Initial creation

Co-Authored-By: OutpostSecurity <72515718+OutpostSecurity@users.noreply.github.com>
Co-Authored-By: Haylee Mills <12771156+7thdrxn@users.noreply.github.com>

.github/ISSUE_TEMPLATE/01-bug-report.yml

@@ -0,0 +1,53 @@
+name: Report a bug
+description: Something is not working? Report a bug
+labels:
+  - bug
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Bug description
+      description: >-
+        Please give a detailed description of the issue. Be as specific as
+        possible. If you have found a workaround or a fix for the problem,
+        please let us know. Include screenshots (if applicable).
+    validations:
+      required: true
+
+  # - type: textarea
+  #   id: related-links
+  #   attributes:
+  #     label: Related links
+  #     description: >-
+  #       Please list all links to the sections of
+  #       [the documentation](#placeholder) that
+  #       are relevant to the bug in order to show that you have consulted and
+  #       thoroughly read it. Additionally, list links to possibly related open
+  #       and closed [issues](https://github.com/rba-community/threat_object_fun/issues).
+  #     value: |-
+  #       - [Example Issue](https://github.com/rba-community/threat_object_fun/issues)
+  #       -
+  #   validations:
+  #     required: true
+
+  - type: input
+    id: ta-version
+    attributes:
+      label: threat_object_fun Version
+      description: >-
+        Which version of this app (threat_object_fun) are you using?
+      placeholder: |-
+        1.0.0
+    validations:
+      required: true
+
+  - type: input
+    id: splunk-version
+    attributes:
+      label: Splunk Version
+      description: >-
+        Which version of Splunk are you using?
+      placeholder: |-
+        9.0.1
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/02-feature-request.yml

@@ -0,0 +1,25 @@
+name: Feature Request
+description: Want to submit an idea? Propose a change or feature request
+labels:
+  - feature request
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: >-
+        Please provide a detailed description of your idea in 2-3 sentences so
+        we can fully understand what change, feature, or the
+        improvement you are proposing.
+    validations:
+      required: true
+
+  - type: textarea
+    id: related-links
+    attributes:
+      label: Related links
+      description: >-
+        (optional) Please list all links to open and closed [issues](https://github.com/rba-community/threat_object_fun/issues) that are relevant to your idea.
+      value: |-
+        - [Feature Request](https://github.com/rba-community/threat_object_fun/issues/)
+        -

.github/workflows/appinspect.yml

@@ -0,0 +1,17 @@
+name: Splunk Appinspect
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+    paths:
+      - "src/**"
+    types: [opened, ready_for_review]
+  workflow_dispatch:
+
+jobs:
+  call-packaging-workflow:
+    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/appinspect.yml@main
+    secrets:
+      API_USER: ${{ secrets.API_USER }}
+      API_PASS: ${{ secrets.API_PASS }}

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+name: release
+on:
+  push:
+    branches:
+      - master
+      - main
+    paths:
+      - 'src/**'
+
+jobs:
+  call-packaging-workflow:
+    uses: ZachChristensen28/splunk-github-wfa/.github/workflows/package-app.yml@main

.gitignore

@@ -0,0 +1,8 @@
+.DS_STORE
+**/local
+local.meta
+__pycache__/
+.vscode
+venv
+.idea
+Pipfile**

LICENSE

@@ -1,21 +1,21 @@
-MIT License
-
-Copyright (c) 2023 The RBA Community
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+MIT License
+
+Copyright (c) 2023 Outpost Security, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,19 @@
+![GitHub](https://img.shields.io/github/license/rba-community/threat_object_fun)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/rba-community/threat_object_fun)
+[![Splunkbase App](https://img.shields.io/badge/Splunkbase-threat__object__fun-blue)](https://splunkbase.splunk.com/app/6917)
+[![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility->=6.6.0-success)](https://splunkbase.splunk.com/app/263)
+![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk)
+
+This app helps illustrate setting and leveraging threat objects with [Risk-Based Alerting (RBA)](https://www.splunk.com/en_us/form/the-essential-guide-to-risk-based-alerting.html).
+
+## About
+
+Info | Description
+------|----------
+threat_object_fun | 1.0.0 - [Splunkbase](https://splunkbase.splunk.com/app/6917) \| [GitHub](https://github.com/rba-community/threat_object_fun/releases)
+App has a web UI | Yes, this app contains dashboards.
+Authors | Haylee Mills, Stuart McIntosh
+
+## Issues or Feature Requests
+
+Please open an issue or feature request on [Github](https://github.com/rba-community/threat_object_fun/issues).

src/threat_object_fun/README.txt

@@ -0,0 +1,4 @@
+threat_object_fun
+
+Copyright (C) 2023 Outpost Security, LLC. All rights reserved.
+

src/threat_object_fun/app.manifest

@@ -0,0 +1,57 @@
+{
+  "schemaVersion": "2.0.0", 
+  "info": {
+    "title": "Threat Object Fun", 
+    "id": {
+      "group": null, 
+      "name": "threat_object_fun", 
+      "version": "1.0.0"
+    }, 
+    "author": [
+      {
+        "name": "Haylee Mills, Stuart McIntosh", 
+        "email": null, 
+        "company": "Outpost Security"
+      }
+    ], 
+    "releaseDate": null, 
+    "description": "An illustrative app for working with Threat Objects.", 
+    "classification": {
+      "intendedAudience": null, 
+      "categories": [], 
+      "developmentStatus": null
+    }, 
+    "commonInformationModels": null, 
+    "license": {
+      "name": null, 
+      "text": null, 
+      "uri": null
+    }, 
+    "privacyPolicy": {
+      "name": null, 
+      "text": null, 
+      "uri": null
+    }, 
+    "releaseNotes": {
+      "name": null, 
+      "text": null, 
+      "uri": null
+    }
+  }, 
+  "dependencies": {
+        "SplunkEnterpriseSecuritySuite": {
+            "version": ">=6.6.0",
+            "optional": false
+        }
+    }, 
+  "tasks": null, 
+  "inputGroups": null, 
+  "incompatibleApps": null, 
+  "platformRequirements": null, 
+  "supportedDeployments": [
+    "_standalone", 
+    "_distributed"
+  ], 
+  "targetWorkloads": ["_search_heads"]
+}
+

src/threat_object_fun/default/app.conf

@@ -0,0 +1,24 @@
+#
+# Splunk app configuration file
+#
+
+[id]
+name = threat_object_fun
+version = 1.0.0
+
+[install]
+is_configured = 0
+
+[ui]
+is_visible = 1
+label = Threat Object Fun
+
+[launcher]
+author = Haylee Mills, Stuart McIntosh, Outpost Security
+description = An illustrative app for working with Threat Objects.
+version = 1.0.0
+
+[package]
+id = threat_object_fun
+check_for_updates = 1
+

src/threat_object_fun/default/data/ui/nav/default.xml

@@ -0,0 +1,8 @@
+<nav search_view="search">
+  <view name="threat_object_overview" default='true' />
+  <view name="threat_object_detail" />
+  <view name="threat_object_soar" />
+  <view name="threat_object_content_dev" />
+  <view name="search" />
+  <view name="dashboards" />
+</nav>

src/threat_object_fun/default/data/ui/panels/content_threat_object_fields.xml

@@ -0,0 +1,46 @@
+<panel>
+  <title>Suggested Threat Object Types</title>
+  <html>
+    <p>These are suggested threat object types based on threat intel fields and potential SOAR fields.</p>
+<div align="center">
+<table style="width: 100%">
+  <tr>
+    <td>certificate_common_name</td>
+    <td>domain</td>
+    <td>process</td>
+    <td>registry_value_name</td>
+  </tr>
+  <tr>
+    <td>certificate_organization</td>
+    <td>email</td>
+    <td>process_name</td>
+    <td>registry_value_text</td>
+  </tr>
+  <tr>
+    <td>certificate_serial</td>
+    <td>email_subject</td>
+    <td>parent_process</td>
+    <td>registry_value_text</td>
+  </tr>
+  <tr>
+    <td>certificate_unit</td>
+    <td>file_hash</td>
+    <td>parent_process_name</td>
+    <td>service</td>
+  </tr>
+  <tr>
+    <td>command</td>
+    <td>file_name</td>
+    <td>process_hash</td>
+    <td>url</td>
+  </tr>
+  <tr>
+    <td></td>
+    <td>http_user_agent</td>
+    <td>registry_path</td>
+    <td></td>
+  </tr>
+</table>
+</div>
+  </html>
+</panel>