From 65ca9db19d88bf038560c0aa4f3649b6ef671632 Mon Sep 17 00:00:00 2001 
From: Bhavin Patel Date: Wed, 25 Feb 2026 22:56:51 +0530 Subject: [PATCH 1/6] adding to deprecated --- ...high_number_of_cloud_instances_destroyed_deprecated.yml} | 6 +++--- ..._high_number_of_cloud_instances_launched_deprecated.yml} | 6 +++--- ...a_domains_using_pretrained_model_in_dsdl_deprecated.yml} | 6 +++--- ...iltration_using_pretrained_model_in_dsdl_deprecated.yml} | 6 +++--- ...t_records_using_pretrained_model_in_dsdl_deprecated.yml} | 6 +++--- .../dns_query_length_outliers___mltk_deprecated.yml} | 6 +++--- ...otentially_malicious_code_on_commandline_deprecated.yml} | 6 +++--- .../smb_traffic_spike___mltk_deprecated.yml} | 6 +++--- .../unusually_long_command_line___mltk_deprecated.yml} | 6 +++--- ...spicious_processnames_using_pretrained_model_in_dsdl.yml | 6 +++--- 10 files changed, 30 insertions(+), 30 deletions(-) rename detections/{cloud/abnormally_high_number_of_cloud_instances_destroyed.yml => deprecated/abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml} (98%) rename detections/{cloud/abnormally_high_number_of_cloud_instances_launched.yml => deprecated/abnormally_high_number_of_cloud_instances_launched_deprecated.yml} (98%) rename detections/{network/detect_dga_domains_using_pretrained_model_in_dsdl.yml => deprecated/detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml} (98%) rename detections/{network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml => deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml} (98%) rename detections/{network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml => deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml} (98%) rename detections/{network/dns_query_length_outliers___mltk.yml => deprecated/dns_query_length_outliers___mltk_deprecated.yml} (98%) rename detections/{endpoint/potentially_malicious_code_on_commandline.yml => 
deprecated/potentially_malicious_code_on_commandline_deprecated.yml} (99%) rename detections/{network/smb_traffic_spike___mltk.yml => deprecated/smb_traffic_spike___mltk_deprecated.yml} (98%) rename detections/{endpoint/unusually_long_command_line___mltk.yml => deprecated/unusually_long_command_line___mltk_deprecated.yml} (98%) diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml similarity index 98% rename from detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml rename to detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml index 1d36071ca8..f3c402b10b 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml @@ -1,9 +1,9 @@ name: Abnormally High Number Of Cloud Instances Destroyed id: ef629fc9-1583-4590-b62a-f2247fbf7bbf -version: 7 -date: '2025-05-02' +version: 8 +date: '2026-02-25' author: David Dorsey, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/deprecated/abnormally_high_number_of_cloud_instances_launched_deprecated.yml similarity index 98% rename from detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml rename to detections/deprecated/abnormally_high_number_of_cloud_instances_launched_deprecated.yml index 93d678f8de..fc133ce546 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_instances_launched_deprecated.yml 
@@ -1,9 +1,9 @@ name: Abnormally High Number Of Cloud Instances Launched id: f2361e9f-3928-496c-a556-120cd4223a65 -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-02-25' author: David Dorsey, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml similarity index 98% rename from detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml index 6c9c2e2f60..e2a4b7cd50 100644 --- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml @@ -1,9 +1,9 @@ name: Detect DGA domains using pretrained model in DSDL id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493 -version: 5 -date: '2025-05-02' +version: 6 +date: '2026-02-25' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml similarity index 98% rename from detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml index 3757f228fe..45cbeb2aaa 100644 
--- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml @@ -1,8 +1,8 @@ name: Detect DNS Data Exfiltration using pretrained model in DSDL id: 92f65c3a-168c-11ed-71eb-0242ac120012 -version: 6 -date: '2026-01-20' -status: experimental +version: 7 +date: '2026-02-25' +status: deprecated author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly data_source: [] diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml similarity index 98% rename from detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml index 2a02d63d49..f44a6c3ff5 100644 --- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml @@ -1,9 +1,9 @@ name: Detect suspicious DNS TXT records using pretrained model in DSDL id: 92f65c3a-968c-11ed-a1eb-0242ac120002 -version: 6 -date: '2026-01-20' +version: 7 +date: '2026-02-25' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network 
diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/deprecated/dns_query_length_outliers___mltk_deprecated.yml similarity index 98% rename from detections/network/dns_query_length_outliers___mltk.yml rename to detections/deprecated/dns_query_length_outliers___mltk_deprecated.yml index b9f1bf58ae..ef0799e592 100644 --- a/detections/network/dns_query_length_outliers___mltk.yml +++ b/detections/deprecated/dns_query_length_outliers___mltk_deprecated.yml @@ -1,9 +1,9 @@ name: DNS Query Length Outliers - MLTK id: 85fbcfe8-9718-4911-adf6-7000d077a3a9 -version: 8 -date: '2026-01-22' +version: 9 +date: '2026-02-25' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/deprecated/potentially_malicious_code_on_commandline_deprecated.yml similarity index 99% rename from detections/endpoint/potentially_malicious_code_on_commandline.yml rename to detections/deprecated/potentially_malicious_code_on_commandline_deprecated.yml index a3e8f8d010..7b2a7e246a 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/deprecated/potentially_malicious_code_on_commandline_deprecated.yml @@ -1,9 +1,9 @@ name: Potentially malicious code on commandline id: 9c53c446-757e-11ec-871d-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2026-02-25' author: Michael Hart, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations 
diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/deprecated/smb_traffic_spike___mltk_deprecated.yml similarity index 98% rename from detections/network/smb_traffic_spike___mltk.yml rename to detections/deprecated/smb_traffic_spike___mltk_deprecated.yml index dca4f8663b..0fa62af0a9 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/deprecated/smb_traffic_spike___mltk_deprecated.yml @@ -1,9 +1,9 @@ name: SMB Traffic Spike - MLTK id: d25773ba-9ad8-48d1-858e-07ad0bbeb828 -version: 9 -date: '2026-01-22' +version: 10 +date: '2026-02-25' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/deprecated/unusually_long_command_line___mltk_deprecated.yml similarity index 98% rename from detections/endpoint/unusually_long_command_line___mltk.yml rename to detections/deprecated/unusually_long_command_line___mltk_deprecated.yml index 76bf6deeb6..bd09f67c58 100644 --- a/detections/endpoint/unusually_long_command_line___mltk.yml +++ b/detections/deprecated/unusually_long_command_line___mltk_deprecated.yml @@ -1,9 +1,9 @@ name: Unusually Long Command Line - MLTK id: 57edaefa-a73b-45e5-bbae-f39c1473f941 -version: 7 -date: '2025-05-02' +version: 8 +date: '2026-02-25' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml index cb4be84838..024cee9c35 100644 
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml +++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml @@ -1,10 +1,10 @@ name: Detect suspicious processnames using pretrained model in DSDL id: a15f8977-ad7d-4669-92ef-b59b97219bf5 -version: 7 -date: '2025-05-02' +version: 8 +date: '2026-02-25' author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly -status: experimental +status: deprecated data_source: - Sysmon EventID 1 description: The following analytic identifies suspicious process names using a pre-trained From 6c05f12e36440eeb783daa07c10ec9c0d0fd2efd Mon Sep 17 00:00:00 2001 
From: Bhavin Patel Date: Wed, 25 Feb 2026 23:03:34 +0530 Subject: [PATCH 2/6] updating filename --- ...ml => abnormally_high_number_of_cloud_instances_destroyed.yml} | 0 ...yml => abnormally_high_number_of_cloud_instances_launched.yml} | 0 ....yml => detect_dga_domains_using_pretrained_model_in_dsdl.yml} | 0 ...tect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml} | 0 ...suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml} | 0 ...__mltk_deprecated.yml => dns_query_length_outliers___mltk.yml} | 0 ...precated.yml => potentially_malicious_code_on_commandline.yml} | 0 ...c_spike___mltk_deprecated.yml => smb_traffic_spike___mltk.yml} | 0 ...mltk_deprecated.yml => unusually_long_command_line___mltk.yml} | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename detections/deprecated/{abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml => abnormally_high_number_of_cloud_instances_destroyed.yml} (100%) rename detections/deprecated/{abnormally_high_number_of_cloud_instances_launched_deprecated.yml => abnormally_high_number_of_cloud_instances_launched.yml} (100%) rename detections/deprecated/{detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml => detect_dga_domains_using_pretrained_model_in_dsdl.yml} (100%) rename detections/deprecated/{detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml => detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml} (100%) rename detections/deprecated/{detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml => detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml} (100%) rename detections/deprecated/{dns_query_length_outliers___mltk_deprecated.yml => dns_query_length_outliers___mltk.yml} (100%) rename detections/deprecated/{potentially_malicious_code_on_commandline_deprecated.yml => potentially_malicious_code_on_commandline.yml} (100%) rename detections/deprecated/{smb_traffic_spike___mltk_deprecated.yml => 
smb_traffic_spike___mltk.yml} (100%) rename detections/deprecated/{unusually_long_command_line___mltk_deprecated.yml => unusually_long_command_line___mltk.yml} (100%) diff --git a/detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml b/detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed.yml similarity index 100% rename from detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed_deprecated.yml rename to detections/deprecated/abnormally_high_number_of_cloud_instances_destroyed.yml diff --git a/detections/deprecated/abnormally_high_number_of_cloud_instances_launched_deprecated.yml b/detections/deprecated/abnormally_high_number_of_cloud_instances_launched.yml similarity index 100% rename from detections/deprecated/abnormally_high_number_of_cloud_instances_launched_deprecated.yml rename to detections/deprecated/abnormally_high_number_of_cloud_instances_launched.yml diff --git a/detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml b/detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl.yml similarity index 100% rename from detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl_deprecated.yml rename to detections/deprecated/detect_dga_domains_using_pretrained_model_in_dsdl.yml diff --git a/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml similarity index 100% rename from detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl_deprecated.yml rename to detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml 
diff --git a/detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml b/detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml similarity index 100% rename from detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl_deprecated.yml rename to detections/deprecated/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml diff --git a/detections/deprecated/dns_query_length_outliers___mltk_deprecated.yml b/detections/deprecated/dns_query_length_outliers___mltk.yml similarity index 100% rename from detections/deprecated/dns_query_length_outliers___mltk_deprecated.yml rename to detections/deprecated/dns_query_length_outliers___mltk.yml diff --git a/detections/deprecated/potentially_malicious_code_on_commandline_deprecated.yml b/detections/deprecated/potentially_malicious_code_on_commandline.yml similarity index 100% rename from detections/deprecated/potentially_malicious_code_on_commandline_deprecated.yml rename to detections/deprecated/potentially_malicious_code_on_commandline.yml diff --git a/detections/deprecated/smb_traffic_spike___mltk_deprecated.yml b/detections/deprecated/smb_traffic_spike___mltk.yml similarity index 100% rename from detections/deprecated/smb_traffic_spike___mltk_deprecated.yml rename to detections/deprecated/smb_traffic_spike___mltk.yml diff --git a/detections/deprecated/unusually_long_command_line___mltk_deprecated.yml b/detections/deprecated/unusually_long_command_line___mltk.yml similarity index 100% rename from detections/deprecated/unusually_long_command_line___mltk_deprecated.yml rename to detections/deprecated/unusually_long_command_line___mltk.yml From f05b7341ec8d99cf74d97bb93e4146936ecfd86f Mon Sep 17 00:00:00 2001 
From: Bhavin Patel Date: Wed, 25 Feb 2026 23:17:11 +0530 Subject: [PATCH 3/6] adding two more --- ...rmally_high_number_of_cloud_infrastructure_api_calls.yml | 6 +++--- ...rmally_high_number_of_cloud_security_group_api_calls.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) rename detections/{cloud => deprecated}/abnormally_high_number_of_cloud_infrastructure_api_calls.yml (98%) rename detections/{cloud => deprecated}/abnormally_high_number_of_cloud_security_group_api_calls.yml (98%) diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/deprecated/abnormally_high_number_of_cloud_infrastructure_api_calls.yml similarity index 98% rename from detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml rename to detections/deprecated/abnormally_high_number_of_cloud_infrastructure_api_calls.yml index bdfe336b65..0fb26645b5 100644 --- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_infrastructure_api_calls.yml @@ -1,9 +1,9 @@ name: Abnormally High Number Of Cloud Infrastructure API Calls id: 0840ddf1-8c89-46ff-b730-c8d6722478c0 -version: 10 -date: '2026-01-14' +version: 11 +date: '2026-02-25' author: David Dorsey, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/deprecated/abnormally_high_number_of_cloud_security_group_api_calls.yml similarity index 98% rename from detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml rename to detections/deprecated/abnormally_high_number_of_cloud_security_group_api_calls.yml index 85b1eb0a07..7431009d69 100644 
--- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml +++ b/detections/deprecated/abnormally_high_number_of_cloud_security_group_api_calls.yml @@ -1,9 +1,9 @@ name: Abnormally High Number Of Cloud Security Group API Calls id: d4dfb7f3-7a37-498a-b5df-f19334e871af -version: 9 -date: '2026-01-14' +version: 10 +date: '2026-02-25' author: David Dorsey, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, From 8a24db86c229f33ddbba03b00565a120ca3108ec Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 26 Feb 2026 11:00:07 +0530 Subject: [PATCH 4/6] removing associated baselines --- .../baseline_of_cloud_infrastructure_api_calls_per_user.yml | 6 +++--- .../baseline_of_cloud_instances_destroyed.yml | 6 +++--- .../baseline_of_cloud_instances_launched.yml | 6 +++--- .../baseline_of_cloud_security_group_api_calls_per_user.yml | 6 +++--- .../baseline_of_command_line_length___mltk.yml | 6 +++--- .../baseline_of_dns_query_length___mltk.yml | 6 +++--- .../{ => deprecated}/baseline_of_smb_traffic___mltk.yml | 6 +++--- 7 files changed, 21 insertions(+), 21 deletions(-) rename baselines/{ => deprecated}/baseline_of_cloud_infrastructure_api_calls_per_user.yml (98%) rename baselines/{ => deprecated}/baseline_of_cloud_instances_destroyed.yml (98%) rename baselines/{ => deprecated}/baseline_of_cloud_instances_launched.yml (98%) rename baselines/{ => deprecated}/baseline_of_cloud_security_group_api_calls_per_user.yml (97%) rename baselines/{ => deprecated}/baseline_of_command_line_length___mltk.yml (98%) rename baselines/{ => deprecated}/baseline_of_dns_query_length___mltk.yml (97%) rename baselines/{ => deprecated}/baseline_of_smb_traffic___mltk.yml (98%) 
diff --git a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml b/baselines/deprecated/baseline_of_cloud_infrastructure_api_calls_per_user.yml similarity index 98% rename from baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml rename to baselines/deprecated/baseline_of_cloud_infrastructure_api_calls_per_user.yml index 7c9164b602..5dfd478484 100644 --- a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml +++ b/baselines/deprecated/baseline_of_cloud_infrastructure_api_calls_per_user.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Infrastructure API Calls Per User id: 1da5d5ea-4382-447d-98a9-87c358c95fcb -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt weekly. The model diff --git a/baselines/baseline_of_cloud_instances_destroyed.yml b/baselines/deprecated/baseline_of_cloud_instances_destroyed.yml similarity index 98% rename from baselines/baseline_of_cloud_instances_destroyed.yml rename to baselines/deprecated/baseline_of_cloud_instances_destroyed.yml index e5ee3f44e0..737e874a46 100644 --- a/baselines/baseline_of_cloud_instances_destroyed.yml +++ b/baselines/deprecated/baseline_of_cloud_instances_destroyed.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Instances Destroyed id: a2f701f8-5296-4d74-829c-0b7eb346d549 -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are destroyed in the environment. By default, the search 
diff --git a/baselines/baseline_of_cloud_instances_launched.yml b/baselines/deprecated/baseline_of_cloud_instances_launched.yml similarity index 98% rename from baselines/baseline_of_cloud_instances_launched.yml rename to baselines/deprecated/baseline_of_cloud_instances_launched.yml index 126f90a4f1..b1b65e765b 100644 --- a/baselines/baseline_of_cloud_instances_launched.yml +++ b/baselines/deprecated/baseline_of_cloud_instances_launched.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Instances Launched id: b01bd274-f661-4f9c-bd9f-cf23ff6ae0bc -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many instances are created in the environment. By default, the search uses diff --git a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml b/baselines/deprecated/baseline_of_cloud_security_group_api_calls_per_user.yml similarity index 97% rename from baselines/baseline_of_cloud_security_group_api_calls_per_user.yml rename to baselines/deprecated/baseline_of_cloud_security_group_api_calls_per_user.yml index 288e115ded..f6bc14fc18 100644 --- a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml +++ b/baselines/deprecated/baseline_of_cloud_security_group_api_calls_per_user.yml @@ -1,10 +1,10 @@ name: Baseline Of Cloud Security Group API Calls Per User id: 67b84d51-8329-4909-849f-8d38ce54260a -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: David Dorsey, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model for how many API calls for security groups are performed by each user. By default, the search uses the last 90 days of data to build the model and the model is rebuilt 
diff --git a/baselines/baseline_of_command_line_length___mltk.yml b/baselines/deprecated/baseline_of_command_line_length___mltk.yml similarity index 98% rename from baselines/baseline_of_command_line_length___mltk.yml rename to baselines/deprecated/baseline_of_command_line_length___mltk.yml index 98a45f7865..ccd517f506 100644 --- a/baselines/baseline_of_command_line_length___mltk.yml +++ b/baselines/deprecated/baseline_of_command_line_length___mltk.yml @@ -1,10 +1,10 @@ name: Baseline of Command Line Length - MLTK id: d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459 -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: Rico Valdez, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the command lines observed for each user in the environment. diff --git a/baselines/baseline_of_dns_query_length___mltk.yml b/baselines/deprecated/baseline_of_dns_query_length___mltk.yml similarity index 97% rename from baselines/baseline_of_dns_query_length___mltk.yml rename to baselines/deprecated/baseline_of_dns_query_length___mltk.yml index c763df2efd..ad1905c0db 100644 --- a/baselines/baseline_of_dns_query_length___mltk.yml +++ b/baselines/deprecated/baseline_of_dns_query_length___mltk.yml @@ -1,10 +1,10 @@ name: Baseline of DNS Query Length - MLTK id: c914844c-0ff5-4efc-8d44-c063443129ba -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: Rico Valdez, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the length of the DNS queries for each DNS record type observed 
diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/deprecated/baseline_of_smb_traffic___mltk.yml similarity index 98% rename from baselines/baseline_of_smb_traffic___mltk.yml rename to baselines/deprecated/baseline_of_smb_traffic___mltk.yml index 5748c3eda0..8a0177c059 100644 --- a/baselines/baseline_of_smb_traffic___mltk.yml +++ b/baselines/deprecated/baseline_of_smb_traffic___mltk.yml @@ -1,10 +1,10 @@ name: Baseline of SMB Traffic - MLTK id: df98763b-0b08-4281-8ef9-08db7ac572a9 -version: 2 -date: '2026-01-14' +version: 3 +date: '2026-02-25' author: Rico Valdez, Splunk type: Baseline -status: production +status: deprecated description: This search is used to build a Machine Learning Toolkit (MLTK) model to characterize the number of SMB connections observed each hour for every day of From b117d0b4eb07f0a93b6073b61bd31b3e7714c1d6 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 26 Feb 2026 11:26:27 +0530 Subject: [PATCH 5/6] dsdl --- ...ect_suspicious_processnames_using_pretrained_model_in_dsdl.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename detections/{endpoint => deprecated}/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml (100%) diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml similarity index 100% rename from detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml rename to detections/deprecated/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml From e73a188e41c9fe005962e378239cff39865bd4da Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 26 Feb 2026 14:12:38 +0530 Subject: [PATCH 6/6] updating file names --- ...tration_using_pretrained_model_in_dsdl.yml | 2 +- removed/deprecation_mapping.YML | 65 ++++++++++++++++--- 2 files changed, 58 insertions(+), 9 deletions(-) 
diff --git a/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml index 644f6f3403..4b250abc17 100644 --- a/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml +++ b/detections/deprecated/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml @@ -2,7 +2,7 @@ name: Detect DNS Data Exfiltration using pretrained model in DSDL id: 92f65c3a-168c-11ed-71eb-0242ac120012 version: 7 date: '2026-02-25' -status: experimental +status: deprecated author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk type: Anomaly data_source: [] diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML index 2ad27b0c34..00a22a111b 100644 --- a/removed/deprecation_mapping.YML +++ b/removed/deprecation_mapping.YML 
@@ -1,4 +1,40 @@ detections: + - content: Abnormally High Number Of Cloud Infrastructure API Calls + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Abnormally High Number Of Cloud Instances Destroyed + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Abnormally High Number Of Cloud Instances Launched + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Abnormally High Number Of Cloud Security Group API Calls + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect DNS Data Exfiltration using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: DNS Query Length Outliers - MLTK + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: SMB Traffic Spike - MLTK + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Unusually Long Command Line - MLTK + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect DGA domains using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection 
is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect suspicious DNS TXT records using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Detect suspicious processnames using pretrained model in DSDL + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) + - content: Potentially malicious code on commandline + removed_in_version: 5.26.0 + reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit) - content: Linux apt-get Privilege Escalation removed_in_version: 5.24.0 reason: Detection has been deprecated in favor of a more broad and generic logic that aims to reduce overhead and increase coverage. @@ -389,8 +425,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Security Group API Calls - content: Office Product Spawning BITSAdmin removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity @@ -716,8 +750,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Instances Launched - content: EC2 Instance Modified With Previously Unseen User removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the 
@@ -741,8 +773,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Instances Destroyed - content: Web Fraud - Account Harvesting removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity @@ -800,8 +830,6 @@ detections: removed_in_version: 5.2.0 reason: Detections updated to use the new search logic and field names due to the TA update - replacement_content: - - Abnormally High Number Of Cloud Infrastructure API Calls - content: Suspicious Powershell Command-Line Arguments removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity 
@@ -878,6 +906,27 @@ detections: removed_in_version: 5.2.0 reason: Detection deprecated as it no longer effectively identifies the intended malicious activity baselines: + - content: Baseline Of Cloud Infrastructure API Calls Per User + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline Of Cloud Instances Destroyed + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline Of Cloud Instances Launched + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline Of Cloud Security Group API Calls Per User + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline of Command Line Length - MLTK + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline of DNS Query Length - MLTK + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' + - content: Baseline of SMB Traffic - MLTK + removed_in_version: 5.26.0 + reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.' - content: Previously Seen AWS Cross Account Activity removed_in_version: 5.4.0 reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
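Review bot: in the first hunk (`@@ -1,4 +1,40 @@`) none of the twelve new 5.26.0 entries carries a `replacement_content` key, while the file's older entries use that key to point operators at a successor; either add the replacement where one exists or state in `reason` that there is none, so a reader of this manifest knows which coverage is lost rather than moved. The `reason` string is also copied verbatim twelve times and reads "Detection is deprecated as these do not work with ..." on a per-detection entry, which mixes singular and plural; a single-subject wording such as "this detection does not work with ..." would be clearer, and if the loader tolerates YAML anchors one `&reason` definition reused with `*reason` would avoid the twelve copies drifting apart in later edits.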
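Review bot: the hunk at `@@ -389,8 +425,6 @@` drops the `replacement_content` list that named "Abnormally High Number Of Cloud Security Group API Calls" as the successor of a detection deprecated in 5.2.0, and the hunks at `-716`, `-741` and `-800` do the same for the other three cloud detections; after this change those 5.2.0 entries record no successor at all, which silently rewrites the earlier deprecation history. Since the successor is itself being deprecated in this same patch, either keep the original `replacement_content` so the chain 5.2.0 -> cloud detection -> 5.26.0 remains traceable, or extend the 5.2.0 entry's `reason` to say the replacement was later deprecated in 5.26.0. Please also confirm in the description whether a validator rejects `replacement_content` that points at deprecated content, because that would explain the removal and should be stated.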
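Review bot: in the baselines hunk (`@@ -878,6 +906,27 @@`) the seven new `reason` values are single-quoted, whereas the twelve new detection `reason` values in the first hunk are bare scalars; both forms parse, but mixing them in one patch makes diffs noisier and invites a future quoting mistake, so pick one style for the new entries. Each baseline reason also says "All detection(s) which leverage this baseline have been deprecated"; for the baselines of Cloud Infrastructure API Calls and Cloud Security Group API Calls that is only true if the matching detections are deprecated in this same version, so it is worth double-checking that every baseline listed here has all of its consuming detections in the 5.26.0 block above before merging.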
