Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
name: Baseline Of Cloud Infrastructure API Calls Per User
id: 1da5d5ea-4382-447d-98a9-87c358c95fcb
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: David Dorsey, Splunk
type: Baseline
status: production
status: deprecated
description: This search is used to build a Machine Learning Toolkit (MLTK) model
for how many API calls are performed by each user. By default, the search uses the
last 90 days of data to build the model and the model is rebuilt weekly. The model
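Review bot: the description in this hunk still presents the baseline as active ("This search is used to build a Machine Learning Toolkit (MLTK) model ... the model is rebuilt weekly") even though `status:` now reads `deprecated`; if the project convention is to leave descriptions untouched on deprecation that is fine, otherwise a leading sentence stating that the baseline is deprecated and pointing at removed/deprecation_mapping.YML would help anyone who opens the YAML directly rather than through the mapping. The status flip here is paired with a version bump (2 to 3) and a new date, and the same shape repeats in the six baseline hunks that follow, which is consistent.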
@@ -1,10 +1,10 @@
name: Baseline Of Cloud Instances Destroyed
id: a2f701f8-5296-4d74-829c-0b7eb346d549
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: David Dorsey, Splunk
type: Baseline
status: production
status: deprecated
description:
This search is used to build a Machine Learning Toolkit (MLTK) model
for how many instances are destroyed in the environment. By default, the search
@@ -1,10 +1,10 @@
name: Baseline Of Cloud Instances Launched
id: b01bd274-f661-4f9c-bd9f-cf23ff6ae0bc
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: David Dorsey, Splunk
type: Baseline
status: production
status: deprecated
description:
This search is used to build a Machine Learning Toolkit (MLTK) model
for how many instances are created in the environment. By default, the search uses
@@ -1,10 +1,10 @@
name: Baseline Of Cloud Security Group API Calls Per User
id: 67b84d51-8329-4909-849f-8d38ce54260a
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: David Dorsey, Splunk
type: Baseline
status: production
status: deprecated
description: This search is used to build a Machine Learning Toolkit (MLTK) model
for how many API calls for security groups are performed by each user. By default,
the search uses the last 90 days of data to build the model and the model is rebuilt
@@ -1,10 +1,10 @@
name: Baseline of Command Line Length - MLTK
id: d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: Rico Valdez, Splunk
type: Baseline
status: production
status: deprecated
description:
This search is used to build a Machine Learning Toolkit (MLTK) model
to characterize the length of the command lines observed for each user in the environment.
@@ -1,10 +1,10 @@
name: Baseline of DNS Query Length - MLTK
id: c914844c-0ff5-4efc-8d44-c063443129ba
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: Rico Valdez, Splunk
type: Baseline
status: production
status: deprecated
description:
This search is used to build a Machine Learning Toolkit (MLTK) model
to characterize the length of the DNS queries for each DNS record type observed
@@ -1,10 +1,10 @@
name: Baseline of SMB Traffic - MLTK
id: df98763b-0b08-4281-8ef9-08db7ac572a9
version: 2
date: '2026-01-14'
version: 3
date: '2026-02-25'
author: Rico Valdez, Splunk
type: Baseline
status: production
status: deprecated
description:
This search is used to build a Machine Learning Toolkit (MLTK) model
to characterize the number of SMB connections observed each hour for every day of
Expand Up @@ -3,7 +3,7 @@ id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
version: 11
date: '2026-02-25'
author: David Dorsey, Splunk
status: production
status: deprecated
type: Anomaly
description: The following analytic detects a spike in the number of API calls made to your cloud infrastructure by a user. It leverages cloud infrastructure logs and compares the current API call volume against a baseline probability density function to identify anomalies. This activity is significant because an unusual increase in API calls can indicate potential misuse or compromise of cloud resources. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of cloud services, posing a significant risk to the organization's cloud environment.
data_source:
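Review bot: `version: 11` and `date: '2026-02-25'` are unchanged context in this hunk, so the change of `status:` to `deprecated` ships without a version increment, whereas the baseline hunks above and the "Potentially malicious code on commandline" hunk below bump both version and date for the same kind of edit. If the convention is that any field change increments `version`, this hunk and the other detection hunks that only swap the `status:` line (Cloud Instances Destroyed and Launched, Cloud Security Group API Calls, the three DSDL detections, DNS Query Length Outliers, SMB Traffic Spike, Unusually Long Command Line) should be bumped as well; if version and date were already raised by an earlier change in this release, a one-line note in the PR description would spare the next reviewer the same question.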
Expand Up @@ -3,7 +3,7 @@ id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
version: 8
date: '2026-02-25'
author: David Dorsey, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic identifies an abnormally high number of cloud instances being destroyed within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to detect outliers. This activity is significant for a SOC because a sudden spike in destroyed instances could indicate malicious activity, such as an insider threat or a compromised account attempting to disrupt services. If confirmed malicious, this could lead to significant operational disruptions, data loss, and potential financial impact due to the destruction of critical cloud resources.
data_source:
Expand Up @@ -3,7 +3,7 @@ id: f2361e9f-3928-496c-a556-120cd4223a65
version: 9
date: '2026-02-25'
author: David Dorsey, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic detects an abnormally high number of cloud instances launched within a 4-hour period. It leverages cloud infrastructure logs and applies a probability density model to identify outliers based on historical data. This activity is significant for a SOC because a sudden spike in instance creation could indicate unauthorized access or misuse of cloud resources. If confirmed malicious, this behavior could lead to resource exhaustion, increased costs, or provide attackers with additional compute resources to further their objectives.
data_source:
Expand Up @@ -3,7 +3,7 @@ id: d4dfb7f3-7a37-498a-b5df-f19334e871af
version: 10
date: '2026-02-25'
author: David Dorsey, Splunk
status: production
status: deprecated
type: Anomaly
description: The following analytic detects a spike in the number of API calls made to cloud security groups by a user. It leverages data from the Change data model, focusing on successful firewall-related changes. This activity is significant because an abnormal increase in security group API calls can indicate potential malicious activity, such as unauthorized access or configuration changes. If confirmed malicious, this could allow an attacker to manipulate security group settings, potentially exposing sensitive resources or disrupting network security controls.
data_source:
Expand Up @@ -3,7 +3,7 @@ id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493
version: 6
date: '2026-02-25'
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic identifies Domain Generation Algorithm (DGA) generated domains using a pre-trained deep learning model. It leverages the Network Resolution data model to analyze domain names and detect unusual character sequences indicative of DGA activity. This behavior is significant as adversaries often use DGAs to generate numerous domain names for command-and-control servers, making it harder to block malicious traffic. If confirmed malicious, this activity could enable attackers to maintain persistent communication with compromised systems, evade detection, and execute further malicious actions.
data_source: []
Expand Up @@ -2,7 +2,7 @@ name: Detect DNS Data Exfiltration using pretrained model in DSDL
id: 92f65c3a-168c-11ed-71eb-0242ac120012
version: 7
date: '2026-02-25'
status: experimental
status: deprecated
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
type: Anomaly
data_source: []
Expand Up @@ -3,7 +3,7 @@ id: 92f65c3a-968c-11ed-a1eb-0242ac120002
version: 7
date: '2026-02-25'
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic identifies suspicious DNS TXT records using a pre-trained deep learning model. It leverages DNS response data from the Network Resolution data model, categorizing TXT records into known types via regular expressions. Records that do not match known patterns are flagged as suspicious. This activity is significant as DNS TXT records can be used for data exfiltration or command-and-control communication. If confirmed malicious, attackers could use these records to covertly transfer data or receive instructions, posing a severe threat to network security.
data_source: []
Expand Up @@ -4,7 +4,7 @@ version: 8
date: '2026-02-25'
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
type: Anomaly
status: experimental
status: deprecated
data_source:
- Sysmon EventID 1
description: The following analytic identifies suspicious process names using a pre-trained Deep Learning model. It leverages Endpoint Detection and Response (EDR) telemetry to analyze process names and predict their likelihood of being malicious. The model, a character-level Recurrent Neural Network (RNN), classifies process names as benign or suspicious based on a threshold score of 0.5. This detection is significant as it helps identify malware, such as TrickBot, which often uses randomly generated filenames to evade detection. If confirmed malicious, this activity could indicate the presence of malware capable of propagating across the network and executing harmful actions.
Expand Up @@ -3,7 +3,7 @@ id: 85fbcfe8-9718-4911-adf6-7000d077a3a9
version: 9
date: '2026-02-25'
author: Rico Valdez, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic identifies DNS requests with unusually large query lengths for the record type being requested. It leverages the Network_Resolution data model and applies a machine learning model to detect outliers in DNS query lengths. This activity is significant because unusually large DNS queries can indicate data exfiltration or command-and-control communication attempts. If confirmed malicious, this activity could allow attackers to exfiltrate sensitive data or maintain persistent communication channels with compromised systems.
data_source: []
@@ -1,9 +1,9 @@
name: Potentially malicious code on commandline
id: 9c53c446-757e-11ec-871d-acde48001122
version: 6
date: '2025-05-02'
version: 7
date: '2026-02-25'
author: Michael Hart, Splunk
status: production
status: deprecated
type: Anomaly
description: The following analytic detects potentially malicious command lines using a pretrained machine learning text classifier. It identifies unusual keyword combinations in command lines, such as "streamreader," "webclient," "mutex," "function," and "computehash," which are often associated with adversarial PowerShell code execution for C2 communication. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command lines longer than 200 characters. This activity is significant as it can indicate an attempt to execute malicious scripts, potentially leading to unauthorized code execution, data exfiltration, or further system compromise.
data_source:
Expand Up @@ -3,7 +3,7 @@ id: d25773ba-9ad8-48d1-858e-07ad0bbeb828
version: 10
date: '2026-02-25'
author: Rico Valdez, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.
data_source: []
Expand Up @@ -3,7 +3,7 @@ id: 57edaefa-a73b-45e5-bbae-f39c1473f941
version: 8
date: '2026-02-25'
author: Rico Valdez, Splunk
status: experimental
status: deprecated
type: Anomaly
description: The following analytic identifies unusually long command lines executed on hosts, which may indicate malicious activity. It leverages the Machine Learning Toolkit (MLTK) to detect command lines with lengths that deviate from the norm for a given user. This is significant for a SOC as unusually long command lines can be a sign of obfuscation or complex malicious scripts. If confirmed malicious, this activity could allow attackers to execute sophisticated commands, potentially leading to unauthorized access, data exfiltration, or further compromise of the system.
data_source:
65 changes: 57 additions & 8 deletions removed/deprecation_mapping.YML
@@ -1,4 +1,40 @@
detections:
- content: Abnormally High Number Of Cloud Infrastructure API Calls
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Abnormally High Number Of Cloud Instances Destroyed
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Abnormally High Number Of Cloud Instances Launched
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Abnormally High Number Of Cloud Security Group API Calls
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Detect DNS Data Exfiltration using pretrained model in DSDL
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: DNS Query Length Outliers - MLTK
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: SMB Traffic Spike - MLTK
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Unusually Long Command Line - MLTK
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Detect DGA domains using pretrained model in DSDL
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Detect suspicious DNS TXT records using pretrained model in DSDL
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Detect suspicious processnames using pretrained model in DSDL
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Potentially malicious code on commandline
removed_in_version: 5.26.0
reason: Detection is deprecated as these do not work with the latest Splunk AI Toolkit and Python for Scientific Computing (for Linux 64-bit)
- content: Linux apt-get Privilege Escalation
removed_in_version: 5.24.0
reason: Detection has been deprecated in favor of a more broad and generic logic that aims to reduce overhead and increase coverage.
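Review bot: the `reason:` text on the twelve new entries reads "Detection is deprecated as these do not work ..." with a singular subject and a plural pronoun; "as it does not work with ..." reads correctly on each entry. The same sentence is pasted twelve times verbatim; if the project's loader and schema validator accept YAML anchors, defining it once (for example `&mltk_reason`) and referencing it (`*mltk_reason`) would keep the entries from drifting, but only if the validator tolerates anchors, which is worth checking before changing. Separately, none of the twelve entries carry `replacement_content`; if no successor exists for the MLTK and DSDL analytics, stating that in the reason makes the absence deliberate rather than an omission. The "(for Linux 64-bit)" qualifier also raises the question whether the incompatibility is platform-specific or simply part of the package's full name; the reason should make that clear.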
Expand Down Expand Up @@ -389,8 +425,6 @@ detections:
removed_in_version: 5.2.0
reason: Detections updated to use the new search logic and field names due to the
TA update
replacement_content:
- Abnormally High Number Of Cloud Security Group API Calls
- content: Office Product Spawning BITSAdmin
removed_in_version: 5.2.0
reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
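Review bot: removing `replacement_content` in this hunk leaves the 5.2.0 entry (whose `content:` name sits above the visible context) with a reason that says the detection was "updated to use the new search logic and field names" but no pointer to what it became. The removed pointer, "Abnormally High Number Of Cloud Security Group API Calls", is itself deprecated in this same PR, so either keep the pointer and let the 5.26.0 entry explain the final state, or extend this reason to say that the replacement has since been deprecated with no successor. The same applies to the three hunks below that drop the Cloud Instances Launched, Cloud Instances Destroyed and Cloud Infrastructure API Calls pointers.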
Expand Down Expand Up @@ -716,8 +750,6 @@ detections:
removed_in_version: 5.2.0
reason: Detections updated to use the new search logic and field names due to the
TA update
replacement_content:
- Abnormally High Number Of Cloud Instances Launched
- content: EC2 Instance Modified With Previously Unseen User
removed_in_version: 5.2.0
reason: Detections updated to use the new search logic and field names due to the
Expand All @@ -741,8 +773,6 @@ detections:
removed_in_version: 5.2.0
reason: Detections updated to use the new search logic and field names due to the
TA update
replacement_content:
- Abnormally High Number Of Cloud Instances Destroyed
- content: Web Fraud - Account Harvesting
removed_in_version: 5.2.0
reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
Expand Down Expand Up @@ -800,8 +830,6 @@ detections:
removed_in_version: 5.2.0
reason: Detections updated to use the new search logic and field names due to the
TA update
replacement_content:
- Abnormally High Number Of Cloud Infrastructure API Calls
- content: Suspicious Powershell Command-Line Arguments
removed_in_version: 5.2.0
reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
Expand Down Expand Up @@ -878,6 +906,27 @@ detections:
removed_in_version: 5.2.0
reason: Detection deprecated as it no longer effectively identifies the intended malicious activity
baselines:
- content: Baseline Of Cloud Infrastructure API Calls Per User
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Baseline Of Cloud Instances Destroyed
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Baseline Of Cloud Instances Launched
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Baseline Of Cloud Security Group API Calls Per User
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Baseline of Command Line Length - MLTK
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Baseline of DNS Query Length - MLTK
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Baseline of SMB Traffic - MLTK
removed_in_version: 5.26.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
- content: Previously Seen AWS Cross Account Activity
removed_in_version: 5.4.0
reason: 'All detection(s) which leverage this baseline have been deprecated. As such, this baseline has been deprecated as well.'
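Review bot: the seven new `baselines:` entries quote `reason:` with single quotes while the twelve `detections:` entries added at the top of this file leave the reason unquoted; both forms parse, but using one style for the entries added in this PR keeps the file consistent with itself (the pre-existing "Previously Seen AWS Cross Account Activity" entry uses the quoted form, so quoting the detection reasons would be the smaller change). Also worth a quick check that each `content:` string here matches the `name:` field of the corresponding baseline YAML character for character, since "Baseline Of Cloud ..." and "Baseline of ... - MLTK" differ in capitalisation and a mismatch would silently orphan the mapping entry.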