diff --git a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml b/baselines/deprecated/baseline_of_cloud_infrastructure_api_calls_per_user.yml similarity index 98% rename from baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml rename to baselines/deprecated/baseline_of_cloud_infrastructure_api_calls_per_user.yml index 7c9164b602..5dfd478484 100644 --- a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml +++ b/baselines/deprecated/baseline_of_cloud_infrastructure_api_calls_per_user.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Infrastructure API Calls Per User id: 1da5d5ea-4382-447d-98a9-87c358c95fcb -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model diff --git a/baselines/baseline_of_cloud_instances_destroyed.yml b/baselines/deprecated/baseline_of_cloud_instances_destroyed.yml similarity index 98% rename from baselines/baseline_of_cloud_instances_destroyed.yml rename to baselines/deprecated/baseline_of_cloud_instances_destroyed.yml index e5ee3f44e0..737e874a46 100644 --- a/baselines/baseline_of_cloud_instances_destroyed.yml +++ b/baselines/deprecated/baseline_of_cloud_instances_destroyed.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Instances Destroyed id: a2f701f8-5296-4d74-829c-0b7eb346d549 -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are destroyed in the environment. By default, the search 
diff --git a/baselines/baseline_of_cloud_instances_launched.yml b/baselines/deprecated/baseline_of_cloud_instances_launched.yml similarity index 98% rename from baselines/baseline_of_cloud_instances_launched.yml rename to baselines/deprecated/baseline_of_cloud_instances_launched.yml index 126f90a4f1..b1b65e765b 100644 --- a/baselines/baseline_of_cloud_instances_launched.yml +++ b/baselines/deprecated/baseline_of_cloud_instances_launched.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Instances Launched id: b01bd274-f661-4f9c-bd9f-cf23ff6ae0bc -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are created in the environment. By default, the search uses diff --git a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml b/baselines/deprecated/baseline_of_cloud_security_group_api_calls_per_user.yml similarity index 97% rename from baselines/baseline_of_cloud_security_group_api_calls_per_user.yml rename to baselines/deprecated/baseline_of_cloud_security_group_api_calls_per_user.yml index 288e115ded..f6bc14fc18 100644 --- a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml +++ b/baselines/deprecated/baseline_of_cloud_security_group_api_calls_per_user.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Security Group API Calls Per User id: 67b84d51-8329-4909-849f-8d38ce54260a -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls for security groups are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt 
diff --git a/baselines/baseline_of_command_line_length___mltk.yml b/baselines/deprecated/baseline_of_command_line_length___mltk.yml similarity index 98% rename from baselines/baseline_of_command_line_length___mltk.yml rename to baselines/deprecated/baseline_of_command_line_length___mltk.yml index 98a45f7865..ccd517f506 100644 --- a/baselines/baseline_of_command_line_length___mltk.yml +++ b/baselines/deprecated/baseline_of_command_line_length___mltk.yml @@ -1,10 +1,10 @@ name: Baseline of Command Line Length - MLTK id: d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459 -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: Rico Valdez, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. diff --git a/baselines/baseline_of_dns_query_length___mltk.yml b/baselines/deprecated/baseline_of_dns_query_length___mltk.yml similarity index 97% rename from baselines/baseline_of_dns_query_length___mltk.yml rename to baselines/deprecated/baseline_of_dns_query_length___mltk.yml index c763df2efd..ad1905c0db 100644 --- a/baselines/baseline_of_dns_query_length___mltk.yml +++ b/baselines/deprecated/baseline_of_dns_query_length___mltk.yml @@ -1,10 +1,10 @@ name: Baseline of DNS Query Length - MLTK id: c914844c-0ff5-4efc-8d44-c063443129ba -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: Rico Valdez, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed 
diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/deprecated/baseline_of_smb_traffic___mltk.yml similarity index 98% rename from baselines/baseline_of_smb_traffic___mltk.yml rename to baselines/deprecated/baseline_of_smb_traffic___mltk.yml index 5748c3eda0..8a0177c059 100644 --- a/baselines/baseline_of_smb_traffic___mltk.yml +++ b/baselines/deprecated/baseline_of_smb_traffic___mltk.yml @@ -1,10 +1,10 @@ name: Baseline of SMB Traffic - MLTK id: df98763b-0b08-4281-8ef9-08db7ac572a9 -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: Rico Valdez, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/deprecated/abnormally_high_number_of_cloud_infrastructure_api_calls.yml similarity index 99% rename from detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml rename to detections/deprecated/abnormally_high_number_of_cloud_infrastructure_api_calls.yml index fd172d6310..819754f06a 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_infrastructure_api_calls.yml 
@@ -3,7 +3,7 @@ id: 0840ddf1-8c89-46ff-b730-c8d6722478c0 version: 11 date: '2026-02-25' author: David Dorsey, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment. data_source: diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed.yml similarity index 99% rename from detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml rename to detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed.yml index caae424eb0..543e8133f5 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed.yml 
@@ -3,7 +3,7 @@ id: ef629fc9-1583-4590-b62a-f2247fbf7bbf version: 8 date: '2026-02-25' author: David Dorsey, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources. data_source: diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/deprecated/abnormally_high_number_of_cloud_instances_launched.yml similarity index 99% rename from detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml rename to detections/deprecated/abnormally_high_number_of_cloud_instances_launched.yml index aba1107d79..b65d82bf3e 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_instances_launched.yml 
@@ -3,7 +3,7 @@ id: f2361e9f-3928-496c-a556-120cd4223a65 version: 9 date: '2026-02-25' author: David Dorsey, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives. data_source: diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/deprecated/abnormally_high_number_of_cloud_security_group_api_calls.yml similarity index 99% rename from detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml rename to detections/deprecated/abnormally_high_number_of_cloud_security_group_api_calls.yml index f868ae7a5e..4ba26e47f8 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_security_group_api_calls.yml 
@@ -3,7 +3,7 @@ id: d4dfb7f3-7a37-498a-b5df-f19334e871af version: 10 date: '2026-02-25' author: David Dorsey, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls. data_source: diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl.yml similarity index 99% rename from detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl.yml index 45fa505511..95920f4008 100644 --- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl.yml 
@@ -3,7 +3,7 @@ id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493 version: 6 date: '2026-02-25' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions. data_source: [] diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml similarity index 99% rename from detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index 644f6f3403..4b250abc17 100644 --- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml @@ -2,7 +2,7 @@ name: Detect DNS Data Exfiltration using pretrained model in DSDL id: 92f65c3a-168c-11ed-71eb-0242ac120012 version: 7 date: '2026-02-25' -status: experimental +status: deprecated author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly data_source: [] 
diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml similarity index 99% rename from detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml index 0ae70bedad..187725104d 100644 --- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml @@ -3,7 +3,7 @@ id: 92f65c3a-968c-11ed-a1eb-0242ac120002 version: 7 date: '2026-02-25' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security. data_source: [] diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml similarity index 99% rename from detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index c83cd93331..31e9841807 100644 --- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml 
+++ b/detections/deprecated/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml @@ -4,7 +4,7 @@ version: 8 date: '2026-02-25' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly -status: experimental +status: deprecated data_source: - Sysmon EventID 1 description: The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions. diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/deprecated/dns_query_length_outliers___mltk.yml similarity index 99% rename from detections/network/dns_query_length_outliers___mltk.yml rename to detections/deprecated/dns_query_length_outliers___mltk.yml index 5e9aeef268..90ada45316 100644 --- a/detections/network/dns_query_length_outliers___mltk.yml +++ b/detections/deprecated/dns_query_length_outliers___mltk.yml 
@@ -3,7 +3,7 @@ id: 85fbcfe8-9718-4911-adf6-7000d077a3a9 version: 9 date: '2026-02-25' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems. data_source: [] diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/deprecated/potentially_malicious_code_on_commandline.yml similarity index 99% rename from detections/endpoint/potentially_malicious_code_on_commandline.yml rename to detections/deprecated/potentially_malicious_code_on_commandline.yml index e89cece1a1..5a5f2d31eb 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/deprecated/potentially_malicious_code_on_commandline.yml 
@@ -1,9 +1,9 @@ name: Potentially malicious code on commandline id: 9c53c446-757e-11ec-871d-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2026-02-25' author: Michael Hart, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as "streamreader," "webclient," "mutex," "function," and "computehash," which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise. data_source: diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/deprecated/smb_traffic_spike___mltk.yml similarity index 99% rename from detections/network/smb_traffic_spike___mltk.yml rename to detections/deprecated/smb_traffic_spike___mltk.yml index 822346a3d6..a91a2c203f 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/deprecated/smb_traffic_spike___mltk.yml 
@@ -3,7 +3,7 @@ id: d25773ba-9ad8-48d1-858e-07ad0bbeb828 version: 10 date: '2026-02-25' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network. data_source: [] diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/deprecated/unusually_long_command_line___mltk.yml similarity index 99% rename from detections/endpoint/unusually_long_command_line___mltk.yml rename to detections/deprecated/unusually_long_command_line___mltk.yml index 4aace61db3..8d85e99b56 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/deprecated/unusually_long_command_line___mltk.yml @@ -3,7 +3,7 @@ id: 57edaefa-a73b-45e5-bbae-f39c1473f941 version: 8 date: '2026-02-25' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system. data_source: 
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML index 2ad27b0c34..00a22a111b 100644 --- a/removed/deprecation_mapping.YML +++ b/removed/deprecation_mapping.YML 
@@ -1,4 +1,40 @@ detections: + - content: Abnormally High Number Of Cloud Infrastructure API Calls + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Abnormally High Number Of Cloud Instances Destroyed + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Abnormally High Number Of Cloud Instances Launched + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Abnormally High Number Of Cloud Security Group API Calls + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect DNS Data Exfiltration using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: DNS Query Length Outliers - MLTK + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: SMB Traffic Spike - MLTK + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Unusually Long Command Line - MLTK + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect DGA domains using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection 
is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect suspicious DNS TXT records using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect suspicious processnames using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Potentially malicious code on commandline + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) - content: Linux apt-get Privilege Escalation removed_in_version: 5.24.0 reason: Detection has been deprecated in favor of a more broad and generic logic that aims to reduce overhead and increase coverage. @@ -389,8 +425,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Security Group API Calls - content: Office Product Spawning BITSAdmin removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity @@ -716,8 +750,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Instances Launched - content: EC2 Instance Modified With Previously Unseen User removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the 
@@ -741,8 +773,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Instances Destroyed - content: Web Fraud - Account Harvesting removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity @@ -800,8 +830,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Infrastructure API Calls - content: Suspicious Powershell Command-Line Arguments removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity 
@@ -878,6 +906,27 @@ detections: removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity baselines: + - content: Baseline Of Cloud Infrastructure API Calls Per User + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline Of Cloud Instances Destroyed + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline Of Cloud Instances Launched + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline Of Cloud Security Group API Calls Per User + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline of Command Line Length - MLTK + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline of DNS Query Length - MLTK + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline of SMB Traffic - MLTK + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' - content: Previously Seen AWS Cross Account Activity removed_in_version: 5.4.0 reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
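Review bot: In the detection hunks from `abnormally_high_number_of_cloud_infrastructure_api_calls.yml` through `unusually_long_command_line___mltk.yml`, only the `status` line changes while `version` and `date` remain unchanged context (for example `version: 11` / `date: '2026-02-25'`), whereas the seven baseline hunks and the `potentially_malicious_code_on_commandline.yml` hunk bump `version` alongside the status change. The context dates already match the 2026-02-25 date used in this change, so the increment was presumably done in an earlier commit of this branch; please confirm that each of those detections did receive its version bump, since a status change to `deprecated` is a content change that this repository's convention pairs with one.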
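Review bot: The first `removed/deprecation_mapping.YML` hunk repeats the identical reason string twelve times, and that string has a number-agreement problem: `reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)` reads "Detection ... these". Suggest `Detection is deprecated as it does not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)`, and, to keep the twelve entries from drifting apart on a later edit, defining it once with a YAML anchor on the first entry (`reason: &ai_toolkit_reason '...'`) and referencing it with `reason: *ai_toolkit_reason` on the rest, provided the tooling that consumes this file resolves anchors. Also note the detection reasons here are unquoted while the baseline reasons in the last hunk are single-quoted; both are valid YAML, but one style for the file would be cleaner.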
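Review bot: The four hunks at `@@ -389`, `@@ -716`, `@@ -741` and `@@ -800` drop `replacement_content` entries that pointed at the four cloud anomaly detections being deprecated in this same change (e.g. `- replacement_content:` / `- - Abnormally High Number Of Cloud Security Group API Calls`), which is the right call since a replacement that is itself deprecated is misleading. The affected 5.2.0 entries, however, keep a reason of `Detections updated to use the new search logic and field names due to the TA update`, which still implies a successor exists. Suggest either confirming that the mapping schema treats a missing `replacement_content` as "no replacement" rather than as a validation error, or appending a short clause to those reasons noting that the replacement detection was later deprecated in 5.26.0 so readers of the mapping are not left looking for content that no longer ships.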