removing CODEOWNERS

dist/DA-ESS-ContentUpdate/app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null, 
       "name": "DA-ESS-ContentUpdate", 
-      "version": "4.18.0"
+      "version": "4.19.0"
     }, 
     "author": [
       {

dist/DA-ESS-ContentUpdate/default/app.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-12-20T17:54:40 UTC
+# On Date: 2024-01-10T18:13:40 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -10,7 +10,7 @@
 is_configured = false
 state = enabled
 state_change_requires_restart = false
-build = 20231220175222
+build = 20240110181028
 
 [triggers]
 reload.analytic_stories = simple
@@ -26,7 +26,7 @@ reload.es_investigations = simple
 
 [launcher]
 author = Splunk
-version = 4.18.0 
+version = 4.19.0 
 description = Explore the Analytic Stories included with ES Content Updates.
 
 [ui]

dist/DA-ESS-ContentUpdate/default/collections.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-12-20T17:54:40 UTC
+# On Date: 2024-01-10T18:13:40 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -13,6 +13,22 @@ replicate = false
 enforceTypes = false
 replicate = false
 
+[k8s_container_network_io_baseline]
+enforceTypes = false
+replicate = false
+
+[k8s_container_network_io_ratio_baseline]
+enforceTypes = false
+replicate = false
+
+[k8s_process_resource_baseline]
+enforceTypes = false
+replicate = false
+
+[k8s_process_resource_ratio_baseline]
+enforceTypes = false
+replicate = false
+
 [previously_seen_S3_access_from_remote_ip]
 enforceTypes = false
 replicate = false

dist/DA-ESS-ContentUpdate/default/content-version.conf

@@ -1,8 +1,8 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-12-20T17:54:40 UTC
+# On Date: 2024-01-10T18:13:40 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
 [content-version]
-version = 4.18.0 
+version = 4.19.0 

dist/DA-ESS-ContentUpdate/default/es_investigations.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-12-20T17:54:40 UTC
+# On Date: 2024-01-10T18:13:40 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############

dist/DA-ESS-ContentUpdate/default/transforms.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-12-20T17:54:40 UTC
+# On Date: 2024-01-10T18:13:40 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############
@@ -92,6 +92,14 @@ default_match = false
 match_type = WILDCARD(domain)
 min_matches = 1
 
+[char_conversion_matrix]
+filename = char_conversion_matrix.csv
+default_match = false
+case_sensitive_match = true
+# description = A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding.
+match_type = WILDCARD(data)
+min_matches = 1
+
 [cloud_instances_enough_data]
 collection = cloud_instances_enough_data
 external_type = kvstore
@@ -165,6 +173,30 @@ case_sensitive_match = false
 # description = A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10.
 min_matches = 1
 
+[k8s_container_network_io_baseline]
+collection = k8s_container_network_io_baseline
+external_type = kvstore
+# description = A place holder for a list of used Kuberntes Container Network IO
+fields_list = key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen
+
+[k8s_container_network_io_ratio_baseline]
+collection = k8s_container_network_io_ratio_baseline
+external_type = kvstore
+# description = A place holder for a list of used Kuberntes Container Network IO Ratio
+fields_list = key, avg_outbound_network_io, avg_inbound_network_io, stdev_outbound_network_io, stdev_inbound_network_io, count, last_seen
+
+[k8s_process_resource_baseline]
+collection = k8s_process_resource_baseline
+external_type = kvstore
+# description = A place holder for a list of used Kuberntes Process Resource
+fields_list = host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key
+
+[k8s_process_resource_ratio_baseline]
+collection = k8s_process_resource_ratio_baseline
+external_type = kvstore
+# description = A place holder for a list of used Kuberntes Process Ratios
+fields_list = key, avg_cpu:mem, stdev_cpu:mem, avg_cpu:disk, stdev_cpu:disk, avg_mem:disk, stdev_mem:disk, avg_cpu:threads, stdev_cpu:threads, avg_disk:threads, avg_disk:threads, count, last_seen
+
 [legit_domains]
 filename = legit_domains.csv
 # description = A list of legit domains to be used as an ignore list for possible phishing sites

dist/DA-ESS-ContentUpdate/default/workflow_actions.conf

@@ -1,6 +1,6 @@
 #############
 # Automatically generated by generator.py in splunk/security_content
-# On Date: 2023-12-20T17:54:40 UTC
+# On Date: 2024-01-10T18:13:40 UTC
 # Author: Splunk Threat Research Team - Splunk
 # Contact: research@splunk.com
 #############