950512c227
+size 13001
diff --git a/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
new file mode 100644
index 000000000..67a017480
--- /dev/null
+++ b/datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.yml
@@ -0,0 +1,13 @@
+author: Jake Enea
+id: 4a5c3288-8391-4e80-9c3d-9dbb60ed1c45
+date: '2026-03-29'
+description: The following data contains simulated bulk Intune "wipe ManagedDevice" events from the Intune admin portal.
+environment: attack_range
+directory: microsoft_intune_bulk_wipe
+mitre_technique:
+- T1561.001
+datasets:
+- name: microsoft_intune_bulk_wipe
+  path: /datasets/attack_techniques/T1561.001/microsoft_intune_bulk_wipe/microsoft_intune_bulk_wipe.log
+  sourcetype: azure:monitor:activity
+  source: not_applicable
\ No newline at end of file
diff --git a/datasets/cisco_secure_access/firewall/firewall.yml b/datasets/cisco_secure_access/firewall/firewall.yml
new file mode 100644
index 000000000..b701f0e3a
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/firewall.yml
@@ -0,0 +1,33 @@
+author: Bhavin Patel, Splunk
+id: 1fc537db-5e0b-4a2e-a768-27e08eff0c70
+date: '2026-03-19'
+description: |
+  Generated datasets for Cisco Secure Access Firewall EventType by manual /atomic-red team simulations in a K8s cluster running Tetragon
+environment: custom
+directory: cisco_secure_access/firewall
+mitre_technique: []
+datasets:
+- name: firewall
+  path: /datasets/cisco_secure_access/firewall/rdp_brute_force.log
+  source: cisco_cloud_security_addon
+  sourcetype: cisco:cloud_security:firewall
+- name: large_icmp
+  path: /datasets/cisco_secure_access/firewall/large_icmp.log
+  source: cisco_cloud_security_addon
+  sourcetype: cisco:cloud_security:firewall
+- name: ldap
+  path: /datasets/cisco_secure_access/firewall/ldap.log
+  source: cisco_cloud_security_addon
+  sourcetype: cisco:cloud_security:firewall
+- name: outbound_smb
+  path: /datasets/cisco_secure_access/firewall/outbound_smb.log
+  source: cisco_cloud_security_addon
+  sourcetype: cisco:cloud_security:firewall
+- name: nmap
+  path: /datasets/cisco_secure_access/firewall/nmap.log
+  source: cisco_cloud_security_addon
+  sourcetype: cisco:cloud_security:firewall
+- name: smb
+  path: /datasets/cisco_secure_access/firewall/smb.log
+  source: cisco_cloud_security_addon
+  sourcetype: cisco:cloud_security:firewall
diff --git a/datasets/cisco_secure_access/firewall/large_icmp.log b/datasets/cisco_secure_access/firewall/large_icmp.log
new file mode 100644
index 000000000..ece48f82c
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/large_icmp.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7494c86cf3fad8ea5a8f37bb3d21b4d7c4aba694e1973f4f5a9207389786690
+size 428
diff --git a/datasets/cisco_secure_access/firewall/ldap.log b/datasets/cisco_secure_access/firewall/ldap.log
new file mode 100644
index 000000000..065af34d7
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/ldap.log
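Review bot: The `description` block in the new firewall.yml says the data was produced "by manual /atomic-red team simulations in a K8s cluster running Tetragon", which does not describe Cisco Secure Access firewall events and reads like text carried over from another dataset file; the first entry is also named `firewall` while its `path` is `rdp_brute_force.log`, unlike the other five entries whose `name` matches the file stem. I'd change that entry to `- name: rdp_brute_force` and reword the description to state how these firewall events were actually captured or generated. `mitre_technique: []` is left empty even though the files are named after brute-force, scanning and SMB activity; if the rest of the repo uses that field to map detections to datasets (I can't see how it is consumed from here), filling it in is what makes this data discoverable.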
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d6d0b9e48e08b0932650e5580c60c1bf5f5deb7223868456b96d37e7c43f488a
+size 427
diff --git a/datasets/cisco_secure_access/firewall/nmap.log b/datasets/cisco_secure_access/firewall/nmap.log
new file mode 100644
index 000000000..1986398a0
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/nmap.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5fb3007ad740d51c5af4b6e7b5e5750e9ef833ace9d2c14d325179f834c05981
+size 135478
diff --git a/datasets/cisco_secure_access/firewall/outbound_smb.log b/datasets/cisco_secure_access/firewall/outbound_smb.log
new file mode 100644
index 000000000..e7561ff12
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/outbound_smb.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1285ed5919c3395964f748be9289448a510baf931c16e7f46666f60c143b695a
+size 9337
diff --git a/datasets/cisco_secure_access/firewall/rdp_brute_force.log b/datasets/cisco_secure_access/firewall/rdp_brute_force.log
new file mode 100644
index 000000000..4690ad636
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/rdp_brute_force.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82fc54be49df5a1635be5c8b101c56ae68347e0e7f91f8c39439e5b673030e88
+size 4605
diff --git a/datasets/cisco_secure_access/firewall/smb.log b/datasets/cisco_secure_access/firewall/smb.log
new file mode 100644
index 000000000..fed144ab3
--- /dev/null
+++ b/datasets/cisco_secure_access/firewall/smb.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:63fdafa661f342f1869f7ea2d3ac1c95fd85533928f90af66a72b6d9b3be14f7
+size 879