diff --git a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml 
index 0383585d30..b536f4a8c4 100644 
--- a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml 
+++ b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml 
@@ -1,7 +1,7 @@
 name: Cisco AI Defense Security Alerts by Application Name
 id: 105e4a69-ec55-49fc-be1f-902467435ea8 
-version: 4 
-date: '2026-02-25' 
+version: 5 
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly 
@@ -56,7 +56,7 @@ rba:
 risk_objects:
 - field: application_name
 type: other 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml 
index 2adb498d67..d728f086b7 100644 
--- a/detections/application/cisco_asa___aaa_policy_tampering.yml 
+++ b/detections/application/cisco_asa___aaa_policy_tampering.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - AAA Policy Tampering
 id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -61,7 +61,7 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 40 
+ score: 20
 threat_objects:
 - field: command
 type: process 
diff --git a/detections/application/cisco_asa___device_file_copy_activity.yml b/detections/application/cisco_asa___device_file_copy_activity.yml 
index 76114e32d7..6db676e790 100644 
--- a/detections/application/cisco_asa___device_file_copy_activity.yml 
+++ b/detections/application/cisco_asa___device_file_copy_activity.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy Activity
 id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -61,7 +61,7 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 50 
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address 
diff --git a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml 
index f8588df770..5ff2eef279 100644 
--- a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml 
+++ b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy to Remote Location
 id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -82,10 +82,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 50 
+ score: 20
 - field: user
 type: user 
- score: 50 
+ score: 20
 threat_objects:
 - field: dest
 type: ip_address 
diff --git a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml 
index a4f2e87ec6..48ec774cd7 100644 
--- a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml 
+++ b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -71,10 +71,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 60 
+ score: 20
 - field: user
 type: user 
- score: 60 
+ score: 20
 threat_objects:
 - field: command
 type: process 
diff --git a/detections/application/cisco_asa___logging_message_suppression.yml b/detections/application/cisco_asa___logging_message_suppression.yml 
index 6de3fd37fa..74f12e4cfd 100644 
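Review bot: Tampering with a firewall's logging filters — a defense-evasion action taken precisely so that later activity goes unrecorded — now scores the same 20 points per risk object as the reconnaissance and packet-capture rules normalized later in this diff, down from 60 for both `host` and `user` in the `@@ -71,10 +71,10 @@` hunk. Under RBA's additive model one such event contributes a fifth of the commonly used 100-point notable threshold instead of well over half, so it only surfaces if four other anomalies land on the same entity inside the risk window. If a flat 20 for every `type: Anomaly` detection is the new convention, it should be stated in the file so the next editor does not "fix" it back, e.g. `# RBA: flat Anomaly score; severity is conveyed by analytic_story/MITRE tags, not by score` above `rba:`; if it is not, this rule and `Logging Message Suppression` in the next hunk are candidates for `type: TTP` rather than a lower score. The `rba:` block begins before the hunk and the `threat_objects` entry for `command` runs past its end.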
--- a/detections/application/cisco_asa___logging_message_suppression.yml 
+++ b/detections/application/cisco_asa___logging_message_suppression.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -56,10 +56,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 50 
+ score: 20
 - field: user
 type: user 
- score: 50 
+ score: 20
 threat_objects:
 - field: command
 type: process 
diff --git a/detections/application/cisco_asa___new_local_user_account_created.yml b/detections/application/cisco_asa___new_local_user_account_created.yml 
index 87e96ae0ab..f2e8237315 100644 
--- a/detections/application/cisco_asa___new_local_user_account_created.yml 
+++ b/detections/application/cisco_asa___new_local_user_account_created.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - New Local User Account Created
 id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -51,10 +51,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 40 
+ score: 20
 - field: user
 type: user 
- score: 40 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/cisco_asa___packet_capture_activity.yml b/detections/application/cisco_asa___packet_capture_activity.yml 
index 43bac1730b..d50cbbd62a 100644 
--- a/detections/application/cisco_asa___packet_capture_activity.yml 
+++ b/detections/application/cisco_asa___packet_capture_activity.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - Packet Capture Activity
 id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -56,10 +56,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 50 
+ score: 20
 - field: user
 type: user 
- score: 50 
+ score: 20
 threat_objects:
 - field: command
 type: process 
diff --git a/detections/application/cisco_asa___reconnaissance_command_activity.yml b/detections/application/cisco_asa___reconnaissance_command_activity.yml 
index fc2bcca467..24b709fcbc 100644 
--- a/detections/application/cisco_asa___reconnaissance_command_activity.yml 
+++ b/detections/application/cisco_asa___reconnaissance_command_activity.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - Reconnaissance Command Activity
 id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -112,10 +112,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 50 
+ score: 20
 - field: user
 type: user 
- score: 40 
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address 
diff --git a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml 
index 70c421338c..d7848ab959 100644 
--- a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml 
+++ b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Deleted From Local Database
 id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -51,10 +51,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 40 
+ score: 20
 - field: user
 type: user 
- score: 40 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml 
index aff22a11c3..efef8a20c1 100644 
--- a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml 
+++ b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Lockout Threshold Exceeded
 id: 3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -51,10 +51,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 40 
+ score: 20
 - field: user
 type: user 
- score: 30 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/cisco_asa___user_privilege_level_change.yml b/detections/application/cisco_asa___user_privilege_level_change.yml 
index 6b096e4b9e..24b2d185f6 100644 
--- a/detections/application/cisco_asa___user_privilege_level_change.yml 
+++ b/detections/application/cisco_asa___user_privilege_level_change.yml 
@@ -1,7 +1,7 @@
 name: Cisco ASA - User Privilege Level Change
 id: 5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly 
@@ -51,10 +51,10 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 40 
+ score: 20
 - field: user
 type: user 
- score: 40 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml 
index 7b726706be..d936d31375 100644 
--- a/detections/application/email_attachments_with_lots_of_spaces.yml 
+++ b/detections/application/email_attachments_with_lots_of_spaces.yml 
@@ -1,7 +1,7 @@
 name: Email Attachments With Lots Of Spaces
 id: 56e877a6-1455-4479-ada6-0550dc1e22f8 
-version: 8 
-date: '2026-02-25' 
+version: 9 
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly 
@@ -26,7 +26,7 @@ rba:
 risk_objects:
 - field: src_user
 type: user 
- score: 25 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml 
index 414cb45b72..83d4b4055c 100644 
--- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml 
+++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml 
@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378 
-version: 8 
-date: '2026-02-25' 
+version: 9 
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly 
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system 
- score: 25 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/esxi_account_modified.yml b/detections/application/esxi_account_modified.yml 
index dc0b2d15a4..383c84dae0 100644 
--- a/detections/application/esxi_account_modified.yml 
+++ b/detections/application/esxi_account_modified.yml 
@@ -1,7 +1,7 @@
 name: ESXi Account Modified
 id: b5e3b024-a7bb-4019-8975-46cf54485e78 
-version: 1 
-date: '2025-07-01' 
+version: 2 
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system 
- score: 60 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/esxi_download_errors.yml b/detections/application/esxi_download_errors.yml 
index e38246faa3..2bca13f41d 100644 
--- a/detections/application/esxi_download_errors.yml 
+++ b/detections/application/esxi_download_errors.yml 
@@ -1,7 +1,7 @@
 name: ESXi Download Errors
 id: 515cccd0-c4d8-4427-92d9-8a8f8b5a71dc 
-version: 1 
-date: '2025-05-12' 
+version: 2 
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly 
@@ -25,7 +25,7 @@ rba:
 risk_objects:
 - field: dest
 type: system 
- score: 30 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/esxi_external_root_login_activity.yml b/detections/application/esxi_external_root_login_activity.yml 
index 2dbc9d3bb0..663392c7e7 100644 
--- a/detections/application/esxi_external_root_login_activity.yml 
+++ b/detections/application/esxi_external_root_login_activity.yml 
@@ -1,7 +1,7 @@
 name: ESXi External Root Login Activity
 id: 218bf991-6c63-4c26-a682-6ac1a53ad8f8 
-version: 1 
-date: '2025-05-13' 
+version: 2 
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly 
@@ -25,10 +25,10 @@ rba:
 risk_objects:
 - field: dest
 type: system 
- score: 45 
+ score: 20
 - field: SrcIpAddr
 type: system 
- score: 45 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/esxi_shared_or_stolen_root_account.yml b/detections/application/esxi_shared_or_stolen_root_account.yml 
index ba15a69164..df3b1d0967 100644 
--- a/detections/application/esxi_shared_or_stolen_root_account.yml 
+++ b/detections/application/esxi_shared_or_stolen_root_account.yml 
@@ -1,7 +1,7 @@
 name: ESXi Shared or Stolen Root Account
 id: 1bc8f235-5d7c-457c-95ca-5e92edcb52ea 
-version: 1 
-date: '2025-05-09' 
+version: 2 
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system 
- score: 50 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/esxi_ssh_brute_force.yml b/detections/application/esxi_ssh_brute_force.yml 
index 7d5e4f4bf2..4d1249fc82 100644 
--- a/detections/application/esxi_ssh_brute_force.yml 
+++ b/detections/application/esxi_ssh_brute_force.yml 
@@ -1,7 +1,7 @@
 name: ESXi SSH Brute Force
 id: 68fe4efa-bbbb-44ee-9f09-d07d2f0f346b 
-version: 2 
-date: '2025-10-14' 
+version: 3 
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly 
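Review bot: `SrcIpAddr` is still a risk object of `type: system` after the re-score in the `@@ -25,10 +25,10 @@` hunk of esxi_external_root_login_activity.yml, so every remote address that logs in as root on the hypervisor becomes a risk-scored "system" entity in its own right, whereas the other rules in this diff that carry a remote address (Cisco ASA reconnaissance, the Okta rules) keep it under `threat_objects` with `type: ip_address`. Unless those addresses are known internal hosts, moving the entry to `threat_objects:` as `- field: SrcIpAddr` / `type: ip_address` keeps risk attribution on `dest` and stops arbitrary external IPs from accumulating score and cluttering the risk index. The field name is also not CIM-normalized (`src`) like its siblings — presumably it is the raw ESXi field — so it is worth confirming the search really emits `SrcIpAddr`, otherwise the risk object is silently empty. The `rba:` block starts before this hunk.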
@@ -25,7 +25,7 @@ rba:
 risk_objects:
 - field: dest
 type: system 
- score: 25 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/m365_copilot_agentic_jailbreak_attack.yml b/detections/application/m365_copilot_agentic_jailbreak_attack.yml 
index 80aec7631b..a520aeb546 100644 
--- a/detections/application/m365_copilot_agentic_jailbreak_attack.yml 
+++ b/detections/application/m365_copilot_agentic_jailbreak_attack.yml 
@@ -1,7 +1,7 @@
 name: M365 Copilot Agentic Jailbreak Attack
 id: e5c7b380-19da-42e9-9e53-0af4cd27aee3 
-version: 1 
-date: '2025-09-25' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 50 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/m365_copilot_application_usage_pattern_anomalies.yml b/detections/application/m365_copilot_application_usage_pattern_anomalies.yml 
index adecc2785e..ae6126ca27 100644 
--- a/detections/application/m365_copilot_application_usage_pattern_anomalies.yml 
+++ b/detections/application/m365_copilot_application_usage_pattern_anomalies.yml 
@@ -1,7 +1,7 @@
 name: M365 Copilot Application Usage Pattern Anomalies
 id: e3308b0c-d1a1-40d5-9486-4500f0d34731 
-version: 1 
-date: '2025-09-24' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: production
 type: Anomaly 
@@ -50,7 +50,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/m365_copilot_failed_authentication_patterns.yml b/detections/application/m365_copilot_failed_authentication_patterns.yml 
index 31ecbea703..d9d0f64981 100644 
--- a/detections/application/m365_copilot_failed_authentication_patterns.yml 
+++ b/detections/application/m365_copilot_failed_authentication_patterns.yml 
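Review bot: A detected Copilot agentic-jailbreak attempt and a deviation in a user's Copilot usage pattern now add the same 20 points to that user's risk, because the `@@ -38,7 +38,7 @@` hunk cuts the jailbreak rule from 50 to 20 while the next file in this diff raises `M365 Copilot Application Usage Pattern Anomalies` from 10 to 20. If a flat score per `type: Anomaly` is the intent, the severity ordering has to be carried somewhere else — the jailbreak rule is the natural candidate for `type: TTP` once it leaves `status: experimental`; otherwise keep a tiered value here, e.g. `score: 40`. Either way the file records no rationale for the change beyond `version: 2`, so one sentence in the description (or a `# RBA:` comment above `rba:`) explaining the re-scoring would save the next maintainer from reverting it.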
@@ -1,7 +1,7 @@
 name: M365 Copilot Failed Authentication Patterns
 id: 0ae94cdd-021a-4a62-a96d-9cec90b61530 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Rod Soto
 status: production
 type: Anomaly 
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 30 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/m365_copilot_jailbreak_attempts.yml b/detections/application/m365_copilot_jailbreak_attempts.yml 
index 12d9aeb279..d410673927 100644 
--- a/detections/application/m365_copilot_jailbreak_attempts.yml 
+++ b/detections/application/m365_copilot_jailbreak_attempts.yml 
@@ -1,7 +1,7 @@
 name: M365 Copilot Jailbreak Attempts
 id: b05a4f25-e07d-436f-ab03-f954afa922c0 
-version: 2 
-date: '2026-01-13' 
+version: 3 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -47,7 +47,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml b/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml 
index f3a30b4bda..5a627403f7 100644 
--- a/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml 
+++ b/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml 
@@ -1,7 +1,7 @@
 name: M365 Copilot Non Compliant Devices Accessing M365 Copilot
 id: e26bc52d-9cbc-4743-9745-e8781d935042 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Rod Soto
 status: production
 type: Anomaly 
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 50 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/m365_copilot_session_origin_anomalies.yml b/detections/application/m365_copilot_session_origin_anomalies.yml 
index cd3445730a..161bca3fda 100644 
--- a/detections/application/m365_copilot_session_origin_anomalies.yml 
+++ b/detections/application/m365_copilot_session_origin_anomalies.yml 
@@ -1,7 +1,7 @@
 name: M365 Copilot Session Origin Anomalies
 id: 0caf1c1c-0fba-401e-8ec7-f07cfdeee75b 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Rod Soto
 status: production
 type: Anomaly 
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml 
index a73f405327..2faee40561 100644 
--- a/detections/application/okta_idp_lifecycle_modifications.yml 
+++ b/detections/application/okta_idp_lifecycle_modifications.yml 
@@ -1,7 +1,7 @@
 name: Okta IDP Lifecycle Modifications
 id: e0be2c83-5526-4219-a14f-c3db2e763d15 
-version: 6 
-date: '2026-02-25' 
+version: 7 
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta 
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 81 
+ score: 20
 threat_objects:
 - field: src
 type: ip_address 
diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml 
index 498d01c3e5..74ace80660 100644 
--- a/detections/application/okta_multiple_accounts_locked_out.yml 
+++ b/detections/application/okta_multiple_accounts_locked_out.yml 
@@ -1,7 +1,7 @@
 name: Okta Multiple Accounts Locked Out
 id: a511426e-184f-4de6-8711-cfd2af29d1e1 
-version: 7 
-date: '2026-02-25' 
+version: 8 
+date: '2026-02-26'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta 
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 49 
+ score: 20
 threat_objects:
 - field: src
 type: ip_address 
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml 
index 63625273ce..b50d4af640 100644 
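Review bot: A fourfold cut from 81 to 20 on the `user` risk object in okta_idp_lifecycle_modifications.yml (`@@ -36,7 +36,7 @@`) materially changes the detection posture for identity-provider lifecycle changes — presumably IdP create/activate/deactivate events, which are rare, administrative and high-impact — and the same 81→20 is applied to `Okta Unauthorized Access to Application` and `Okta User Logins from Multiple Cities` later in the diff. At 81 one such event sat within a single low-grade anomaly of the commonly used 100-point notable threshold; at 20 it needs four unrelated 20-point events on the same user inside the risk window before anyone looks at it. If this is a blanket normalization of `type: Anomaly` scores rather than a per-rule reassessment, say so in the commit and consider promoting the rules that were scored as near-certain (81) to `type: TTP`; if it is per-rule, the rationale belongs in the file's `description`. The `src` threat object below the changed line is unchanged and the `rba:` block begins before the hunk.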
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml 
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml 
@@ -1,7 +1,7 @@
 name: Okta Multiple Failed MFA Requests For User
 id: 826dbaae-a1e6-4c8c-b384-d16898956e73 
-version: 9 
-date: '2026-02-25' 
+version: 10 
+date: '2026-02-26'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta 
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: src_user
 type: user 
- score: 42 
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address 
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml 
index 8971fe907f..8898898c1e 100644 
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml 
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml 
@@ -1,7 +1,7 @@
 name: Okta Multiple Users Failing To Authenticate From Ip
 id: de365ffa-42f5-46b5-b43f-fa72290b8218 
-version: 8 
-date: '2026-02-25' 
+version: 9 
+date: '2026-02-26'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta 
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 54 
+ score: 20
 threat_objects:
 - field: src
 type: ip_address 
diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml 
index 59b7a232f7..7aa9fc99d0 100644 
--- a/detections/application/okta_successful_single_factor_authentication.yml 
+++ b/detections/application/okta_successful_single_factor_authentication.yml 
@@ -1,7 +1,7 @@
 name: Okta Successful Single Factor Authentication
 id: 98f6ad4f-4325-4096-9d69-45dc8e638e82 
-version: 8 
-date: '2026-02-25' 
+version: 9 
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta 
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 48 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml 
index 55c886f2e6..c7f3be4c4d 100644 
--- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml 
+++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml 
@@ -1,7 +1,7 @@
 name: Okta Suspicious Use of a Session Cookie
 id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e 
-version: 9 
-date: '2026-02-25' 
+version: 10 
+date: '2026-02-26'
 author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk
 type: Anomaly
 status: production 
@@ -32,7 +32,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 56 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml 
index fcbf2d3ad5..3647f3d4e2 100644 
--- a/detections/application/okta_threatinsight_threat_detected.yml 
+++ b/detections/application/okta_threatinsight_threat_detected.yml 
@@ -1,7 +1,7 @@
 name: Okta ThreatInsight Threat Detected
 id: 140504ae-5fe2-4d65-b2bc-a211813fbca6 
-version: 9 
-date: '2026-02-25' 
+version: 10 
+date: '2026-02-26'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Anomaly 
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: app
 type: system 
- score: 25 
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address 
diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml 
index 127d8ec769..1535a281db 100644 
--- a/detections/application/okta_unauthorized_access_to_application.yml 
+++ b/detections/application/okta_unauthorized_access_to_application.yml 
@@ -1,7 +1,7 @@
 name: Okta Unauthorized Access to Application
 id: 5f661629-9750-4cb9-897c-1f05d6db8727 
-version: 7 
-date: '2026-02-25' 
+version: 8 
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta 
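Review bot: With the per-event score now 20 instead of 56 in okta_suspicious_use_of_a_session_cookie.yml (`@@ -32,7 +32,7 @@`), this rule depends on correlation with other risk events to ever reach a notable, yet its `threat_objects: []` (visible in the hunk) means the risk event carries no attacker indicator to correlate or pivot on — a suspicious session-cookie reuse inherently involves an anomalous source address or user agent. If the search exposes the offending address, adding `- field: src` / `type: ip_address` under `threat_objects:` (as the Okta ThreatInsight rule in the next hunk does with `src_ip`) gives the lower score something to aggregate against; if it only exposes a user agent, a threat object on that field serves the same purpose. The `rba:` block starts before the hunk and `analytic_story` continues past it.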
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 81 
+ score: 20
 threat_objects:
 - field: src
 type: ip_address 
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml 
index 7e3f508b05..c94046209b 100644 
--- a/detections/application/okta_user_logins_from_multiple_cities.yml 
+++ b/detections/application/okta_user_logins_from_multiple_cities.yml 
@@ -1,7 +1,7 @@
 name: Okta User Logins from Multiple Cities
 id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8 
-version: 6 
-date: '2026-02-25' 
+version: 7 
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta 
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 81 
+ score: 20
 threat_objects:
 - field: src
 type: ip_address 
diff --git a/detections/application/ollama_abnormal_network_connectivity.yml b/detections/application/ollama_abnormal_network_connectivity.yml 
index b54935ba1e..c1bbb67ade 100644 
--- a/detections/application/ollama_abnormal_network_connectivity.yml 
+++ b/detections/application/ollama_abnormal_network_connectivity.yml 
@@ -1,7 +1,7 @@
 name: Ollama Abnormal Network Connectivity
 id: 19ec30ad-faa2-496a-a6a9-f2e5f778fbdb 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -39,11 +39,11 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 10 
+ score: 20
 threat_objects:
 - field: src
 type: system 
- score: 10 
+ score: 20
 tags:
 analytic_story:
 - Suspicious Ollama Activities 
diff --git a/detections/application/ollama_abnormal_service_crash_availability_attack.yml b/detections/application/ollama_abnormal_service_crash_availability_attack.yml 
index ceeed48bdb..617038208c 100644 
--- a/detections/application/ollama_abnormal_service_crash_availability_attack.yml 
+++ b/detections/application/ollama_abnormal_service_crash_availability_attack.yml 
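Review bot: The second `score: 20` in the `@@ -39,11 +39,11 @@` hunk of ollama_abnormal_network_connectivity.yml sits under `threat_objects`, not `risk_objects`, and the commit re-scores it instead of removing it; every other threat object in this diff carries only `field` and `type` (e.g. `- field: src_ip` / `type: ip_address`), and scoring is a property of risk objects, so the key is at best silently ignored by the content validator and at worst rejected. The same threat object's `type: system` also looks misplaced — `system` is the risk-object type used throughout this diff, while threat objects here use `ip_address`/`process`. Concretely: delete the `score: 20` line from the `src` entry and, if `src` is an address, change its type to `type: ip_address`; the `host` risk object's move from 10 to 20 is consistent with the rest of the change and can stay.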
@@ -1,7 +1,7 @@
 name: Ollama Abnormal Service Crash Availability Attack
 id: 327fa152-9b56-4e4e-bc0b-2795d4068afa 
-version: 1 
-date: '2025-10-05' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/ollama_excessive_api_requests.yml b/detections/application/ollama_excessive_api_requests.yml 
index 0dac7e8c2b..c6b53f3d07 100644 
--- a/detections/application/ollama_excessive_api_requests.yml 
+++ b/detections/application/ollama_excessive_api_requests.yml 
@@ -1,7 +1,7 @@
 name: Ollama Excessive API Requests
 id: 1cfab663-9adc-4169-a88c-6bae29ba3c70 
-version: 1 
-date: '2025-10-05' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: src
 type: system 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml b/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml 
index 7ff9c517e7..60ec3bb210 100644 
--- a/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml 
+++ b/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml 
@@ -1,7 +1,7 @@
 name: Ollama Possible API Endpoint Scan Reconnaissance
 id: ad3f352a-0347-48ee-86b9-670b5025a548 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: src
 type: system 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml b/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml 
index 0007462305..8a18b04f6b 100644 
--- a/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml 
+++ b/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml 
@@ -1,7 +1,7 @@
 name: Ollama Possible Memory Exhaustion Resource Abuse
 id: ca96297f-e82e-4749-8cc9-d1ab555abb57 
-version: 1 
-date: '2025-10-05' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/ollama_possible_model_exfiltration_data_leakage.yml b/detections/application/ollama_possible_model_exfiltration_data_leakage.yml 
index c31e9e72cf..e264067417 100644 
--- a/detections/application/ollama_possible_model_exfiltration_data_leakage.yml 
+++ b/detections/application/ollama_possible_model_exfiltration_data_leakage.yml 
@@ -1,7 +1,7 @@
 name: Ollama Possible Model Exfiltration Data Leakage
 id: c9fd1a54-0eab-4470-8970-d5fcc3c740fb 
-version: 1 
-date: '2025-10-05' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: src
 type: system 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/ollama_possible_rce_via_model_loading.yml b/detections/application/ollama_possible_rce_via_model_loading.yml 
index c2284b3336..70d918e1d2 100644 
--- a/detections/application/ollama_possible_rce_via_model_loading.yml 
+++ b/detections/application/ollama_possible_rce_via_model_loading.yml 
@@ -1,7 +1,7 @@
 name: Ollama Possible RCE via Model Loading
 id: 3f28c930-5208-425d-a7b9-53d349756d91 
-version: 1 
-date: '2025-10-05' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: host
 type: system 
- score: 10 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml b/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml 
index 2ceecbe84c..5af1ca323f 100644 
--- a/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml 
+++ b/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml 
@@ -1,7 +1,7 @@
 name: Ollama Suspicious Prompt Injection Jailbreak
 id: aac5df6f-9151-4da6-bdb2-5691aa6e376f 
-version: 1 
-date: '2025-10-05' 
+version: 2 
+date: '2026-02-26'
 author: Rod Soto
 status: experimental
 type: Anomaly 
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: src
 type: system 
- score: 70 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/splunk_appdynamics_secure_application_alerts.yml b/detections/application/splunk_appdynamics_secure_application_alerts.yml 
index 3f229a04d6..2c131b22ec 100644 
--- a/detections/application/splunk_appdynamics_secure_application_alerts.yml 
+++ b/detections/application/splunk_appdynamics_secure_application_alerts.yml 
@@ -1,7 +1,7 @@
 name: Splunk AppDynamics Secure Application Alerts
 id: d1a45d84-8dd1-4b31-8854-62b0b1d5da0b 
-version: 2 
-date: '2026-02-25' 
+version: 3 
+date: '2026-02-26'
 author: Ryan Long, Bhavin Patel, Splunk
 status: production
 type: Anomaly 
@@ -61,7 +61,7 @@ rba:
 risk_objects:
 - field: app_name
 type: other 
- score: 10 
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address 
diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml 
index 5697a389fd..4c5fc67e93 100644 
--- a/detections/application/suspicious_email_attachment_extensions.yml 
+++ b/detections/application/suspicious_email_attachment_extensions.yml 
@@ -1,7 +1,7 @@
 name: Suspicious Email Attachment Extensions
 id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084 
-version: 10 
-date: '2026-01-14' 
+version: 11 
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly 
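Review bot: A matched prompt-injection/jailbreak pattern and a plain request-rate anomaly now contribute identically to an entity's risk, because `src` in the `@@ -28,7 +28,7 @@` hunk of ollama_suspicious_prompt_injection_jailbreak.yml goes from 70 to 20 while `Ollama Excessive API Requests`, `Ollama Possible API Endpoint Scan Reconnaissance` and the other Ollama volume/availability rules in the preceding hunks go from 10 to 20, erasing the author's original 7:1 severity ordering. If the repository is moving to a flat score for `type: Anomaly`, the higher-confidence rule is the one that should be promoted to `type: TTP` (once it leaves `status: experimental`) rather than demoted; otherwise a tiered value such as `score: 40` keeps the ordering. A one-line note in the description explaining the re-scoring would help either way, since `version: 2` alone records no rationale. It is also worth confirming that `src` (`type: system`) is the intended risk entity here — the client submitting the prompt is the actor, while the Ollama host is the asset placed at risk.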
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user 
- score: 25 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml 
index eb72ec40fa..adfabab27b 100644 
--- a/detections/application/suspicious_java_classes.yml 
+++ b/detections/application/suspicious_java_classes.yml 
@@ -1,7 +1,7 @@
 name: Suspicious Java Classes
 id: 6ed33786-5e87-4f55-b62c-cb5f1168b831 
-version: 6 
-date: '2026-02-25' 
+version: 7 
+date: '2026-02-26'
 author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly 
@@ -25,10 +25,10 @@ rba:
 risk_objects:
 - field: src
 type: system 
- score: 25 
+ score: 20
 - field: dest
 type: system 
- score: 25 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/application/zoom_high_video_latency.yml b/detections/application/zoom_high_video_latency.yml 
index 7ab5d4574a..81ea239b0d 100644 
--- a/detections/application/zoom_high_video_latency.yml 
+++ b/detections/application/zoom_high_video_latency.yml 
@@ -1,7 +1,7 @@
 name: Zoom High Video Latency
 id: 6ad6b548-adfa-452c-aa77-9ff94877e832 
-version: 1 
-date: '2025-06-02' 
+version: 2 
+date: '2026-02-26'
 author: Marissa Bower, Raven Tait
 status: experimental
 type: Anomaly 
@@ -24,7 +24,7 @@ rba:
 risk_objects:
 - field: email
 type: user 
- score: 39 
+ score: 20
 threat_objects: []
 tags:
 analytic_story: 
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml 
index fd172d6310..63455198bc 100644 
--- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml 
+++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml 
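Review bot: A user whose Zoom video latency is high now accrues 20 risk points (`email`, type `user`, in the `@@ -24,7 +24,7 @@` hunk of zoom_high_video_latency.yml) — the same as a failed-MFA burst, suspicious Okta session-cookie use or a Copilot jailbreak elsewhere in this diff — even though latency is a quality-of-service signal with no adversarial interpretation on its own. If the rule is meant for operational dashboards it arguably should not feed RBA at all; if it is retained as an RBA input, a noticeably lower score, or a `known_false_positives`/description note stating that it is only a weak corroborating signal, would stop ordinary network conditions from pushing users toward the notable threshold. It is still `status: experimental`, which limits exposure today, but this score is what ships if the rule is promoted.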
@@ -1,7 +1,7 @@
name: Abnormally High Number Of Cloud Infrastructure API Calls
id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -44,7 +44,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 15
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index caae424eb0..5eaf8bcb0c 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -1,7 +1,7 @@
name: Abnormally High Number Of Cloud Instances Destroyed
id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index aba1107d79..4269d5b47f 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -1,7 +1,7 @@
name: Abnormally High Number Of Cloud Instances Launched
id: f2361e9f-3928-496c-a556-120cd4223a65
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
index f868ae7a5e..fc28ab439e 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
@@ -1,7 +1,7 @@
name: Abnormally High Number Of Cloud Security Group API Calls
id: d4dfb7f3-7a37-498a-b5df-f19334e871af
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -46,7 +46,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 15
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index f4b304c9ad..5514b5fbcf 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
name: ASL AWS Concurrent Sessions From Different Ips
id: b3424bbe-3204-4469-887b-ec144483a336
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 42
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
index 8e26820a6e..6f8c232a82 100644
--- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
@@ -1,7 +1,7 @@
name: ASL AWS Credential Access GetPasswordData
id: a79b607a-50cc-4704-bb9d-eff280cb78c2
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index e7f98c456a..a729a09c53 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -1,7 +1,7 @@
name: ASL AWS Disable Bucket Versioning
id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 64
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index 15b9c91d01..d5a8cf7b52 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -1,7 +1,7 @@
name: ASL AWS ECR Container Upload Outside Business Hours
id: 739ed682-27e9-4ba0-80e5-a91b97698213
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index b2017da9a1..bfa2fe628d 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
@@ -1,7 +1,7 @@
name: ASL AWS ECR Container Upload Unknown User
id: 886a8f46-d7e2-4439-b9ba-aec238e31732
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index ec3493ed45..6af28cdebe 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM AccessDenied Discovery Events
id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -36,7 +36,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 10
+ score: 20
threat_objects:
- field: src_ip
type: ip_address
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index 1baa35ee6f..c889561557 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM Failure Group Deletion
id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 5
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index a3082af310..f7b62149a6 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
name: ASL AWS Network Access Control List Deleted
id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 5
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml
index eb59efadf0..d6c6cbf4c8 100644
--- a/detections/cloud/aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/aws_credential_access_getpassworddata.yml
@@ -1,7 +1,7 @@
name: AWS Credential Access GetPasswordData
id: 4d347c4a-306e-41db-8d10-b46baf71b3e2
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 98b6922b48..3a8ccaa9d4 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -1,7 +1,7 @@
name: AWS Detect Users with KMS keys performing encryption S3
id: 884a5f59-eec7-4f4a-948b-dbde18225fdc
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Rod Soto, Patrick Bareiss Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 15
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml
index d41d2eb602..af08760360 100644
--- a/detections/cloud/aws_disable_bucket_versioning.yml
+++ b/detections/cloud/aws_disable_bucket_versioning.yml
@@ -1,7 +1,7 @@
name: AWS Disable Bucket Versioning
id: 657902a9-987d-4879-a1b2-e7a65512824b
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 64
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
index be2fc4e595..486c50ee62 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Scanning Findings Low Informational Unknown
id: cbc95e44-7c22-443f-88fd-0424478f5589
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Patrick Bareiss, Eric McGinnis Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 5
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
index 7a7b49f217..eee1846a69 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Scanning Findings Medium
id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 21
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
index 91094bcee4..6eb83c1549 100644
--- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Upload Outside Business Hours
id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
index b430208235..9d340ebb22 100644
--- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Upload Unknown User
id: 300688e4-365c-4486-a065-7c884462b31d
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
index e358884d0a..6054d798f2 100644
--- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
+++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
@@ -1,7 +1,7 @@
name: AWS Exfiltration via Anomalous GetObject API Activity
id: e4384bbf-5835-4831-8d85-694de6ad2cc6
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 64
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
index 62f82a56f7..c50355b6d9 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
name: AWS High Number Of Failed Authentications For User
id: e3236f49-daf3-4b70-b808-9290912ac64d
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 35
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
index ba8ec65f5d..b8bca2a590 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: AWS High Number Of Failed Authentications From Ip
id: f75b7f1a-b8eb-4975-a214-ff3e0a944757
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 54
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 0ff6f915b4..43f0068294 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -1,7 +1,7 @@
name: AWS IAM AccessDenied Discovery Events
id: 3e1f1568-9633-11eb-a69c-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 10
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index 9c995ad536..c21c615a54 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
name: AWS IAM Failure Group Deletion
id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 5
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index 8b1838c0cc..b9a0e6383c 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: AWS Multiple Failed MFA Requests For User
id: 1fece617-e614-4329-9e61-3ba228c0f353
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Bhavin Patel
status: production
type: Anomaly
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 64
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
index 0b9531193f..0bb741ca9a 100644
--- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: AWS Multiple Users Failing To Authenticate From Ip
id: 71e1fb89-dd5f-4691-8523-575420de4630
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Bhavin Patel
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 54
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml
index 2283370099..f8667dbc6e 100644
--- a/detections/cloud/aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
name: AWS Network Access Control List Deleted
id: ada0f478-84a8-4641-a3f1-d82362d6fd75
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Bhavin Patel, Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -36,7 +36,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 5
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 1f67a46b18..135e7b5ac3 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -1,7 +1,7 @@
name: AWS Successful Console Authentication From Multiple IPs
id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 72
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index 97d64e705d..fffe7595e3 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: AWS Unusual Number of Failed Authentications From Ip
id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: tried_accounts
type: user
- score: 54
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
index 5f9b8e168e..14560c7f4f 100644
--- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple AppIDs and UserAgents Authentication Spike
id: 5d8bb1f0-f65a-4b4e-af2e-fcdb88276314
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 48
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
index 3d2c58fabb..89d1defefa 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Service Principals Created by SP
id: 66cb378f-234d-4fe1-bb4c-e7878ff6b017
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Add service principal
@@ -43,7 +43,7 @@ rba:
risk_objects:
- field: src_user
type: user
- score: 42
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
index 372e52ba3a..5ec9410323 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Service Principals Created by User
id: 32880707-f512-414e-bd7f-204c0c85b758
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Add service principal
@@ -41,7 +41,7 @@ rba:
risk_objects:
- field: src_user
type: user
- score: 42
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index 9b42945d32..28d6d0835c 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Users Failing To Authenticate From Ip
id: 94481a6a-8f59-4c86-957f-55a71e3612a6
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -41,7 +41,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 63
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index afbcf57750..3b71140749 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: Azure AD Unusual Number of Failed Authentications From Ip
id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: userPrincipalName
type: user
- score: 54
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml
index 23f44b1ca4..12c86f301b 100644
--- a/detections/cloud/circle_ci_disable_security_job.yml
+++ b/detections/cloud/circle_ci_disable_security_job.yml
@@ -1,7 +1,7 @@
name: Circle CI Disable Security Job
id: 4a2fdd41-c578-4cd4-9ef7-980e352517f2
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 72
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml
index 11e02fdc69..a52c8d593b 100644
--- a/detections/cloud/circle_ci_disable_security_step.yml
+++ b/detections/cloud/circle_ci_disable_security_step.yml
@@ -1,7 +1,7 @@
name: Circle CI Disable Security Step
id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Patrick Bareiss, Splunk
status: experimental
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 72
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
index 05f2cdde5d..8c837edc73 100644
--- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
+++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -1,7 +1,7 @@
name: Cloud API Calls From Previously Unseen User Roles
id: 2181ad1f-1e73-4d0c-9780-e8880482a08f
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -41,7 +41,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 36
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
index b561d65836..7e4eb7ff55 100644
--- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created By Previously Unseen User
id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -38,10 +38,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 18
+ score: 20
- field: user
type: user
- score: 18
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
index e23af4db82..e2448a41e8 100644
--- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
+++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created In Previously Unused Region
id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -38,10 +38,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 42
+ score: 20
- field: user
type: user
- score: 42
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
index fe3eae1085..8826e68abc 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created With Previously Unseen Image
id: bc24922d-987c-4645-b288-f8c73ec194c4
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -40,10 +40,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 36
+ score: 20
- field: user
type: user
- score: 36
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
index 07fae74d1f..4dd2a72637 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created With Previously Unseen Instance Type
 id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -40,10 +40,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 - field: user
 type: user
- score: 30
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
index 001d912bd2..51b8bd9fe5 100644
--- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
 name: Cloud Instance Modified By Previously Unseen User
 id: 7fb15084-b14e-405a-bd61-a6de15a40722
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Rico Valdez, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 42
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
index b478bcd173..294dcdebd2 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen City
 id: e7ecc5e0-88df-48b9-91af-51104c68f02f
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Rico Valdez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -46,10 +46,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 18
+ score: 20
 - field: object
 type: system
- score: 18
+ score: 20
 threat_objects:
 - field: src
 type: ip_address
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
index 895f2436f2..e3873079d3 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen Country
 id: 94994255-3acf-4213-9b3f-0494df03bb31
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Rico Valdez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -46,10 +46,10 @@ rba:
 risk_objects:
 - field: object
 type: system
- score: 42
+ score: 20
 - field: user
 type: user
- score: 42
+ score: 20
 threat_objects:
 - field: src
 type: ip_address
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
index c8e3d951e9..f89a876222 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen IP Address
 id: f86a8ec9-b042-45eb-92f4-e9ed1d781078
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Rico Valdez, Splunk
 status: production
 type: Anomaly
@@ -43,10 +43,10 @@ rba:
 risk_objects:
 - field: object_id
 type: system
- score: 42
+ score: 20
 - field: user
 type: user
- score: 42
+ score: 20
 threat_objects:
 - field: src
 type: ip_address
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
index 6ecf566936..ab51ca3ca2 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen Region
 id: 5aba1860-9617-4af9-b19d-aecac16fe4f2
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Rico Valdez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -46,10 +46,10 @@ rba:
 risk_objects:
 - field: object
 type: system
- score: 42
+ score: 20
 - field: user
 type: user
- score: 42
+ score: 20
 threat_objects:
 - field: src
 type: ip_address
diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml
index a5dfc1495f..78a5ffce29 100644
--- a/detections/cloud/cloud_security_groups_modifications_by_user.yml
+++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml
@@ -1,7 +1,7 @@
 name: Cloud Security Groups Modifications by User
 id: cfe7cca7-2746-4bdf-b712-b01ed819b9de
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 data_source:
 - AWS CloudTrail
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 35
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
index 33c9ebb500..ef5e105408 100644
--- a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
@@ -1,7 +1,7 @@
 name: Detect GCP Storage access from a new IP
 id: ccc3246a-daa1-11ea-87d0-0242ac130022
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Shannon Davis, Splunk
 status: experimental
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: bucket_name
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: remote_ip
 type: ip_address
diff --git a/detections/cloud/detect_s3_access_from_a_new_ip.yml b/detections/cloud/detect_s3_access_from_a_new_ip.yml
index f185ad8e2a..1ce60fe8c0 100644
--- a/detections/cloud/detect_s3_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_s3_access_from_a_new_ip.yml
@@ -1,7 +1,7 @@
 name: Detect S3 access from a new IP
 id: e6f1bb1b-f441-492b-9126-902acda217da
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -32,7 +32,7 @@ rba:
 risk_objects:
 - field: bucketName
 type: other
- score: 25
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
index e79c530161..fec051ab25 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in AWS Security Hub Alerts for EC2 Instance
 id: 2a9b80d3-6340-4345-b5ad-290bf5d0d222
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
index f3f4e06def..46616187f6 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in AWS Security Hub Alerts for User
 id: 2a9b80d3-6220-4345-b5ad-290bf5d0d222
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
index 04bc76833f..77224cc3fd 100644
--- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
+++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in blocked Outbound Traffic from your AWS
 id: d3fffa37-492f-487b-a35d-c60fcb2acf01
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: src_ip
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
index ebf8ff5d90..d33bd9b33f 100644
--- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
+++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in S3 Bucket deletion
 id: e733a326-59d2-446d-b8db-14a17151aa68
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
index 0db70c671f..95348386f9 100644
--- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: GCP Multiple Users Failing To Authenticate From Ip
 id: da20828e-d6fb-4ee5-afb7-d0ac200923d5
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: tried_accounts
 type: user
- score: 54
+ score: 20
 threat_objects:
 - field: src
 type: ip_address
diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
index 99dc795696..ec812cfb2d 100644
--- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: GCP Unusual Number of Failed Authentications From Ip
 id: bd8097ed-958a-4873-87d9-44f2b4d85705
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: tried_accounts
 type: user
- score: 54
+ score: 20
 threat_objects:
 - field: src
 type: ip_address
diff --git a/detections/cloud/geographic_improbable_location.yml b/detections/cloud/geographic_improbable_location.yml
index 950e8f125e..6667455f87 100644
--- a/detections/cloud/geographic_improbable_location.yml
+++ b/detections/cloud/geographic_improbable_location.yml
@@ -1,7 +1,7 @@
 name: Geographic Improbable Location
 id: 64f91df1-49ec-46aa-81bd-2282d3cea765
-version: 1
-date: '2025-06-03'
+version: 2
+date: '2026-02-26'
 author: Marissa Bower, Raven Tait
 status: experimental
 type: Anomaly
@@ -25,7 +25,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 50
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/github_enterprise_delete_branch_ruleset.yml b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
index 187fb52c4e..099d91e941 100644
--- a/detections/cloud/github_enterprise_delete_branch_ruleset.yml
+++ b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Delete Branch Ruleset
 id: 6169ea23-3719-439f-957a-0ea5174b70e2
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_disable_2fa_requirement.yml b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
index 5f2d1bf3d5..0058637ca6 100644
--- a/detections/cloud/github_enterprise_disable_2fa_requirement.yml
+++ b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable 2FA Requirement
 id: 5a773226-ebd7-480c-a819-fccacfeddcd9
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
index d1ebc9158d..f1f4e52e10 100644
--- a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Audit Log Event Stream
 id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
index 0e8a96a549..41c79c2a77 100644
--- a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
+++ b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Classic Branch Protection Rule
 id: 372176ba-450c-4abd-9b86-419bb44c1b76
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_disable_dependabot.yml b/detections/cloud/github_enterprise_disable_dependabot.yml
index e59491930b..32be3cb2fc 100644
--- a/detections/cloud/github_enterprise_disable_dependabot.yml
+++ b/detections/cloud/github_enterprise_disable_dependabot.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Dependabot
 id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_disable_ip_allow_list.yml b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
index 7279d64efb..6290bc8b77 100644
--- a/detections/cloud/github_enterprise_disable_ip_allow_list.yml
+++ b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable IP Allow List
 id: afed020e-edcd-4913-a675-cebedf81d4fb
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
index 3d62dcd40e..6588d2d41b 100644
--- a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Modify Audit Log Event Stream
 id: 99abf2e1-863c-4ec6-82f8-714391590a4c
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
index 68f27992d3..3b3a444b74 100644
--- a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Pause Audit Log Event Stream
 id: 21083dcb-276d-4ef9-8f7e-2113ca5e8094
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_register_self_hosted_runner.yml b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
index 1b3d655db1..d8fb1be34a 100644
--- a/detections/cloud/github_enterprise_register_self_hosted_runner.yml
+++ b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Register Self Hosted Runner
 id: b27685a2-8826-4123-ab78-2d9d0d419ed0
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_remove_organization.yml b/detections/cloud/github_enterprise_remove_organization.yml
index 66f0460471..7ce9ba8b7c 100644
--- a/detections/cloud/github_enterprise_remove_organization.yml
+++ b/detections/cloud/github_enterprise_remove_organization.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Remove Organization
 id: 94cb89aa-aec1-4585-91b1-affcdacf357e
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_repository_archived.yml b/detections/cloud/github_enterprise_repository_archived.yml
index a40e914409..261a5ab7a3 100644
--- a/detections/cloud/github_enterprise_repository_archived.yml
+++ b/detections/cloud/github_enterprise_repository_archived.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Repository Archived
 id: 8367cb99-bae1-4748-ae3b-0927bb381424
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_enterprise_repository_deleted.yml b/detections/cloud/github_enterprise_repository_deleted.yml
index b835ed5edc..2643903fb7 100644
--- a/detections/cloud/github_enterprise_repository_deleted.yml
+++ b/detections/cloud/github_enterprise_repository_deleted.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Repository Deleted
 id: f709e736-3e6c-492f-b865-bc7696cc24a7
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_organizations_delete_branch_ruleset.yml b/detections/cloud/github_organizations_delete_branch_ruleset.yml
index d4338ea09c..a07f619a81 100644
--- a/detections/cloud/github_organizations_delete_branch_ruleset.yml
+++ b/detections/cloud/github_organizations_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Delete Branch Ruleset
 id: 8e454f64-4bd6-45e6-8a94-1b482593d721
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_organizations_disable_2fa_requirement.yml b/detections/cloud/github_organizations_disable_2fa_requirement.yml
index 326180b51d..4348a62242 100644
--- a/detections/cloud/github_organizations_disable_2fa_requirement.yml
+++ b/detections/cloud/github_organizations_disable_2fa_requirement.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Disable 2FA Requirement
 id: 3ed0d6ba-4791-4fa8-a1ef-403e438c7033
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
index bb423526c1..577344c36d 100644
--- a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
+++ b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Disable Classic Branch Protection Rule
 id: 33cffee0-41ee-402e-a238-d37825f2d788
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_organizations_disable_dependabot.yml b/detections/cloud/github_organizations_disable_dependabot.yml
index 6ba76598d9..34dd88b6a4 100644
--- a/detections/cloud/github_organizations_disable_dependabot.yml
+++ b/detections/cloud/github_organizations_disable_dependabot.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Disable Dependabot
 id: 69078d8c-0de6-45de-bb00-14e78e042fd6
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_organizations_repository_archived.yml b/detections/cloud/github_organizations_repository_archived.yml
index 4b18f0880b..6b96dd77e1 100644
--- a/detections/cloud/github_organizations_repository_archived.yml
+++ b/detections/cloud/github_organizations_repository_archived.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Repository Archived
 id: 4f568a0e-896f-4d94-a2f7-fa6d82ab1f77
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/github_organizations_repository_deleted.yml b/detections/cloud/github_organizations_repository_deleted.yml
index 3dc60eb2ff..af97f9fc11 100644
--- a/detections/cloud/github_organizations_repository_deleted.yml
+++ b/detections/cloud/github_organizations_repository_deleted.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Repository Deleted
 id: 9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: user_agent
 type: http_user_agent
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index 067d23f49a..26bfbac017 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -1,7 +1,7 @@
 name: Gsuite Drive Share In External Email
 id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 9
-date: '2025-10-14'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: experimental
 type: Anomaly
@@ -45,10 +45,10 @@ rba:
 risk_objects:
 - field: dst_email_list
 type: user
- score: 72
+ score: 20
 - field: user
 type: user
- score: 72
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml
index f095b167b6..43efccd195 100644
--- a/detections/cloud/gsuite_email_suspicious_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_attachment.yml
@@ -1,7 +1,7 @@
 name: GSuite Email Suspicious Attachment
 id: 6d663014-fe92-11eb-ab07-acde48001122
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: destination{}.address
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: source.address
 type: email_address
diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
index 04d1589fd3..e449f44bed 100644
--- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
@@ -1,7 +1,7 @@
 name: Gsuite Email Suspicious Subject With Attachment
 id: 8ef3971e-00f2-11ec-b54f-acde48001122
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: destination{}.address
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: source.address
 type: email_address
diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
index 7f50276011..1223873b86 100644
--- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
+++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
@@ -1,7 +1,7 @@
 name: Gsuite Email With Known Abuse Web Service Link
 id: 8630aa22-042b-11ec-af39-acde48001122
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: destination{}.address
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: source.address
 type: email_address
diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml
index 1e132f1457..72f38b4938 100644
--- a/detections/cloud/gsuite_suspicious_shared_file_name.yml
+++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml
@@ -1,7 +1,7 @@
 name: Gsuite Suspicious Shared File Name
 id: 07eed200-03f5-11ec-98fb-acde48001122
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: experimental
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: email
 type: user
- score: 21
+ score: 20
 - field: parameters.owner
 type: user
- score: 21
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
index 30f24897a2..3a676dbc96 100644
--- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
+++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
@@ -1,7 +1,7 @@
 name: High Number of Login Failures from a single source
 id: 7f398cfb-918d-41f4-8db8-2e2474e02222
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
index 9568db5148..f1572f0ed9 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual Location
 id: 40a064c1-4ec1-4381-9e35-61192ba8ef82
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
index 420863ff1a..2e848d709f 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual User Agent
 id: 096ab390-05ca-462c-884e-343acd5b9240
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
index 9a809d9123..d83990f72d 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual User Group
 id: b6f45bbc-4ea9-4068-b3bc-0477f6997ae2
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
index 4b6e5d6735..c1a6fce9c3 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual User Name
 id: df6e9cae-5257-4a34-8f3a-df49fa0f5c46
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml
index beea58030c..2353a1903a 100644
--- a/detections/cloud/kubernetes_access_scanning.yml
+++ b/detections/cloud/kubernetes_access_scanning.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Access Scanning
 id: 2f4abe6d-5991-464d-8216-f90f42999764
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
index 5ac93e38f3..a4b3a2c4bc 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Inbound Network Activity from Process
 id: 10442d8b-0701-4c25-911d-d67b906e713c
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
@@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml index 0d865c3bb9..a84080b626 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml @@ -1,7 +1,7 @@ name: Kubernetes Anomalous Inbound Outbound Network IO id: 4f3b0c97-657e-4547-a89a-9a50c656e3cd -version: 7 -date: '2026-01-14' +version: 8 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml index fe58bd11c1..f5510958d8 100644 --- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml +++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml @@ -1,7 +1,7 @@ name: Kubernetes Anomalous Inbound to Outbound Network IO Ratio id: 9d8f6e3f-39df-46d8-a9d4-96173edc501f -version: 7 -date: '2026-01-14' +version: 8 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml index 6048925b4f..525cbdfd2e 100644 --- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml +++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml 
@@ -1,7 +1,7 @@ name: Kubernetes Anomalous Outbound Network Activity from Process id: dd6afee6-e0a3-4028-a089-f47dd2842c22 -version: 7 -date: '2026-01-14' +version: 8 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml index d72c0b854b..1dcce6b8ad 100644 --- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml +++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml @@ -1,7 +1,7 @@ name: Kubernetes Anomalous Traffic on Network Edge id: 886c7e51-2ea1-425d-8705-faaca5a64cc6 -version: 7 -date: '2026-01-14' +version: 8 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml index 317850317f..edb157175e 100644 --- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml +++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml @@ -1,7 +1,7 @@ name: Kubernetes AWS detect suspicious kubectl calls id: 042a3d32-8318-4763-9679-09db2644a8f2 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Rod Soto, Patrick Bareiss, Splunk status: experimental type: Anomaly @@ -27,7 +27,7 @@ rba: risk_objects: - field: user type: user - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml index b89e110a02..c9ee4de092 100644 
--- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml +++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml @@ -1,7 +1,7 @@ name: Kubernetes Create or Update Privileged Pod id: 3c6bd734-334d-4818-ae7c-5234313fc5da -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml index 0aefd1400e..af1dd3041e 100644 --- a/detections/cloud/kubernetes_cron_job_creation.yml +++ b/detections/cloud/kubernetes_cron_job_creation.yml @@ -1,7 +1,7 @@ name: Kubernetes Cron Job Creation id: 5984dbe8-572f-47d7-9251-3dff6c3f0c0d -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml index b0a275d819..824a342671 100644 --- a/detections/cloud/kubernetes_daemonset_deployed.yml +++ b/detections/cloud/kubernetes_daemonset_deployed.yml @@ -1,7 +1,7 @@ name: Kubernetes DaemonSet Deployed id: bf39c3a3-b191-4d42-8738-9d9797bd0c3a -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml index 0e4ac6f3fa..c95f2dcd32 100644 --- a/detections/cloud/kubernetes_falco_shell_spawned.yml 
+++ b/detections/cloud/kubernetes_falco_shell_spawned.yml @@ -1,7 +1,7 @@ name: Kubernetes Falco Shell Spawned id: d2feef92-d54a-4a19-8306-b47c6ceba5b2 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -31,7 +31,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml index b465a34ac7..64bbc20821 100644 --- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml @@ -1,7 +1,7 @@ name: Kubernetes newly seen TCP edge id: 13f081d6-7052-428a-bbb0-892c79ca7c65 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -26,7 +26,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml index b094693c73..24d8dfacf1 100644 --- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml +++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml @@ -1,7 +1,7 @@ name: Kubernetes newly seen UDP edge id: 49b7daca-4e3c-4899-ba15-9a175e056fa9 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -26,7 +26,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml index c165c41c1e..a7a5058048 100644 --- a/detections/cloud/kubernetes_node_port_creation.yml +++ b/detections/cloud/kubernetes_node_port_creation.yml 
@@ -1,7 +1,7 @@ name: Kubernetes Node Port Creation id: d7fc865e-b8a1-4029-a960-cf4403b821b6 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml index ca5d880e02..8defd40e44 100644 --- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml +++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml @@ -1,7 +1,7 @@ name: Kubernetes Pod Created in Default Namespace id: 3d6b1a81-367b-42d5-a925-6ef90b6b9f1e -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml index 36ce2fb47d..7c5dea5253 100644 --- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml +++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml @@ -1,7 +1,7 @@ name: Kubernetes Pod With Host Network Attachment id: cce357cf-43a4-494a-814b-67cea90fe990 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml index 080ec10c0a..36b4f9cbb3 100644 
--- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml +++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml @@ -1,7 +1,7 @@ name: Kubernetes Previously Unseen Container Image Name id: fea515a4-b1d8-4cd6-80d6-e0d71397b891 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -27,7 +27,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml index 6f0cd4cbf5..68237d4389 100644 --- a/detections/cloud/kubernetes_previously_unseen_process.yml +++ b/detections/cloud/kubernetes_previously_unseen_process.yml @@ -1,7 +1,7 @@ name: Kubernetes Previously Unseen Process id: c8119b2f-d7f7-40be-940a-1c582870e8e2 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -26,7 +26,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml index dd7d32d6db..1ce19baccb 100644 --- a/detections/cloud/kubernetes_process_running_from_new_path.yml +++ b/detections/cloud/kubernetes_process_running_from_new_path.yml @@ -1,7 +1,7 @@ name: Kubernetes Process Running From New Path id: 454076fb-0e9e-4adf-b93a-da132621c5e6 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -26,7 +26,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml index 27815457b9..afa071ca9f 100644 --- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml +++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml @@ -1,7 +1,7 @@ name: Kubernetes Process with Anomalous Resource Utilisation id: 25ca9594-7a0d-4a95-a5e5-3228d7398ec8 -version: 7 -date: '2026-01-14' +version: 8 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml index 62d52cfe2b..5367e334e5 100644 --- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml +++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml @@ -1,7 +1,7 @@ name: Kubernetes Process with Resource Ratio Anomalies id: 0d42b295-0f1f-4183-b75e-377975f47c65 -version: 7 -date: '2026-01-14' +version: 8 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -17,7 +17,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml index f698de0c49..99d8b0b2a8 100644 --- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml +++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml 
@@ -1,7 +1,7 @@ name: Kubernetes Scanning by Unauthenticated IP Address id: f9cadf4e-df22-4f4e-a08f-9d3344c2165d -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -34,7 +34,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml index e7e0a22a2a..61241eb75c 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml @@ -1,7 +1,7 @@ name: Kubernetes Shell Running on Worker Node id: efebf0c4-dcf4-496f-85a2-5ab7ad8fa876 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -24,7 +24,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml index 716229a7c2..6fb985f785 100644 --- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml +++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml @@ -1,7 +1,7 @@ name: Kubernetes Shell Running on Worker Node with CPU Activity id: cc1448e3-cc7a-4518-bc9f-2fa48f61a22b -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Matthew Moore, Splunk status: experimental type: Anomaly @@ -24,7 +24,7 @@ rba: risk_objects: - field: host type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml index df8e399667..98a5862c0e 100644 
--- a/detections/cloud/kubernetes_suspicious_image_pulling.yml +++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml @@ -1,7 +1,7 @@ name: Kubernetes Suspicious Image Pulling id: 4d3a17b3-0a6d-4ae0-9421-46623a69c122 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml index 7572591554..9c15fa769a 100644 --- a/detections/cloud/kubernetes_unauthorized_access.yml +++ b/detections/cloud/kubernetes_unauthorized_access.yml @@ -1,7 +1,7 @@ name: Kubernetes Unauthorized Access id: 9b5f1832-e8b9-453f-93df-07a3d6a72a45 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Patrick Bareiss, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: user type: user - score: 49 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/cloud/o365_dlp_rule_triggered.yml b/detections/cloud/o365_dlp_rule_triggered.yml index 6c8c242e5b..c2ca953f7c 100644 --- a/detections/cloud/o365_dlp_rule_triggered.yml +++ b/detections/cloud/o365_dlp_rule_triggered.yml @@ -1,7 +1,7 @@ name: O365 DLP Rule Triggered id: 63a8a537-36fd-4aac-a3ea-1a96afd2c871 -version: 7 -date: '2025-05-02' +version: 8 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml index 3dc95c8c5c..f7ce2c18b9 100644 --- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml +++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml 
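Review bot: The hunk for o365_dlp_rule_triggered.yml only bumps `version: 7` to `version: 8` and moves `date` from '2025-05-02' to '2026-02-26', with no other change to the file in this diff; the same metadata-only bump appears for o365_email_send_and_hard_delete_suspicious_behavior.yml and o365_email_send_attachments_excessive_volume.yml (line 60), o365_exfiltration_via_file_access.yml (line 62) and o365_threat_intelligence_suspicious_email_delivered.yml (line 64). If these files already carried the target score or have no rba block, the increment is pure churn that every consumer tracking detection versions will see as an update; if a score change was intended and dropped, it is missing. Either revert the metadata-only bumps or state in the commit description why they are needed.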
@@ -1,7 +1,7 @@ name: O365 Email Hard Delete Excessive Volume id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -41,7 +41,7 @@ rba: risk_objects: - field: user type: user - score: 25 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml index e35112962f..4efe4da78b 100644 --- a/detections/cloud/o365_email_new_inbox_rule_created.yml +++ b/detections/cloud/o365_email_new_inbox_rule_created.yml @@ -1,7 +1,7 @@ name: O365 Email New Inbox Rule Created id: 449f525a-7b42-47be-96a7-d9724e336c19 -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -40,7 +40,7 @@ rba: risk_objects: - field: user type: user - score: 10 + score: 20 threat_objects: - field: desc type: signature diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml index e2e5e74010..cb743260fb 100644 --- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml +++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml @@ -1,7 +1,7 @@ name: O365 Email Receive and Hard Delete Takeover Behavior id: b66aeaa4-586f-428b-8a2b-c4fd3039d8d3 -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -54,7 +54,7 @@ rba: risk_objects: - field: user type: user - score: 80 + score: 20 threat_objects: - field: subject type: email_subject diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index ff1aa7311a..5adf4adff9 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml 
+++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml @@ -1,7 +1,7 @@ name: O365 Email Send and Hard Delete Exfiltration Behavior id: dd7798cf-c4f5-4114-ad0f-beacd9a33708 -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -55,10 +55,10 @@ rba: risk_objects: - field: user type: user - score: 40 + score: 20 - field: recipient type: user - score: 40 + score: 20 threat_objects: - field: subject type: email_subject diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml index 51fd362e5e..9d2fcd124a 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml @@ -1,7 +1,7 @@ name: O365 Email Send and Hard Delete Suspicious Behavior id: c97b3d72-0a47-46f9-b742-b89f1cc2d551 -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index 76a82b073f..fffec1df3c 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml @@ -1,7 +1,7 @@ name: O365 Email Send Attachments Excessive Volume id: 70a050a2-8537-488a-a628-b60a9558d96a -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly diff --git a/detections/cloud/o365_email_suspicious_search_behavior.yml b/detections/cloud/o365_email_suspicious_search_behavior.yml index 9cccd974d5..f73cf0cffc 100644 --- a/detections/cloud/o365_email_suspicious_search_behavior.yml +++ b/detections/cloud/o365_email_suspicious_search_behavior.yml 
@@ -1,7 +1,7 @@ name: O365 Email Suspicious Search Behavior id: 3b6e1d36-6916-4eec-a7d5-bc98953ba595 -version: 3 -date: '2026-01-14' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: user type: user - score: 35 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml index 778e53537b..89a233f6cc 100644 --- a/detections/cloud/o365_email_transport_rule_changed.yml +++ b/detections/cloud/o365_email_transport_rule_changed.yml @@ -1,7 +1,7 @@ name: O365 Email Transport Rule Changed id: 11ebb7c2-46bd-41c9-81e1-d0b4b34583a2 -version: 4 -date: '2026-02-25' +version: 5 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -40,7 +40,7 @@ rba: risk_objects: - field: user type: user - score: 25 + score: 20 threat_objects: - field: object_id type: signature diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml index 52d9d09818..24ffd72b81 100644 --- a/detections/cloud/o365_excessive_authentication_failures_alert.yml +++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml @@ -1,7 +1,7 @@ name: O365 Excessive Authentication Failures Alert id: d441364c-349c-453b-b55f-12eccab67cf9 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Rod Soto, Splunk status: production type: Anomaly @@ -34,7 +34,7 @@ rba: risk_objects: - field: user type: user - score: 64 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml index 47a2e0f0cd..207f38ca57 100644 --- a/detections/cloud/o365_excessive_sso_logon_errors.yml +++ b/detections/cloud/o365_excessive_sso_logon_errors.yml 
@@ -1,7 +1,7 @@ name: O365 Excessive SSO logon errors id: 8158ccc4-6038-11eb-ae93-0242ac130002 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Rod Soto, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: user type: user - score: 64 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 36d861dab1..2625268821 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml @@ -1,7 +1,7 @@ name: O365 Exfiltration via File Access id: 80b44ae2-60ff-43f1-8e56-34beb49a340a -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml index bc57c13c48..bd46dbc5b2 100644 --- a/detections/cloud/o365_exfiltration_via_file_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_download.yml @@ -1,7 +1,7 @@ name: O365 Exfiltration via File Download id: 06b23921-bfe2-4576-89dd-616f06e129da -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -41,7 +41,7 @@ rba: risk_objects: - field: user type: user - score: 25 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml index c8970f5695..d7da48f274 100644 --- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml +++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml 
@@ -1,7 +1,7 @@ name: O365 Exfiltration via File Sync Download id: 350837b5-13d3-4c06-b688-db07afbe5050 -version: 3 -date: '2026-02-25' +version: 4 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -42,7 +42,7 @@ rba: risk_objects: - field: user type: user - score: 25 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml index b71ea9c2f0..fc90599049 100644 --- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml +++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml @@ -1,7 +1,7 @@ name: O365 Multiple AppIDs and UserAgents Authentication Spike id: 66adc486-224d-45c1-8e4d-9e7eeaba988f -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Mauricio Velazco, Splunk status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: user type: user - score: 48 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml index 9c04a06428..30fa1149c1 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml @@ -1,7 +1,7 @@ name: O365 Multiple Service Principals Created by SP id: ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe -version: 6 -date: '2025-05-02' +version: 7 +date: '2026-02-26' author: Mauricio Velazco, Splunk data_source: - O365 Add service principal. @@ -28,7 +28,7 @@ rba: risk_objects: - field: src_user type: user - score: 42 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml index 473212f2b5..4a0dd412cd 100644 --- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml +++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml @@ -1,7 +1,7 @@ name: O365 Multiple Service Principals Created by User id: a34e65d0-54de-4b02-9db8-5a04522067f6 -version: 6 -date: '2025-05-02' +version: 7 +date: '2026-02-26' author: Mauricio Velazco, Splunk data_source: - O365 Add service principal. @@ -28,7 +28,7 @@ rba: risk_objects: - field: src_user type: user - score: 42 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml index 182ea0729a..e66555c3f8 100644 --- a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml +++ b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml @@ -1,7 +1,7 @@ name: O365 SharePoint Suspicious Search Behavior id: 6ca919db-52f3-4c95-a4e9-7b189e8a043d -version: 4 -date: '2026-01-14' +version: 5 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: user type: user - score: 35 + score: 20 threat_objects: - field: src type: ip_address diff --git a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml index 9d9b764d05..d85afbefae 100644 --- a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml +++ b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml @@ -1,7 +1,7 @@ name: O365 Threat Intelligence Suspicious Email Delivered id: 605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly 
diff --git a/detections/cloud/o365_zap_activity_detection.yml b/detections/cloud/o365_zap_activity_detection.yml index 85bde8609e..61d8cd3cc1 100644 --- a/detections/cloud/o365_zap_activity_detection.yml +++ b/detections/cloud/o365_zap_activity_detection.yml @@ -1,7 +1,7 @@ name: O365 ZAP Activity Detection id: 4df275fd-a0e5-4246-8b92-d3201edaef7a -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Steven Dick status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: user type: user - score: 10 + score: 20 threat_objects: - field: file_name type: file_name diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml index 8bdceab553..c3d5636f16 100644 --- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml +++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml @@ -1,7 +1,7 @@ name: Add DefaultUser And Password In Registry id: d4a3eb62-0f1e-11ec-a971-acde48001122 -version: 12 -date: '2026-01-14' +version: 13 +date: '2026-02-26' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly @@ -28,7 +28,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/advanced_ip_or_port_scanner_execution.yml b/detections/endpoint/advanced_ip_or_port_scanner_execution.yml index 740c2f81cb..dac8ea0512 100644 --- a/detections/endpoint/advanced_ip_or_port_scanner_execution.yml +++ b/detections/endpoint/advanced_ip_or_port_scanner_execution.yml @@ -1,7 +1,7 @@ name: Advanced IP or Port Scanner Execution id: 9a4e50c7-5b62-4d52-93b4-f2b61332e9a5 -version: 1 -date: '2025-10-13' +version: 2 +date: '2026-02-26' author: Nasreddine Bencherchali, Splunk status: production type: Anomaly 
@@ -71,10 +71,10 @@ rba: risk_objects: - field: user type: user - score: 64 + score: 20 - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml index a4b333ee13..75d8e8b7cb 100644 --- a/detections/endpoint/anomalous_usage_of_7zip.yml +++ b/detections/endpoint/anomalous_usage_of_7zip.yml @@ -1,7 +1,7 @@ name: Anomalous usage of 7zip id: 9364ee8e-a39a-11eb-8f1d-acde48001122 -version: 11 -date: '2026-02-25' +version: 12 +date: '2026-02-26' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly @@ -44,10 +44,10 @@ rba: risk_objects: - field: user type: user - score: 64 + score: 20 - field: dest type: system - score: 64 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml index 214b7f6e22..3dde353e92 100644 --- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml +++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml @@ -1,7 +1,7 @@ name: Attempt To Add Certificate To Untrusted Store id: 6bc5243e-ef36-45dc-9b12-f4a6be131159 -version: 17 -date: '2026-02-25' +version: 18 +date: '2026-02-26' author: Patrick Bareiss, Rico Valdez, Splunk status: production type: Anomaly @@ -48,10 +48,10 @@ rba: risk_objects: - field: user type: user - score: 35 + score: 20 - field: dest type: system - score: 35 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml index 11dfd77662..99fab1dc81 100644 --- a/detections/endpoint/chcp_command_execution.yml +++ b/detections/endpoint/chcp_command_execution.yml 
@@ -1,7 +1,7 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 - field: user
 type: user
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml b/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
index 45af16a8fe..dd2766b981 100644
--- a/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
+++ b/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Access To Cloud Metadata Service
 id: 7f2e1a9a-1e8e-4d2e-8b7c-5f2c3d6a9b21
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 50
+ score: 20
 threat_objects:
 - field: src_ip
 type: ip_address
diff --git a/detections/endpoint/cisco_isovalent___cron_job_creation.yml b/detections/endpoint/cisco_isovalent___cron_job_creation.yml
index c60cab06e0..bfbaddb39b 100644
--- a/detections/endpoint/cisco_isovalent___cron_job_creation.yml
+++ b/detections/endpoint/cisco_isovalent___cron_job_creation.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Cron Job Creation
 id: 94531a31-a041-4777-909f-cd92ed3b71ad
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 50
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml
index 81d017d78d..5fa722b2aa 100644
--- a/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml
+++ b/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Curl Execution With Insecure Flags
 id: c16c4899-d3f7-461b-92c2-cc0ef5758855
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 45
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___late_process_execution.yml b/detections/endpoint/cisco_isovalent___late_process_execution.yml
index 01d79756ad..9b953cf5d6 100644
--- a/detections/endpoint/cisco_isovalent___late_process_execution.yml
+++ b/detections/endpoint/cisco_isovalent___late_process_execution.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Late Process Execution
 id: 7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 45
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml b/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
index 9500b1a65b..5a870691ea 100644
--- a/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
+++ b/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Non Allowlisted Image Use
 id: 9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -50,7 +50,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 45
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml
index f306f043cf..103a792d10 100644
--- a/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml
+++ b/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod
 id: cd07120d-4265-481a-ba0f-3b91fbc5a02f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 50
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml b/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml
index 562de890a8..c70d237e07 100644
--- a/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml
+++ b/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Pods Running Offensive Tools
 id: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 48
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml b/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml
index 9e01be6f89..276e412532 100644
--- a/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml
+++ b/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Potential Escape to Host
 id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -59,7 +59,7 @@ rba:
 risk_objects:
 - field: pod_name
 type: system
- score: 70
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_isovalent___shell_execution.yml b/detections/endpoint/cisco_isovalent___shell_execution.yml
index 2dfc8b952e..51e90bfb8b 100644
--- a/detections/endpoint/cisco_isovalent___shell_execution.yml
+++ b/detections/endpoint/cisco_isovalent___shell_execution.yml
@@ -1,7 +1,7 @@
 name: Cisco Isovalent - Shell Execution
 id: 12345678-abcd-1234-ef00-1234567890ab
-version: 1
-date: '2026-01-05'
+version: 2
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 type: Anomaly
 data_source:
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: node_name
 type: system
- score: 49
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
index 7554829ce0..cb6402b274 100644
--- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
+++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Curl Execution With Insecure Flags
 id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
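Review bot: The `id` of Cisco Isovalent - Shell Execution, `12345678-abcd-1234-ef00-1234567890ab`, reads like a hand-typed placeholder rather than a generated UUID, and this hunk bumps the file to version 2 without touching it; since the id is the stable key that RBA, ES and any suppression or lookup tooling use to refer to the analytic, it is worth confirming it is intentional, and if it is not, replacing it with a generated random UUID while the content version is changing anyway (`id: <GENERATED_UUID4>`), noting that existing risk events keyed to the old value will not follow. Separately, the Isovalent files in this commit (access_to_cloud_metadata_service, cron_job_creation, curl_execution_with_insecure_flags, late_process_execution, nsenter_usage_in_kubernetes_pod, pods_running_offensive_tools, potential_escape_to_host and shell_execution) show `author`, `type`, `data_source` in their first seven lines where the other analytics show `author`, `status`, `type`, and non_allowlisted_image_use has `status: production` there. The hunks do not show the rest of each header, so `status` may simply sit further down, but if any of them lack it entirely the key should be added before these files ship with a bumped version.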
@@ -71,7 +71,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
index 5e284af764..ec4fab4f6b 100644
--- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
+++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
 id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -76,7 +76,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
index 97a9680ea8..70676b2e1c 100644
--- a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
+++ b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Non-Network Binary Making Network Connection
 id: c6db35af-8a0e-4b61-88ed-738e66f15715
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -72,7 +72,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
index 0f7c8a1967..bca6310eb9 100644
--- a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
+++ b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Outbound Connection to Suspicious Port
 id: fc32a8d5-bc79-4437-b48f-4646ab7bed9d
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -70,7 +70,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
index c239e37443..24e0d28e75 100644
--- a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Rclone Execution With Network Activity
 id: 719f8c78-b20d-4bb9-8c33-6d1a762e7a9a
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -80,7 +80,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 60
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
index 14b3f936c0..876979bee9 100644
--- a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
+++ b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
 id: 18f0d27d-569e-4bc4-96e1-09b214fa73c0
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -68,7 +68,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
index 028f42c133..7e4e74c3dd 100644
--- a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Susp Script From Archive Triggering Network Activity
 id: 8b07c2c9-0cde-4c44-9fa6-59dcf2b25777
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -66,7 +66,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
index d03533077d..c408e251c3 100644
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Download From File Sharing Website
 id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -86,7 +86,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
index 2ffc620f90..f81d229381 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection From Process With No Args
 id: 54fa06c5-96a2-4406-a4a7-44d93ddbd173
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -76,7 +76,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
index 8baf55b2ba..70f066908a 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection Initiated via MsXsl
 id: 1cbcf75f-0e45-4f29-8c1b-7fcd7e55cc55
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -70,7 +70,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
index 68db8ae6f3..2048360a62 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
@@ -1,7 +1,7 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
 type: Anomaly
@@ -80,7 +80,7 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
index 996e74890c..d829c0487a 100644
--- a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
+++ b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
@@ -1,7 +1,7 @@
 name: CrowdStrike Falcon Stream Alerts
 id: cb6af2b3-29ab-441c-8d8d-679811c8b014
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Bryan Pluta, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -58,10 +58,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 81
+ score: 20
 - field: user
 type: user
- score: 81
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml
index 137188ad15..4e87d0908a 100644
--- a/detections/endpoint/crowdstrike_medium_severity_alert.yml
+++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Medium Severity Alert
 id: 7e80d92a-6ec3-4eb1-a444-1480acfe2d14
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
index 22dae5c80e..04814d6254 100644
--- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
+++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Multiple LOW Severity Alerts
 id: 5c2c02d8-bee7-4f5c-9dea-e3e1012daddb
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: src_host
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
index 8974ca61db..12003b4954 100644
--- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
+++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Privilege Escalation For Non-Admin User
 id: 69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
index 6de6117c03..31cd52a871 100644
--- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike User Weak Password Policy
 id: b49b6ef4-57cd-4d42-bd7e-64e00f11cc87
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
index e1d57af612..d5e4e47560 100644
--- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike User with Duplicate Password
 id: 386dd914-16e5-400b-9bf6-25572cc4415a
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
index 12940edd11..7e7b4be4e5 100644
--- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
+++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
@@ -1,7 +1,7 @@
 name: Detect Excessive Account Lockouts From Endpoint
 id: c026e3dd-7e18-4abb-8f41-929e836efe74
-version: 14
-date: '2026-02-25'
+version: 15
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -34,10 +34,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 36
+ score: 20
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml
index dd962d0cdd..e84bcf7645 100644
--- a/detections/endpoint/detect_excessive_user_account_lockouts.yml
+++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml
@@ -1,7 +1,7 @@
 name: Detect Excessive User Account Lockouts
 id: 95a7f9a5-6096-437e-a19e-86f42ac609bd
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index c1e6d2d99c..54a99c4f84 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -1,7 +1,7 @@
 name: Detect Outlook exe writing a zip file
 id: a51bfe1a-94f0-4822-b1e4-16ae10145893
-version: 15
-date: '2026-01-23'
+version: 16
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -98,10 +98,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml
index f3fdd77ef3..cb3094d1aa 100644
--- a/detections/endpoint/detect_rare_executables.yml
+++ b/detections/endpoint/detect_rare_executables.yml
@@ -1,7 +1,7 @@
 name: Detect Rare Executables
 id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac
-version: 11
-date: '2026-01-15'
+version: 12
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -66,7 +66,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml
index 627e4f4a9c..69a856b100 100644
--- a/detections/endpoint/detect_remote_access_software_usage_file.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_file.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 13
-date: '2026-01-19'
+version: 14
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -67,10 +67,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
index 835b980497..85aeb8a416 100644
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage FileInfo
 id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -46,10 +46,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index c1ae9e010f..9507b0bf2b 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 14
-date: '2026-02-25'
+version: 15
+date: '2026-02-26'
 author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
@@ -51,10 +51,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
index f62cf3f9ac..e7939d3a15 100644
--- a/detections/endpoint/detect_remote_access_software_usage_registry.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 10
-date: '2025-10-14'
+version: 11
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -33,10 +33,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: registry_path
 type: registry_path
diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
index c83cd93331..868cc582ce 100644
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
+++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
 name: Detect suspicious processnames using pretrained model in DSDL
 id: a15f8977-ad7d-4669-92ef-b59b97219bf5
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 type: Anomaly
 status: experimental
@@ -35,10 +35,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 45
+ score: 20
 - field: user
 type: user
- score: 45
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
index 1ec2c2bab5..5bc61a8b7b 100644
--- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
+++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
@@ -1,7 +1,7 @@
 name: Detection of tools built by NirSoft
 id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -36,10 +36,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index 700f70ab3f..ee05ac2474 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -1,7 +1,7 @@
 name: Disable Show Hidden Files
 id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122
-version: 14
-date: '2026-01-14'
+version: 15
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml
index 98733d4e11..9eff89110f 100644
--- a/detections/endpoint/disabling_firewall_with_netsh.yml
+++ b/detections/endpoint/disabling_firewall_with_netsh.yml
@@ -1,7 +1,7 @@
 name: Disabling Firewall with Netsh
 id: 6860a62c-9203-11eb-9e05-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,10 +44,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml
index 253fe62e30..b30367a863 100644
--- a/detections/endpoint/domain_account_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
 name: Domain Account Discovery with Dsquery
 id: b1a8ce04-04c2-11ec-bea7-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -45,10 +45,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 3
+ score: 20
 - field: dest
 type: system
- score: 3
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml
index e962b08dda..3b6de8ae9a 100644
--- a/detections/endpoint/domain_group_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
 name: Domain Group Discovery With Dsquery
 id: f0c9d62f-a232-4edd-b17e-bc409fb133d4
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -45,10 +45,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 3
+ score: 20
 - field: dest
 type: system
- score: 3
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml
index 468235f24d..48a57c52fd 100644
--- a/detections/endpoint/excessive_attempt_to_disable_services.yml
+++ b/detections/endpoint/excessive_attempt_to_disable_services.yml
@@ -1,7 +1,7 @@
 name: Excessive Attempt To Disable Services
 id: 8fa2a0f0-acd9-11eb-8994-acde48001122
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 80
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
index 9522b3a449..84ce21e66c 100644
--- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
+++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
@@ -1,7 +1,7 @@
 name: Excessive distinct processes from Windows Temp
 id: 23587b6a-c479-11eb-b671-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
 author: Michael Hart, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 80
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
index ff5d6826bb..5a6f9bbf9e 100644
--- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
+++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
@@ -1,7 +1,7 @@
 name: Excessive number of service control start as disabled
 id: 77592bec-d5cc-11eb-9e60-acde48001122
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Michael Hart, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 80
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml
index 05c4b23df5..c7d51c7269 100644
--- a/detections/endpoint/excessive_number_of_taskhost_processes.yml
+++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml
@@ -1,7 +1,7 @@ name: Excessive number of taskhost processes id: f443dac2-c7cf-11eb-ab51-acde48001122 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Michael Hart status: production type: Anomaly @@ -46,7 +46,7 @@ rba: risk_objects: - field: dest type: system - score: 56 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml index ef7b8bfde1..9022366eb2 100644 --- a/detections/endpoint/excessive_usage_of_cacls_app.yml +++ b/detections/endpoint/excessive_usage_of_cacls_app.yml @@ -1,7 +1,7 @@ name: Excessive Usage Of Cacls App id: 0bdf6092-af17-11eb-939a-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -76,7 +76,7 @@ rba: risk_objects: - field: dest type: system - score: 80 + score: 20 threat_objects: - field: process_name type: process_name diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml index 0131bc9eda..675f9f5619 100644 --- a/detections/endpoint/excessive_usage_of_nslookup_app.yml +++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml @@ -1,7 +1,7 @@ name: Excessive Usage of NSLOOKUP App id: 0a69fdaa-a2b8-11eb-b16d-acde48001122 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Stanislav Miskovic, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 28 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml index 506c25e559..551ebe0625 100644 --- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml +++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml 
@@ -1,7 +1,7 @@ name: Excessive Usage Of SC Service Utility id: cb6b339e-d4c6-11eb-a026-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -39,7 +39,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index 1fdd9e6642..f10df7e93b 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -1,7 +1,7 @@ name: Excessive Usage Of Taskkill id: fe5bca48-accb-11eb-a67c-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -39,7 +39,7 @@ rba: risk_objects: - field: dest type: system - score: 28 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index aef801b568..8b4f84e0e0 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Suspicious Path id: a7e3f0f0-ae42-11eb-b245-acde48001122 -version: 23 -date: '2026-02-12' +version: 24 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -84,7 +84,7 @@ rba: risk_objects: - field: user type: user - score: 30 + score: 20 threat_objects: - field: file_name type: file_name diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml index 75ff63eff3..f6fc0cd5fb 100644 
--- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml @@ -1,7 +1,7 @@ name: Executables Or Script Creation In Temp Path id: e0422b71-2c05-4f32-8754-01fb415f49c9 -version: 19 -date: '2026-02-03' +version: 20 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -74,7 +74,7 @@ rba: risk_objects: - field: user type: user - score: 5 + score: 20 threat_objects: - field: file_name type: file_name diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml index f69b2c445d..37008dd618 100644 --- a/detections/endpoint/firewall_allowed_program_enable.yml +++ b/detections/endpoint/firewall_allowed_program_enable.yml @@ -1,7 +1,7 @@ name: Firewall Allowed Program Enable id: 9a8f63a8-43ac-11ec-904c-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -42,7 +42,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml index cfbbbfa17c..091aa42a29 100644 --- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml +++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml @@ -1,7 +1,7 @@ name: First Time Seen Child Process of Zoom id: e91bd102-d630-4e76-ab73-7e3ba22c5961 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: David Dorsey, Splunk status: experimental type: Anomaly @@ -31,10 +31,10 @@ rba: risk_objects: - field: user type: user - score: 64 + score: 20 - field: dest type: system - score: 64 + score: 20 threat_objects: - field: process_name type: process_name 
diff --git a/detections/endpoint/first_time_seen_running_windows_service.yml b/detections/endpoint/first_time_seen_running_windows_service.yml index 364bb4091d..d05a5b97ef 100644 --- a/detections/endpoint/first_time_seen_running_windows_service.yml +++ b/detections/endpoint/first_time_seen_running_windows_service.yml @@ -1,7 +1,7 @@ name: First Time Seen Running Windows Service id: 823136f2-d755-4b6d-ae04-372b486a5808 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: David Dorsey, Splunk status: experimental type: Anomaly @@ -24,7 +24,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml index b2819995ec..3c4a5d8c83 100644 --- a/detections/endpoint/headless_browser_usage.yml +++ b/detections/endpoint/headless_browser_usage.yml @@ -1,7 +1,7 @@ name: Headless Browser Usage id: 869ba261-c272-47d7-affe-5c0aa85c93d6 -version: 7 -date: '2026-01-29' +version: 8 +date: '2026-02-26' author: Michael Haag, Teoderick Contreras, Splunk status: production type: Anomaly @@ -32,10 +32,10 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 - field: user type: user - score: 30 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml index fc376f03f7..1c32a261d7 100644 --- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml +++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml @@ -1,7 +1,7 @@ name: High Frequency Copy Of Files In Network Share id: 40925f12-4709-11ec-bb43-acde48001122 -version: 7 -date: '2025-10-14' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -27,7 +27,7 @@ rba: risk_objects: - field: src_user type: user - score: 9 + score: 20 threat_objects: - field: src_ip type: ip_address diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml index 09f8c29f15..28c3a38638 100644 --- a/detections/endpoint/high_process_termination_frequency.yml +++ b/detections/endpoint/high_process_termination_frequency.yml @@ -1,7 +1,7 @@ name: High Process Termination Frequency id: 17cd75b2-8666-11eb-9ab4-acde48001122 -version: 11 -date: '2026-02-25' +version: 12 +date: '2026-02-26' author: Teoderick Contreras status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 72 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml index b2fba8be5b..acf356deee 100644 --- a/detections/endpoint/icacls_deny_command.yml +++ b/detections/endpoint/icacls_deny_command.yml @@ -1,7 +1,7 @@ name: Icacls Deny Command id: cf8d753e-a8fe-11eb-8f58-acde48001122 -version: 11 -date: '2026-02-25' +version: 12 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -59,10 +59,10 @@ rba: risk_objects: - field: dest type: system - score: 72 + score: 20 - field: user type: user - score: 72 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml index 2e263fad5b..3a3d1e6b3a 100644 --- a/detections/endpoint/icacls_grant_command.yml +++ b/detections/endpoint/icacls_grant_command.yml @@ -1,7 +1,7 @@ name: ICACLS Grant Command id: b1b1e316-accc-11eb-a9b4-acde48001122 -version: 11 -date: '2026-02-25' +version: 12 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -59,10 +59,10 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 - field: user type: user - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml index 61c7c3aaab..80c91b7dfd 100644 --- a/detections/endpoint/kerberos_user_enumeration.yml +++ b/detections/endpoint/kerberos_user_enumeration.yml @@ -1,7 +1,7 @@ name: Kerberos User Enumeration id: d82d4af4-a0bd-11ec-9445-3e22fbd008af -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Mauricio Velazco, Splunk status: production type: Anomaly @@ -39,7 +39,7 @@ rba: risk_objects: - field: src_ip type: system - score: 24 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml index 0df4ac8949..87061cb8e5 100644 --- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml +++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml @@ -1,7 +1,7 @@ name: Linux Account Manipulation Of SSH Config and Keys id: 73a56508-1cf5-4df7-b8d9-5737fbdc27d2 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -40,7 +40,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml index 2fbc802c4f..063d2e3e54 100644 --- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml +++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml 
@@ -1,7 +1,7 @@ name: Linux Add Files In Known Crontab Directories id: 023f3452-5f27-11ec-bf00-acde48001122 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -39,7 +39,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml index d00e7dcda2..d2b8d3c958 100644 --- a/detections/endpoint/linux_apt_privilege_escalation.yml +++ b/detections/endpoint/linux_apt_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux APT Privilege Escalation id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88 -version: 10 -date: '2026-02-10' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production type: Anomaly @@ -29,7 +29,7 @@ rba: risk_objects: - field: dest type: system - score: 10 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml index 09bbb3f081..8894b35df3 100644 --- a/detections/endpoint/linux_at_allow_config_file_creation.yml +++ b/detections/endpoint/linux_at_allow_config_file_creation.yml @@ -1,7 +1,7 @@ name: Linux At Allow Config File Creation id: 977b3082-5f3d-11ec-b954-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml index fcac10678a..8c9e985ab4 100644 --- a/detections/endpoint/linux_at_application_execution.yml 
+++ b/detections/endpoint/linux_at_application_execution.yml @@ -1,7 +1,7 @@ name: Linux At Application Execution id: bf0a378e-5f3c-11ec-a6de-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml index fe8fb04db7..cde1a935d5 100644 --- a/detections/endpoint/linux_auditd_add_user_account.yml +++ b/detections/endpoint/linux_auditd_add_user_account.yml @@ -1,7 +1,7 @@ name: Linux Auditd Add User Account id: aae66dc0-74b4-4807-b480-b35f8027abb4 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -34,7 +34,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml index 39085890c1..fcf6a4dfde 100644 --- a/detections/endpoint/linux_auditd_add_user_account_type.yml +++ b/detections/endpoint/linux_auditd_add_user_account_type.yml @@ -1,7 +1,7 @@ name: Linux Auditd Add User Account Type id: f8c325ea-506e-4105-8ccf-da1492e90115 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml index 314e50f676..3d281aa401 100644 --- a/detections/endpoint/linux_auditd_at_application_execution.yml 
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd At Application Execution id: 9f306e0a-1c36-469e-8892-968ca12470dd -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml index 98c077f6fc..80d7dfe641 100644 --- a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml +++ b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml @@ -1,7 +1,7 @@ name: Linux Auditd Auditd Daemon Abort id: 76d6573f-c4ab-4fa1-8390-c036416d4add -version: 2 -date: '2026-02-25' +version: 3 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml b/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml index 7cece75c29..9485753c32 100644 --- a/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml +++ b/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml @@ -1,7 +1,7 @@ name: Linux Auditd Auditd Daemon Shutdown id: 6e2574b3-e24b-4321-ae3c-ba83a75bb714 -version: 2 -date: '2026-02-25' +version: 3 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_auditd_daemon_start.yml b/detections/endpoint/linux_auditd_auditd_daemon_start.yml index 89d0e5129a..9e7d24fe5e 100644 --- a/detections/endpoint/linux_auditd_auditd_daemon_start.yml 
+++ b/detections/endpoint/linux_auditd_auditd_daemon_start.yml @@ -1,7 +1,7 @@ name: Linux Auditd Auditd Daemon Start id: 6b0cb0ff-9a7e-4475-a687-43827fdb31d6 -version: 2 -date: '2026-02-25' +version: 3 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 15 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml index 0a235efec2..d328b07de3 100644 --- a/detections/endpoint/linux_auditd_auditd_service_stop.yml +++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml @@ -1,7 +1,7 @@ name: Linux Auditd Auditd Service Stop id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml index 11965a0e04..a52ecfdc7d 100644 --- a/detections/endpoint/linux_auditd_base64_decode_files.yml +++ b/detections/endpoint/linux_auditd_base64_decode_files.yml @@ -1,7 +1,7 @@ name: Linux Auditd Base64 Decode Files id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737 -version: 6 -date: '2026-02-25' +version: 7 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml index fe16233be8..809bd997a7 100644 --- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml 
+++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml @@ -1,7 +1,7 @@ name: Linux Auditd Change File Owner To Root id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml index d7663d7964..2bd7c1296b 100644 --- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml +++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml @@ -1,7 +1,7 @@ name: Linux Auditd Clipboard Data Copy id: 9ddfe470-c4d0-4e60-8668-7337bd699edd -version: 6 -date: '2026-02-25' +version: 7 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 16 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml index 8145d38e71..0b820ba595 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml @@ -1,7 +1,7 @@ name: Linux Auditd Data Transfer Size Limits Via Split id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml index e0fa1a061a..d405b06d90 100644 --- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml +++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml @@ -1,7 +1,7 @@ name: Linux Auditd Data Transfer Size Limits Via Split Syscall id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e -version: 6 -date: '2026-02-25' +version: 7 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml index c6b42cc430..bafd21d323 100644 --- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml +++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd Database File And Directory Discovery id: f616c4f3-bde9-41cf-856c-019b65f668bb -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml index 37b84049ae..e00f0c3f72 100644 --- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml +++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml 
@@ -1,7 +1,7 @@ name: Linux Auditd Disable Or Modify System Firewall id: 07052556-d4b5-4bae-89aa-cbdc1bb11250 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -35,7 +35,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml index 9be66fa80b..b22d2caa3b 100644 --- a/detections/endpoint/linux_auditd_doas_tool_execution.yml +++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml @@ -1,7 +1,7 @@ name: Linux Auditd Doas Tool Execution id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml index 522a16cbbf..f2db8a5408 100644 --- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml +++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml @@ -1,7 +1,7 @@ name: Linux Auditd Edit Cron Table Parameter id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml index 397ccd78f1..6c4416bae9 100644 --- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml 
+++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml @@ -1,7 +1,7 @@ name: Linux Auditd File And Directory Discovery id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1 -version: 6 -date: '2026-02-25' +version: 7 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml index c19dc01885..565fd0b398 100644 --- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml +++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml @@ -1,7 +1,7 @@ name: Linux Auditd File Permission Modification Via Chmod id: 5f1d2ea7-eec0-4790-8b24-6875312ad492 -version: 12 -date: '2026-02-25' +version: 13 +date: '2026-02-26' author: "Teoderick Contreras, Splunk, Ivar Nygård" status: production type: Anomaly @@ -34,7 +34,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml index e6a73849c3..2154908d1d 100644 --- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml +++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml @@ -1,7 +1,7 @@ name: Linux Auditd File Permissions Modification Via Chattr id: f2d1110d-b01c-4a58-9975-90a9edeb083a -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -34,7 +34,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml index aa8cfae548..27f42bf8be 100644 --- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml +++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml @@ -1,7 +1,7 @@ name: Linux Auditd Find Ssh Private Keys id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml index 9d1e6ddebf..8183131d9d 100644 --- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml +++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml @@ -1,7 +1,7 @@ name: Linux Auditd Hardware Addition Swapoff id: 5728bb16-1a0b-4b66-bce2-0074ac839770 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -34,7 +34,7 @@ rba: risk_objects: - field: dest type: system - score: 36 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml index 8ddb0cd935..4dcb01a385 100644 --- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml +++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml @@ -1,7 +1,7 @@ name: Linux Auditd Hidden Files And Directories Creation id: 555cc358-bf16-4e05-9b3a-0f89c73b7261 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -37,7 +37,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml index 5d656da481..44d86c88d7 100644 --- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml +++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Insert Kernel Module Using Insmod Utility id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml index 3d66bec95c..dfef0a5a7f 100644 --- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml +++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml @@ -1,7 +1,7 @@ name: Linux Auditd Install Kernel Module Using Modprobe Utility id: 95165985-ace5-4d42-9c42-93a89a5af901 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml index 7a120b7198..1f6b4d320b 100644 --- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml +++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml 
@@ -1,7 +1,7 @@
 name: Linux Auditd Kernel Module Enumeration
 id: d1b088de-c47a-4572-9339-bdcc26493b32
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index 3b8692330c..805cd0cdc7 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Nopasswd Entry In Sudoers File
 id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index 2ca137cbef..881e8a0b85 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Osquery Service Stop
 id: 0c320fea-6e87-4b99-a884-74d09d4b655d
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index b729f0725d..e16f287a48 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access Or Modification Of Sshd Config File
 id: acb3ea33-70f7-47aa-b335-643b3aebcb2f
-version: 8
-date: '2025-11-27'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -81,7 +81,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 1b7063f026..a4a0d92eae 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
index fdc331489b..2ca7140377 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Sudoers File
 id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: 11
-date: '2025-11-27'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -77,7 +77,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index 06a2d7e1fe..ce7c39d67d 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Private Keys and Certificate Enumeration
 id: 892eb674-3344-4143-8e52-4775b1daf3f1
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index f91cf562dc..cb4956d9df 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Service Restarted
 id: 8eb3e858-18d3-44a4-a514-52cfa39f154a
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index cdc61ca29b..fb414e7754 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Service Started
 id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index f56fbc1ec5..95ee67144c 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Setuid Using Chmod Utility
 id: 8230c407-1b47-4d95-ac2e-718bd6381386
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 81
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index 879fd7f777..e53e445e03 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Sudo Or Su Execution
 id: 817a5c89-5b92-4818-a22d-aa35e1361afe
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index ad3cc1032a..ae4e28d4bc 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
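Review bot: The `score: 20` on the `dest` risk object in linux_auditd_setuid_using_chmod_utility.yml now weights a setuid-bit change via chmod the same as every other Anomaly in this batch, down from 81, so a host that shows a setuid chmod accrues no more risk than one where `whoami` ran (25 to 20 elsewhere in this diff). Five unrelated low-fidelity anomalies on one host now sum to the same value as five setuid events, which changes what any risk-notable threshold downstream means. If a flat per-type score is the intended policy it should be stated in the commit message and the thresholds that consume these scores re-checked; if per-detection fidelity is still meant to matter, keep a higher value here, e.g. `score: 60`. The `rba` block starts above the hunk and `tags` continues below it.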
@@ -1,7 +1,7 @@
 name: Linux Auditd Sysmon Service Stop
 id: 20901256-633a-40de-8753-7b88811a460f
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 8882aeb1e3..037c7b59fc 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd System Network Configuration Discovery
 id: 5db16825-81bd-4923-a8d6-d6a13a59832a
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
index c34d46c872..2f927beb0c 100644
--- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Virtual Disk File And Directory Discovery
 id: eec78cef-d4c8-4b35-8f5b-6922102a4a41
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
index 8f8fcf583f..1e7bf9a375 100644
--- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Whoami User Discovery
 id: d1ff2e22-310d-446a-80b3-faedaa7b3b52
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml
index 8eaf041142..d21a31e393 100644
--- a/detections/endpoint/linux_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_awk_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux AWK Privilege Escalation
 id: 4510cae0-96a2-4840-9919-91d262db210a
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml
index 837aa1d790..808b2d0c10 100644
--- a/detections/endpoint/linux_busybox_privilege_escalation.yml
+++ b/detections/endpoint/linux_busybox_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Busybox Privilege Escalation
 id: 387c4e78-f4a4-413d-ad44-e9f7bc4642c9
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml
index c10154875a..82a92b63ee 100644
--- a/detections/endpoint/linux_c89_privilege_escalation.yml
+++ b/detections/endpoint/linux_c89_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux c89 Privilege Escalation
 id: 54c95f4d-3e5d-44be-9521-ea19ba62f7a8
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml
index 99b6246ccb..d43518497e 100644
--- a/detections/endpoint/linux_c99_privilege_escalation.yml
+++ b/detections/endpoint/linux_c99_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux c99 Privilege Escalation
 id: e1c6dec5-2249-442d-a1f9-99a4bd228183
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml
index 12ca6b56c1..07532b2138 100644
--- a/detections/endpoint/linux_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
 name: Linux Change File Owner To Root
 id: c1400ea2-6257-11ec-ad49-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -46,7 +46,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml
index 40c4494f57..820c7ee1e3 100644
--- a/detections/endpoint/linux_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_clipboard_data_copy.yml
@@ -1,7 +1,7 @@
 name: Linux Clipboard Data Copy
 id: 7173b2ad-6146-418f-85ae-c3479e4515fc
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -41,10 +41,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 16
+ score: 20
 - field: dest
 type: system
- score: 16
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml
index e5f852a8f2..1fa7784c3d 100644
--- a/detections/endpoint/linux_composer_privilege_escalation.yml
+++ b/detections/endpoint/linux_composer_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Composer Privilege Escalation
 id: a3bddf71-6ba3-42ab-a6b2-396929b16d92
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
index 40d585ee47..3b2671b2b2 100644
--- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml
+++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Cpulimit Privilege Escalation
 id: d4e40b7e-aad3-4a7d-aac8-550ea5222be5
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml
index 473823befe..0785cd6f36 100644
--- a/detections/endpoint/linux_csvtool_privilege_escalation.yml
+++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Csvtool Privilege Escalation
 id: f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml
index 4f279d295e..31f934dfe9 100644
--- a/detections/endpoint/linux_deletion_of_cron_jobs.yml
+++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml
@@ -1,7 +1,7 @@
 name: Linux Deletion Of Cron Jobs
 id: 3b132a71-9335-4f33-9932-00bb4f6ac7e8
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
index caf10c668d..e9c3bdbc7a 100644
--- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml
+++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
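Review bot: `version: 11` and `date: '2026-02-26'` are bumped in linux_cpulimit_privilege_escalation.yml, yet no other hunk for that file appears in this diff, whereas its siblings (awk, c89, composer, csvtool) each also carry a `score:` hunk. Either the score was already 20 and the bump is pure churn, or the score edit was dropped for this file; worth confirming against the file before merge. The same version-only pattern is visible for emacs, make and octave later in this diff. If it is churn, revert `version` and `date` so the version history reflects real changes.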
@@ -1,7 +1,7 @@
 name: Linux Deletion of SSL Certificate
 id: 839ab790-a60a-4f81-bfb3-02567063f615
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml
index f35c5014ef..998439b198 100644
--- a/detections/endpoint/linux_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Doas Conf File Creation
 id: f6343e86-6e09-11ec-9376-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml
index bd3e329005..ca0118305b 100644
--- a/detections/endpoint/linux_doas_tool_execution.yml
+++ b/detections/endpoint/linux_doas_tool_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Doas Tool Execution
 id: d5a62490-6e09-11ec-884e-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml
index 6af1be1e31..8b7bfed2c7 100644
--- a/detections/endpoint/linux_docker_privilege_escalation.yml
+++ b/detections/endpoint/linux_docker_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Docker Privilege Escalation
 id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 5
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml
index 3426ffdb5a..624d57007f 100644
--- a/detections/endpoint/linux_emacs_privilege_escalation.yml
+++ b/detections/endpoint/linux_emacs_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Emacs Privilege Escalation
 id: 92033cab-1871-483d-a03b-a7ce98665cfc
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
index b3fc6d6254..4c0e0d3f5b 100644
--- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
+++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
@@ -1,7 +1,7 @@
 name: Linux File Created In Kernel Driver Directory
 id: b85bbeec-6326-11ec-9311-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 72
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
index db9037eecc..015b9db915 100644
--- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
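Review bot: The `dest` score in linux_docker_privilege_escalation.yml goes from 5 to 20, a fourfold increase for a detection whose prior weight of 5 was the lowest in this batch and looks like a deliberate allowance for how routinely `docker` is invoked on hosts that run it; nothing in the hunk tightens the search or the `parent_process_name` threat object to compensate. Expect benign container operations to drive host risk four times faster than before. If the flat 20 is required, say so in the commit message and consider narrowing the search; otherwise keep `score: 5`. The `rba` block starts above the hunk and the file continues after `type: parent_process_name`.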
@@ -1,7 +1,7 @@
 name: Linux File Creation In Init Boot Directory
 id: 97d9cfb2-61ad-11ec-bb2d-acde48001122
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml
index c229e9b76a..0613946dbb 100644
--- a/detections/endpoint/linux_file_creation_in_profile_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml
@@ -1,7 +1,7 @@
 name: Linux File Creation In Profile Directory
 id: 46ba0082-61af-11ec-9826-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml
index ed8e5c4db4..1af1aaf441 100644
--- a/detections/endpoint/linux_find_privilege_escalation.yml
+++ b/detections/endpoint/linux_find_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Find Privilege Escalation
 id: 2ff4e0c2-8256-4143-9c07-1e39c7231111
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 5
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml
index 56ba1ec49f..44c0258d9d 100644
--- a/detections/endpoint/linux_gdb_privilege_escalation.yml
+++ b/detections/endpoint/linux_gdb_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux GDB Privilege Escalation
 id: 310b7da2-ab52-437f-b1bf-0bd458674308
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -46,7 +46,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml
index f6c7781876..f6436e4ae7 100644
--- a/detections/endpoint/linux_gem_privilege_escalation.yml
+++ b/detections/endpoint/linux_gem_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Gem Privilege Escalation
 id: 0115482a-5dcb-4bb0-bcca-5d095d224236
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
index 7c314e9509..cb788d5285 100644
--- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux GNU Awk Privilege Escalation
 id: 0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml
index 2befe5ccd3..ecbd7987ac 100644
--- a/detections/endpoint/linux_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_hardware_addition_swapoff.yml
@@ -1,7 +1,7 @@
 name: Linux Hardware Addition SwapOff
 id: c1eea697-99ed-44c2-9b70-d8935464c499
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -39,10 +39,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 - field: user
 type: user
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
index 64d8cd6732..352c986444 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
@@ -1,7 +1,7 @@
 name: Linux High Frequency Of File Deletion In Etc Folder
 id: 9d867448-2aff-4d07-876c-89409a752ff8
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
index 493da60fa2..81809e9800 100644
--- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
+++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Linux Indicator Removal Service File Deletion
 id: 6c077f81-2a83-4537-afbc-0e62e3215d55
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,10 +44,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 - field: user
 type: user
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
index 0a7e773803..7d79f70dd5 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer with Curl
 id: 8c1de57d-abc1-4b41-a727-a7a8fc5e0857
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -52,10 +52,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 12
+ score: 20
 - field: dest
 type: system
- score: 12
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
index bd18029193..6eada25359 100644
--- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Insert Kernel Module Using Insmod Utility
 id: 18b5a1a0-6326-11ec-943a-acde48001122
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
index d6f0437505..d02cb264da 100644
--- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Install Kernel Module Using Modprobe Utility
 id: 387b278a-6326-11ec-aa2c-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
index 9c714fd7e2..17ea829183 100644
--- a/detections/endpoint/linux_iptables_firewall_modification.yml
+++ b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -1,7 +1,7 @@
 name: Linux Iptables Firewall Modification
 id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -59,7 +59,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml
index 10ab100886..6233095686 100644
--- a/detections/endpoint/linux_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_kernel_module_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Kernel Module Enumeration
 id: 6df99886-0e04-4c11-8b88-325747419278
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -40,10 +40,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 15
+ score: 20
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml
index 329afa9466..66486c6430 100644
--- a/detections/endpoint/linux_make_privilege_escalation.yml
+++ b/detections/endpoint/linux_make_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Make Privilege Escalation
 id: 80b22836-5091-4944-80ee-f733ac443f4f
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml
index fe514e9137..4e0c6d17cc 100644
--- a/detections/endpoint/linux_mysql_privilege_escalation.yml
+++ b/detections/endpoint/linux_mysql_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux MySQL Privilege Escalation
 id: c0d810f4-230c-44ea-b703-989da02ff145
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
index fc8edac077..47743b8c61 100644
--- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
@@ -1,7 +1,7 @@
 name: Linux Ngrok Reverse Proxy Usage
 id: bc84d574-708c-467d-b78a-4c1e20171f97
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -41,10 +41,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 50
+ score: 20
 - field: dest
 type: system
- score: 50
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
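Review bot: Cutting both the `user` and `dest` risk objects in linux_ngrok_reverse_proxy_usage.yml from 50 to 20 puts a tunnelling tool that typically has no business on a production host on the same footing as kernel-module enumeration, which this same diff moves from 15 to 20. Each event still lands 20 on the user and 20 on the host, so the ordering against single-object detections is unchanged, but the distance to any notable threshold downstream grows 2.5x for what was one of the higher-confidence signals in this set. If the flattening is deliberate, record the new baseline in the commit message; otherwise keep `score: 50` on both objects. The `rba` block begins above the hunk and the `threat_objects` entry continues after it.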
diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml
index 7a4358cea0..f6970cbef0 100644
--- a/detections/endpoint/linux_node_privilege_escalation.yml
+++ b/detections/endpoint/linux_node_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Node Privilege Escalation
 id: 2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
@@ -47,7 +47,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
index 645262aa1d..7475282433 100644
--- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux NOPASSWD Entry In Sudoers File
 id: ab1e0d52-624a-11ec-8e0b-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
index 469052321e..cbb4ea3f79 100644
--- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
+++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
@@ -1,7 +1,7 @@
 name: Linux Obfuscated Files or Information Base64 Decode
 id: 303b38b2-c03f-44e2-8f41-4594606fcfc7
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba: risk_objects: - field: user type: user - score: 15 + score: 20 - field: dest type: system - score: 15 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml index 0749bdb253..82ade8c4a9 100644 --- a/detections/endpoint/linux_octave_privilege_escalation.yml +++ b/detections/endpoint/linux_octave_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux Octave Privilege Escalation id: 78f7487d-42ce-4f7f-8685-2159b25fb477 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml index cc359d9589..c94a2f7b72 100644 --- a/detections/endpoint/linux_openvpn_privilege_escalation.yml +++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux OpenVPN Privilege Escalation id: d25feebe-fa1c-4754-8a1e-afb03bedc0f2 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly @@ -49,7 +49,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml index b667de8e7b..1121cad6db 100644 --- a/detections/endpoint/linux_php_privilege_escalation.yml +++ b/detections/endpoint/linux_php_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux PHP Privilege Escalation id: 4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly 
@@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml index 11d08d6ef0..7b4986d9e8 100644 --- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml +++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml @@ -1,7 +1,7 @@ name: Linux Possible Access Or Modification Of sshd Config File id: 7a85eb24-72da-11ec-ac76-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml index f7f7853112..d544e5a638 100644 --- a/detections/endpoint/linux_possible_access_to_credential_files.yml +++ b/detections/endpoint/linux_possible_access_to_credential_files.yml @@ -1,7 +1,7 @@ name: Linux Possible Access To Credential Files id: 16107e0e-71fc-11ec-b862-acde48001122 -version: 11 -date: '2026-02-25' +version: 12 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml index e692947a69..320c44bb49 100644 --- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml +++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml 
@@ -1,7 +1,7 @@ name: Linux Possible Access To Sudoers File id: 4479539c-71fc-11ec-b2e2-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml index 4b76ae2a70..714ba23b01 100644 --- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml @@ -1,7 +1,7 @@ name: Linux Possible Append Command To At Allow Config File id: 7bc20606-5f40-11ec-a586-acde48001122 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml index f0b139d65e..73c6849cb6 100644 --- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml +++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml @@ -1,7 +1,7 @@ name: Linux Possible Append Command To Profile Config File id: 9c94732a-61af-11ec-91e3-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -43,7 +43,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml index 04a7150722..e9f7bbb8a6 100644 --- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml +++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml @@ -1,7 +1,7 @@ name: Linux Possible Ssh Key File Creation id: c04ef40c-72da-11ec-8eac-acde48001122 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -39,7 +39,7 @@ rba: risk_objects: - field: dest type: system - score: 36 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml index 15d463d43a..4e95926118 100644 --- a/detections/endpoint/linux_puppet_privilege_escalation.yml +++ b/detections/endpoint/linux_puppet_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux Puppet Privilege Escalation id: 1d19037f-466e-4d56-8d87-36fafd9aa3ce -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly @@ -49,7 +49,7 @@ rba: risk_objects: - field: dest type: system - score: 5 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml index 591854b2e9..6a5c166a27 100644 --- a/detections/endpoint/linux_rpm_privilege_escalation.yml +++ b/detections/endpoint/linux_rpm_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux RPM Privilege Escalation id: f8e58a23-cecd-495f-9c65-6c76b4cb9774 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly 
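Review bot: The Linux Puppet Privilege Escalation hunk raises `score: 5` to `score: 20`, a 4× increase in the opposite direction from nearly every other file in this batch, while Linux Possible Ssh Key File Creation on the same line is cut from 36 to 20, so the two now carry identical weight with no rationale in either hunk. A score of 5 reads like a deliberate tuning for a tool that typically runs with root privileges on managed hosts, and the `parent_process_name` threat object is likely to match legitimate agent runs; the search filter (outside this hunk) would need checking before the weight quadruples. If this is a blanket normalization rather than a per-rule decision, a comment such as `score: 20  # normalized Anomaly weight (was 5); not re-tuned for Puppet agent noise` would make that explicit for the next person tuning RBA.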
@@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml index 8f7f0552fd..2829def194 100644 --- a/detections/endpoint/linux_ruby_privilege_escalation.yml +++ b/detections/endpoint/linux_ruby_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux Ruby Privilege Escalation id: 097b28b5-7004-4d40-a715-7e390501788b -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly @@ -44,7 +44,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml index fecfe9f837..27f1e97904 100644 --- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml +++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml @@ -1,7 +1,7 @@ name: Linux Service File Created In Systemd Directory id: c7495048-61b6-11ec-9a37-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -41,7 +41,7 @@ rba: risk_objects: - field: dest type: system - score: 64 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml index cbca65a7a2..4e7fb16da8 100644 --- a/detections/endpoint/linux_service_restarted.yml +++ b/detections/endpoint/linux_service_restarted.yml 
@@ -1,7 +1,7 @@ name: Linux Service Restarted id: 084275ba-61b8-11ec-8d64-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml index 81695205ba..e0dade2b7a 100644 --- a/detections/endpoint/linux_service_started_or_enabled.yml +++ b/detections/endpoint/linux_service_started_or_enabled.yml @@ -1,7 +1,7 @@ name: Linux Service Started Or Enabled id: e0428212-61b7-11ec-88a3-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 42 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml index df25b4e3c4..5488c0d63a 100644 --- a/detections/endpoint/linux_setuid_using_chmod_utility.yml +++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml @@ -1,7 +1,7 @@ name: Linux Setuid Using Chmod Utility id: bf0304b6-6250-11ec-9d7c-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml index 0667021ce9..88b4759a54 100644 --- a/detections/endpoint/linux_setuid_using_setcap_utility.yml +++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml 
@@ -1,7 +1,7 @@ name: Linux Setuid Using Setcap Utility id: 9d96022e-6250-11ec-9a19-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 49 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml index c00322581a..415d4abda6 100644 --- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml +++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml @@ -1,7 +1,7 @@ name: Linux Sqlite3 Privilege Escalation id: ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Gowthamaraj Rajendran, Splunk status: production type: Anomaly @@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml index 58afaf8315..f6479b207f 100644 --- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml +++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml @@ -1,7 +1,7 @@ name: Linux SSH Authorized Keys Modification id: f5ab595e-28e5-4327-8077-5008ba97c850 -version: 11 -date: '2026-02-25' +version: 12 +date: '2026-02-26' author: Michael Haag, Splunk status: production type: Anomaly @@ -41,10 +41,10 @@ rba: risk_objects: - field: user type: user - score: 15 + score: 20 - field: dest type: system - score: 15 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml index 931007d973..3246fb4c94 100644 
--- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml +++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml @@ -1,7 +1,7 @@ name: Linux Stdout Redirection To Dev Null File id: de62b809-a04d-46b5-9a15-8298d330f0c8 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -41,7 +41,7 @@ rba: risk_objects: - field: dest type: system - score: 36 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml index bc956f7370..c7baf43e88 100644 --- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml +++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml @@ -1,7 +1,7 @@ name: Linux Sudoers Tmp File Creation id: be254a5c-63e7-11ec-89da-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 72 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index e0b006b286..d7582315b3 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml @@ -1,7 +1,7 @@ name: Linux System Network Discovery id: 535cb214-8b47-11ec-a2c7-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml index 14ba45b95a..8799de8261 100644 
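Review bot: On this line Linux Sudoers Tmp File Creation drops from `score: 72` to `score: 20` while Linux System Network Discovery rises from `score: 9` to `score: 20`, so two detections that previously differed by 8× in RBA weight become indistinguishable. A sudoers temp file is a specific persistence/privilege-escalation artifact, whereas network discovery commands are routine on most Linux hosts; equal weighting means a host running a few discovery commands accumulates risk at the same rate as one whose sudoers file is being edited, if the 100-point notable threshold is in use (not visible here). Both rules also keep `threat_objects: []`, so there is no secondary field to separate them at aggregation time. Suggest either leaving the high-fidelity rule above the floor or noting the decision inline: `score: 20  # was 72; flattened to Anomaly default — re-tune if the RBA threshold stays at 100`.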
--- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml +++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml @@ -1,7 +1,7 @@ name: Linux Unix Shell Enable All SysRq Functions id: e7a96937-3b58-4962-8dce-538e4763cf15 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -41,7 +41,7 @@ rba: risk_objects: - field: dest type: system - score: 36 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml index f637c1e48b..b77f35d6ad 100644 --- a/detections/endpoint/linux_visudo_utility_execution.yml +++ b/detections/endpoint/linux_visudo_utility_execution.yml @@ -1,7 +1,7 @@ name: Linux Visudo Utility Execution id: 08c41040-624c-11ec-a71f-acde48001122 -version: 8 -date: '2026-02-25' +version: 9 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -40,7 +40,7 @@ rba: risk_objects: - field: dest type: system - score: 16 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml b/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml index 94498e601b..ea74a45583 100644 --- a/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml +++ b/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml @@ -1,7 +1,7 @@ name: MacOS AMOS Stealer - Virtual Machine Check Activity id: 4e41ad21-9761-426d-8aa1-083712ff9f30 -version: 4 -date: '2026-02-25' +version: 5 +date: '2026-02-26' author: Nasreddine Bencherchali, Splunk, Alex Karkins status: production type: Anomaly @@ -50,10 +50,10 @@ rba: risk_objects: - field: user type: user - score: 40 + score: 20 - field: dest type: system - score: 40 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 4a74d3f11c..d4d6851462 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -1,7 +1,7 @@ name: Malicious PowerShell Process - Execution Policy Bypass id: 9be56c82-b1cc-4318-87eb-d138afaaca39 -version: 17 -date: '2026-02-25' +version: 18 +date: '2026-02-26' author: Rico Valdez, Mauricio Velazco, Splunk status: production type: Anomaly @@ -44,7 +44,7 @@ rba: risk_objects: - field: dest type: system - score: 42 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml index 52c5cb34ac..af620f5a89 100644 --- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml +++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml @@ -1,7 +1,7 @@ name: Modify ACL permission To Files Or Folder id: 7e8458cc-acca-11eb-9e3f-acde48001122 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -56,7 +56,7 @@ rba: risk_objects: - field: dest type: system - score: 32 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml index e40d4b30ca..0634d6293c 100644 --- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml 
@@ -1,7 +1,7 @@ name: MS Scripting Process Loading Ldap Module id: 0b0c40dc-14a6-11ec-b267-acde48001122 -version: 7 -date: '2025-05-02' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -28,7 +28,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml index 4e6b4b7811..271e890bb6 100644 --- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml +++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml @@ -1,7 +1,7 @@ name: MS Scripting Process Loading WMI Module id: 2eba3d36-14a6-11ec-a682-acde48001122 -version: 7 -date: '2025-05-02' +version: 8 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -28,7 +28,7 @@ rba: risk_objects: - field: dest type: system - score: 9 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 10e1c733af..38ac6387dd 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -1,7 +1,7 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 14 -date: '2025-12-16' +version: 15 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -26,7 +26,7 @@ rba: risk_objects: - field: dest type: system - score: 35 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 57aadae144..ad798e2fd8 100644 
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -1,7 +1,7 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 14 -date: '2025-12-16' +version: 15 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -26,7 +26,7 @@ rba: risk_objects: - field: dest type: system - score: 35 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml index 9a53d5feea..ef9f1ecb57 100644 --- a/detections/endpoint/permission_modification_using_takeown_app.yml +++ b/detections/endpoint/permission_modification_using_takeown_app.yml @@ -1,7 +1,7 @@ name: Permission Modification using Takeown App id: fa7ca5c6-c9d8-11eb-bce9-acde48001122 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -42,7 +42,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: process_name type: process_name diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml index f10154e37f..284d22d0e8 100644 --- a/detections/endpoint/ping_sleep_batch_command.yml +++ b/detections/endpoint/ping_sleep_batch_command.yml @@ -1,7 +1,7 @@ name: Ping Sleep Batch Command id: ce058d6c-79f2-11ec-b476-acde48001122 -version: 12 -date: '2026-02-25' +version: 13 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -60,10 +60,10 @@ rba: risk_objects: - field: user type: user - score: 36 + score: 20 - field: dest type: system - score: 36 + score: 20 threat_objects: [] tags: analytic_story: 
diff --git a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml index 85544632c2..bdb691dd68 100644 --- a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml +++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml @@ -1,7 +1,7 @@ name: Potential System Network Configuration Discovery Activity id: 3f0b95e3-3195-46ac-bea3-84fb59e7fac5 -version: 6 -date: '2026-02-25' +version: 7 +date: '2026-02-26' author: Bhavin Patel, Splunk status: production type: Anomaly @@ -67,10 +67,10 @@ rba: risk_objects: - field: user type: user - score: 32 + score: 20 - field: dest type: system - score: 32 + score: 20 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml index 7e7f9e6a42..bb2cda0bcc 100644 --- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml +++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml @@ -1,7 +1,7 @@ name: Potential Telegram API Request Via CommandLine id: d6b0d627-d0bf-46b1-936f-c48284767d21 -version: 7 -date: '2026-02-25' +version: 8 +date: '2026-02-26' author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa status: production type: Anomaly @@ -45,7 +45,7 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 threat_objects: - field: process_name type: process_name diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml index e89cece1a1..f0e5c9b393 100644 --- a/detections/endpoint/potentially_malicious_code_on_commandline.yml +++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml 
@@ -1,7 +1,7 @@ name: Potentially malicious code on commandline id: 9c53c446-757e-11ec-871d-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2026-02-26' author: Michael Hart, Splunk status: production type: Anomaly @@ -30,10 +30,10 @@ rba: risk_objects: - field: dest type: system - score: 12 + score: 20 - field: user type: user - score: 12 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml index 0dbcfa88ea..1e3bf57196 100644 --- a/detections/endpoint/powershell_enable_powershell_remoting.yml +++ b/detections/endpoint/powershell_enable_powershell_remoting.yml @@ -1,7 +1,7 @@ name: PowerShell Enable PowerShell Remoting id: 40e3b299-19a5-4460-96e9-e1467f714f8e -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Michael Haag, Splunk type: Anomaly status: production @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml index d740c24d03..c12c521b37 100644 --- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml +++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml @@ -1,7 +1,7 @@ name: PowerShell Invoke CIMMethod CIMSession id: 651ee958-a433-471c-b264-39725b788b83 -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Michael Haag, Splunk type: Anomaly status: production @@ -38,7 +38,7 @@ rba: risk_objects: - field: dest type: system - score: 25 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml index d8ae2126a2..1a3b03b886 100644 
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml +++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml @@ -1,7 +1,7 @@ name: PowerShell Loading DotNET into Memory via Reflection id: 85bc3f30-ca28-11eb-bd21-acde48001122 -version: 14 -date: '2025-10-14' +version: 15 +date: '2026-02-26' author: Michael Haag, Teoderick Contreras Splunk status: production type: Anomaly @@ -40,10 +40,10 @@ rba: risk_objects: - field: dest type: system - score: 56 + score: 20 - field: user_id type: user - score: 56 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml index 9b0219a072..b6468dbbcc 100644 --- a/detections/endpoint/powershell_start_or_stop_service.yml +++ b/detections/endpoint/powershell_start_or_stop_service.yml @@ -1,7 +1,7 @@ name: PowerShell Start or Stop Service id: 04207f8a-e08d-4ee6-be26-1e0c4488b04a -version: 9 -date: '2026-02-25' +version: 10 +date: '2026-02-26' author: Michael Haag, Splunk type: Anomaly status: production @@ -39,7 +39,7 @@ rba: risk_objects: - field: dest type: system - score: 10 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index abfea48eb4..5cddc5bc64 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -1,7 +1,7 @@ name: Process Creating LNK file in Suspicious Location id: 5d814af1-1041-47b5-a9ac-d754e82e9a26 -version: 14 -date: '2026-01-23' +version: 15 +date: '2026-02-26' author: Jose Hernandez, Michael Haag, Splunk status: production type: Anomaly 
@@ -76,10 +76,10 @@ rba: risk_objects: - field: dest type: system - score: 30 + score: 20 - field: user type: user - score: 30 + score: 20 threat_objects: - field: file_name type: file_name diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml index eb2561ad47..66dd0ab42b 100644 --- a/detections/endpoint/processes_launching_netsh.yml +++ b/detections/endpoint/processes_launching_netsh.yml @@ -1,7 +1,7 @@ name: Processes launching netsh id: b89919ed-fe5f-492c-b139-95dbb162040e -version: 12 -date: '2026-02-25' +version: 13 +date: '2026-02-26' author: Michael Haag, Josef Kuepker, Splunk status: production type: Anomaly @@ -42,10 +42,10 @@ rba: risk_objects: - field: dest type: system - score: 14 + score: 20 - field: user type: user - score: 14 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index d4cfa9cbb3..50473effea 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml @@ -1,7 +1,7 @@ name: Ransomware Notes bulk creation id: eff7919a-8330-11eb-83f8-acde48001122 -version: 13 -date: '2026-02-25' +version: 14 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -36,7 +36,7 @@ rba: risk_objects: - field: dest type: system - score: 81 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 2c22a88b9f..2274b3a273 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -1,7 +1,7 @@ name: Recon Using WMI Class id: 018c1972-ca07-11eb-9473-acde48001122 -version: 12 -date: '2026-02-25' +version: 13 +date: '2026-02-26' author: Teoderick Contreras, Splunk status: production type: Anomaly 
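Review bot: Ransomware Notes bulk creation goes from `score: 81` to `score: 20` in its hunk, the largest single cut in this batch, for a detection whose name describes an active encryption event rather than a weak anomaly. At 81 a single firing nearly reached a 100-point host threshold on its own; at 20 the same event needs four more anomalies on that host before it surfaces as a risk notable, assuming the default threshold (not visible here). If the policy is that `type: Anomaly` never exceeds 20, this rule looks like a candidate for promotion to a `TTP` type with its own notable rather than a plain re-score; if it stays Anomaly, a comment explaining the downgrade would help, e.g. `score: 20  # was 81; Anomaly floor — pair with a TTP rule for bulk ransom-note creation`. With `threat_objects: []` on the same rule, only `dest` carries the signal, which makes the score cut more consequential.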
@@ -45,10 +45,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 60
+ score: 20
 - field: user_id
 type: user
- score: 60
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index 4521338408..3862d14e6c 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -1,7 +1,7 @@
 name: Regsvr32 Silent and Install Param Dll Loading
 id: f421c250-24e7-11ec-bc43-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -47,10 +47,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 36
+ score: 20
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index e216195bdd..a7e742b99e 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -1,7 +1,7 @@
 name: Regsvr32 with Known Silent Switch Cmdline
 id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -45,10 +45,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 56
+ score: 20
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml
index 41d8696dc9..6fb52ced75 100644
--- a/detections/endpoint/remote_system_discovery_with_dsquery.yml
+++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
 name: Remote System Discovery with Dsquery
 id: 9fb562f4-42f8-4139-8e11-a82edf7ed718
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -46,10 +46,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 3
+ score: 20
 - field: dest
 type: system
- score: 3
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml
index 81accaf2b4..9d58d5b669 100644
--- a/detections/endpoint/rundll32_lockworkstation.yml
+++ b/detections/endpoint/rundll32_lockworkstation.yml
@@ -1,7 +1,7 @@
 name: Rundll32 LockWorkStation
 id: fa90f372-f91d-11eb-816c-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
index 34f2d03da7..060cea72b8 100644
--- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
+++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
@@ -1,7 +1,7 @@
 name: SchCache Change By App Connect And Create ADSI Object
 id: 991eb510-0fc6-11ec-82d3-acde48001122
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml
index 4d82498770..cd55df7c88 100644
--- a/detections/endpoint/spike_in_file_writes.yml
+++ b/detections/endpoint/spike_in_file_writes.yml
@@ -1,7 +1,7 @@
 name: Spike in File Writes
 id: fdb0f805-74e4-4539-8c00-618927333aae
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index 992feb183c..dccce25f94 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -1,7 +1,7 @@
 name: Suspicious Copy on System32
 id: ce633e56-25b2-11ec-9e76-acde48001122
-version: 13
-date: '2026-02-25'
+version: 14
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -80,10 +80,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 63
+ score: 20
 - field: user
 type: user
- score: 63
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml
index 9922de2ef9..8492de5186 100644
--- a/detections/endpoint/suspicious_reg_exe_process.yml
+++ b/detections/endpoint/suspicious_reg_exe_process.yml
@@ -1,7 +1,7 @@
 name: Suspicious Reg exe Process
 id: a6b3ab4e-dd77-4213-95fa-fc94701995e0
-version: 13
-date: '2026-02-25'
+version: 14
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
@@ -52,10 +52,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 35
+ score: 20
 - field: dest
 type: system
- score: 35
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index f4433a4980..f6371eb15b 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -1,7 +1,7 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: 18
-date: '2026-02-09'
+version: 19
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 35
+ score: 20
 - field: user
 type: user
- score: 35
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
index 0b75b23062..d15aaf08e4 100644
--- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml
+++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
@@ -1,7 +1,7 @@
 name: System Processes Run From Unexpected Locations
 id: a34aae96-ccf8-4aef-952c-3ea21444444d
-version: 14
-date: '2026-02-25'
+version: 15
+date: '2026-02-26'
 author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -56,7 +56,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index 57bc831df6..f2d55d8243 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -1,7 +1,7 @@
 name: System User Discovery With Whoami
 id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -44,10 +44,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 3
+ score: 20
 - field: dest
 type: system
- score: 3
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 23185204f4..6b47ccbd52 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Kerberos Service Tickets Requested
 id: eb3e6702-8936-11ec-98fe-acde48001122
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: Anomaly
@@ -38,10 +38,10 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 64
+ score: 20
 - field: user
 type: user
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml
index 38a374acee..b45320d1c9 100644
--- a/detections/endpoint/unusually_long_command_line.yml
+++ b/detections/endpoint/unusually_long_command_line.yml
@@ -1,7 +1,7 @@
 name: Unusually Long Command Line
 id: c77162d3-f93c-45cc-80c8-22f6a4264e7f
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 42
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
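Review bot: Raising both the `user` and `dest` scores of System User Discovery With Whoami from `score: 3` to `score: 20` is a roughly sevenfold increase for a command that administrators, login scripts and monitoring agents run constantly, and the old value of 3 reads like a deliberate noise-floor setting rather than an oversight. Together with the parallel 3→20 change to Remote System Discovery with Dsquery, routine admin sessions can now accumulate meaningful aggregated risk on `user` objects across these two detections alone. If the flat score is intentional, record it and point reviewers at the suppression mechanism, e.g. `# score raised from 3 to 20 (RBA normalization); tune false positives via the search's filter, not the score` above `risk_objects:`; otherwise consider leaving this one below the normalized value. The search and whatever filtering it applies are outside this hunk, so I cannot tell what exclusions already exist.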
diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml
index 4aace61db3..f1bbd87ee8 100644
--- a/detections/endpoint/unusually_long_command_line___mltk.yml
+++ b/detections/endpoint/unusually_long_command_line___mltk.yml
@@ -1,7 +1,7 @@
 name: Unusually Long Command Line - MLTK
 id: 57edaefa-a73b-45e5-bbae-f39c1473f941
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
@@ -37,10 +37,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index 31a8b6a4e7..2f5b23854a 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -1,7 +1,7 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 18
-date: '2025-12-04'
+version: 19
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -31,7 +31,7 @@ rba:
 risk_objects:
 - field: Computer
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
index 8c355ee466..ad60ff2ed3 100644
--- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
+++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
@@ -1,7 +1,7 @@
 name: Windows Access Token Winlogon Duplicate Handle In Uncommon Path
 id: b8f7ed6b-0556-4c84-bffd-839c262b0278
-version: 9
-date: '2025-08-20'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects:
 - field: SourceImage
 type: process_name
diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
index 96965f23b9..09ed2ac275 100644
--- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
+++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
@@ -1,7 +1,7 @@
 name: Windows Account Access Removal via Logoff Exec
 id: 223572ab-8768-4e20-9b39-c38707af80dc
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
@@ -40,10 +40,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 - field: user
 type: user
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
index bd1de6cb6a..1e96f498ef 100644
--- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
+++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
@@ -1,7 +1,7 @@
 name: Windows Account Discovery for Sam Account Name
 id: 69934363-e1dd-4c49-8651-9d7663dd4d2f
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
index f21d66eb95..2df964abc9 100644
--- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
@@ -1,7 +1,7 @@
 name: Windows AD Abnormal Object Access Activity
 id: 71b289db-5f2c-4c43-8256-8bf26ae7324a
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml
index a9822ce0f1..8ac98e5c60 100644
--- a/detections/endpoint/windows_admin_permission_discovery.yml
+++ b/detections/endpoint/windows_admin_permission_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Admin Permission Discovery
 id: e08620cb-9488-4052-832d-97bcc0afd414
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/windows_ai_platform_dns_query.yml b/detections/endpoint/windows_ai_platform_dns_query.yml
index 012885e6f2..b4a25856b6 100644
--- a/detections/endpoint/windows_ai_platform_dns_query.yml
+++ b/detections/endpoint/windows_ai_platform_dns_query.yml
@@ -1,7 +1,7 @@
 name: Windows AI Platform DNS Query
 id: 1ad89d24-c856-4a0e-8fdf-c20c7b9febe1
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index 4355f5a59f..3a58116ad2 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -1,7 +1,7 @@
 name: Windows Apache Benchmark Binary
 id: 894f48ea-8d85-4dcd-9132-c66cdb407c9b
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 100
+ score: 20
 - field: dest
 type: system
- score: 100
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
index 2237dcf32d..da7875d450 100644
--- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
@@ -1,7 +1,7 @@
 name: Windows App Layer Protocol Qakbot NamedPipe
 id: 63a2c15e-9448-43c5-a4a8-9852266aaada
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -30,7 +30,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
index 2948d941d2..90d8b7f182 100644
--- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
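Review bot: The `user` and `dest` scores of Windows Apache Benchmark Binary drop from `score: 100` to `score: 20`, the largest single reduction in this chunk, and nothing else in the file changes to reflect it. A score of 100 was presumably set so that a single sighting of the Apache Benchmark binary was enough to raise a notable on its own; at 20 the detection only contributes to aggregated risk, and since `type: Anomaly` and `status: production` are unchanged, anyone who tuned thresholds around the old value gets no signal in the file that the semantics moved. Suggest either a short comment above `risk_objects:` such as `# score lowered from 100 to 20 (2026-02-26): this detection no longer produces a notable on its own` or keeping this particular detection at the higher score if single-hit alerting was the design.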
@@ -1,7 +1,7 @@
 name: Windows App Layer Protocol Wermgr Connect To NamedPipe
 id: 2f3a4092-548b-421c-9caa-84918e1787ef
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_applocker_block_events.yml b/detections/endpoint/windows_applocker_block_events.yml
index e2f4e8449a..15590e9895 100644
--- a/detections/endpoint/windows_applocker_block_events.yml
+++ b/detections/endpoint/windows_applocker_block_events.yml
@@ -1,7 +1,7 @@
 name: Windows AppLocker Block Events
 id: e369afe8-cd35-47a3-9c1e-d813efc1f7dd
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 data_source: []
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 16
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_appx_deployment_package_installation_success.yml b/detections/endpoint/windows_appx_deployment_package_installation_success.yml
index d8f2e8026d..4898aa2ed2 100644
--- a/detections/endpoint/windows_appx_deployment_package_installation_success.yml
+++ b/detections/endpoint/windows_appx_deployment_package_installation_success.yml
@@ -1,7 +1,7 @@
 name: Windows AppX Deployment Package Installation Success
 id: 1234abcd-5678-90ef-1234-56789abcdef0
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: PackagePath
 type: file_path
diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
index c274df0203..7b761870fe 100644
--- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
@@ -1,7 +1,7 @@
 name: Windows Archive Collected Data via Powershell
 id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5
-version: 8
-date: '2025-09-18'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index 1a99f83c9f..5e2f9937be 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -1,7 +1,7 @@
 name: Windows Archive Collected Data via Rar
 id: 2015de95-fe91-413d-9d62-2fe011b67e82
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -46,7 +46,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
index de17dfcd10..72e2222d12 100644
--- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
+++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
@@ -1,7 +1,7 @@
 name: Windows Archived Collected Data In TEMP Folder
 id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
index 1bf0067c4c..d0c25b3e8f 100644
--- a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
+++ b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Auditing Option Modified - Registry
 id: 27914692-9c62-44ea-9129-ceb429b61bd0
-version: 4
-date: '2025-07-30'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -28,10 +28,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 - field: user
 type: user
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml b/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
index 8b310efcf8..27bcac6734 100644
--- a/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Disabled via Auditpol
 id: 14e008e5-6723-4298-b0d4-e95b24e10c18
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -47,10 +47,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml b/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
index a0694fb548..aacc94af42 100644
--- a/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Disabled via Legacy Auditpol
 id: d2cef287-c2b7-4496-a609-7a548c1e27f9
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -48,10 +48,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml b/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
index f94da716ab..7a2c9534ea 100644
--- a/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Excluded Category via Auditpol
 id: 083708d4-d763-4ba2-87ac-105b526de81a
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -47,10 +47,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml b/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
index 4bac07a1fc..6fac070c52 100644
--- a/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Restored via Auditpol
 id: d7d1795b-ea18-47e5-9ca6-2c330d052d21
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -47,10 +47,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 16
+ score: 20
 - field: dest
 type: system
- score: 16
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml b/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
index 6b42c666e7..698065d385 100644
--- a/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Security Descriptor Tampering via Auditpol
 id: 5628e0b7-73dc-4f1b-b37a-6e68efc2225f
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -44,10 +44,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 16
+ score: 20
 - field: dest
 type: system
- score: 16
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 9dd10c4e50..4346c74fc4 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,7 +1,7 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 12
-date: '2025-12-17'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,10 +28,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 81
+ score: 20
 - field: dest
 type: system
- score: 81
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
index 3747394d2e..e204fedf64 100644
--- a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
+++ b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
@@ -1,7 +1,7 @@
 name: Windows Browser Process Launched with Unusual Flags
 id: 841e2abc-0442-4e7f-b445-b22680632a08
-version: 1
-date: '2025-10-31'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
index 705681bece..8cbaa57aea 100644
--- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
+++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
@@ -1,7 +1,7 @@
 name: Windows Bypass UAC via Pkgmgr Tool
 id: cce58e2c-988a-4319-9390-0daa9eefa3cd
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -30,10 +30,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 9
+ score: 20
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml
index d39919093c..1c1003166e 100644
--- a/detections/endpoint/windows_cab_file_on_disk.yml
+++ b/detections/endpoint/windows_cab_file_on_disk.yml
@@ -1,7 +1,7 @@
 name: Windows CAB File on Disk
 id: 622f08d0-69ef-42c2-8139-66088bc25acd
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 5
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
index 123644b231..d7ee4b9bef 100644
--- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
+++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
@@ -1,7 +1,7 @@
 name: Windows Cached Domain Credentials Reg Query
 id: 40ccb8e0-1785-466e-901e-6a8b75c04ecd
-version: 8
-date: '2026-01-14'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -31,7 +31,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml b/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
index 6a95d8e3ef..d156bbf8ac 100644
--- a/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
+++ b/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Chrome Auto-Update Disabled via Registry
 id: 619eac6c-0f03-4699-ae29-5f337877bcf9
-version: 1
-date: '2026-01-12'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml b/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml
index 5580fe55ab..4ab4a3af81 100644
--- a/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml
+++ b/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml
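Review bot: Windows CAB File on Disk moves from `score: 5` to `score: 20`, a fourfold increase for a detection whose name suggests it fires on any `.cab` written to disk, an artifact that Windows servicing and third-party installers produce routinely, which is plausibly why it sat at 5. At a flat 20 this high-volume detection now carries the same weight as the credential-access and defense-evasion detections elsewhere in the commit, so aggregate risk on patching or build hosts can be expected to climb. If the normalization is deliberate, note it where the next maintainer will see it, e.g. `# score raised from 5 to 20 (RBA normalization); expect higher aggregate risk on hosts that install updates frequently` above `risk_objects:`; otherwise consider keeping this one below 20. The search and any exclusions are outside this hunk.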
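Review bot: The Windows Chrome Auto-Update Disabled via Registry file gets only the `version: 1` → `version: 2` and `date` bump, with no second hunk touching a `score:` line, unlike every other file in this chunk. Either the file already scored 20 and the version bump is unnecessary churn that records a release with no functional change, or the intended score change was missed; both cases are worth checking before merge. If the bump is kept intentionally, a one-line reason in the commit message (not the file) would keep the version history honest. The rest of that file is outside this diff, so I cannot confirm which case applies.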
@@ -1,7 +1,7 @@
 name: Windows Chrome Enable Extension Loading via Command-Line
 id: da355155-1d23-48f9-bf95-e534ae273ab0
-version: 1
-date: '2026-01-12'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -46,7 +46,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml b/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml
index cb47959524..23d046bc3e 100644
--- a/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml
+++ b/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Chrome Extension Allowed Registry Modification
 id: 2846089a-ffe9-4881-a2a2-43f3be2b8cc7
-version: 1
-date: '2026-01-12'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
index 633c4c1cb3..267fb2a1fb 100644
--- a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
+++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
@@ -1,7 +1,7 @@
 name: Windows Chromium Browser with Custom User Data Directory
 id: 4f546cf4-15aa-4368-80f7-940e92bc551e
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -49,7 +49,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml b/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
index 1938367020..da7f344d2d 100644
--- a/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
+++ b/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
@@ -1,7 +1,7 @@
 name: Windows Chromium process Launched with Disable Popup Blocking
 id: 95f8acd6-978e-42d6-99c1-85baacdd2b46
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 - field: user
 type: user
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml b/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
index d3b11344e5..2a698df595 100644
--- a/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
+++ b/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows Chromium Process Launched with Logging Disabled
 id: d31de944-4e61-468f-9154-e50690f0e99e
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,10 +48,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 - field: user
 type: user
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml b/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml
index fc931d69af..f992995b07 100644
--- a/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml
+++ b/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml
@@ -1,7 +1,7 @@
 name: Windows Chromium Process Loaded Extension via Command-Line
 id: 1b8a468a-52e3-4206-b14a-73165441684c
-version: 2
-date: '2026-01-29'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml b/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
index 657ac0f27a..f5814f8abc 100644
--- a/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
+++ b/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
@@ -1,7 +1,7 @@
 name: Windows Chromium Process with Disabled Extensions
 id: ce245717-779b-483b-bc52-fc7a94729973
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
index 3ed4b20cbc..1f84e99182 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Related Service Stopped
 id: df74f45f-01c8-4fd6-bcb8-f6a9ea58307a
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 60
+ score: 20
 threat_objects:
 - field: display_name
 type: service
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
index b881116e5c..fb8ca63fe3 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
 id: 44badcb1-2e8c-4628-9537-021bbae571ad
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 56
+ score: 20
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
index 9ea9c2c054..846ca80a2a 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Unblock File Via Sfc
 id: 9a7a490c-5581-4c95-bab5-a21e351293ef
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 56
+ score: 20
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
index 84892e7761..14b85f0982 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
 id: ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 56
+ score: 20
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
index e1475d2776..a8506514c0 100644
--- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
+++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
@@ -1,7 +1,7 @@
 name: Windows ClipBoard Data via Get-ClipBoard
 id: ab73289e-2246-4de0-a14b-67006c72a893
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -40,10 +40,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user_id
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index 1ff003d758..83d2814227 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -1,7 +1,7 @@
 name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 9
-date: '2026-02-09'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -31,10 +31,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 56
+ score: 20
 - field: user
 type: user
- score: 56
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_consolehost_history_file_deletion.yml b/detections/endpoint/windows_consolehost_history_file_deletion.yml
index 9fc025999c..1583f7c13b 100644
--- a/detections/endpoint/windows_consolehost_history_file_deletion.yml
+++ b/detections/endpoint/windows_consolehost_history_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows ConsoleHost History File Deletion
 id: a203040e-f8fd-49bb-8424-d2fabf277322
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml
index 437ad03ae8..90c5d2e10e 100644
--- a/detections/endpoint/windows_create_local_account.yml
+++ b/detections/endpoint/windows_create_local_account.yml
@@ -1,7 +1,7 @@
 name: Windows Create Local Account
 id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 18
+ score: 20
 - field: dest
 type: system
- score: 18
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
index 8cd561495c..3e8e25b407 100644
--- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml
+++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Create Local Administrator Account Via Net
 id: 2c568c34-bb57-4b43-9d75-19c605b98e70
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -45,10 +45,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 30
+ score: 20
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index 3947d83da2..72be777bdd 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,7 +1,7 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 17
-date: '2025-12-16'
+version: 18
+date: '2026-02-26'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
 - Windows Event Log Security 4663
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
index 14d3e607cc..0cf4b7edfc 100644
--- a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
+++ b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials Access via VaultCli Module
 id: c0d89118-3f89-4cd7-8140-1f39e7210681
-version: 6
-date: '2025-10-14'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
@@ -31,7 +31,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index ff66cac751..091b9c7ea2 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 9
-date: '2025-12-16'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index c7d8e4516a..c8a3d3f8dd 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 17
-date: '2025-12-16'
+version: 18
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index eacb740dbe..93ce710a7b 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 17
-date: '2025-12-16'
+version: 18
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml
index 9c63fd81cd..52b439f72e 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_query.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Query
 id: db02d6b4-5d5b-4c33-8d8f-f0577516a8c7
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
index 484d3c1d0a..9d4b874239 100644
--- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml
+++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials in Registry Reg Query
 id: a8b3124e-2278-4b73-ae9c-585117079fb2
-version: 8
-date: '2026-01-14'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -31,7 +31,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
index 25a446b08f..947a275450 100644
--- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
+++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
@@ -1,7 +1,7 @@
 name: Windows Defacement Modify Transcodedwallpaper File
 id: e11c3d90-5bc7-42ad-94cd-ba75db10d897
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml b/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml
index 301cc475be..470f8565ad 100644
--- a/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml
+++ b/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml
@@ -1,7 +1,7 @@
 name: Windows Default RDP File Creation By Non MSTSC Process
 id: 692226f1-84e3-4f63-a747-d53e65699608
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_default_rdp_file_deletion.yml b/detections/endpoint/windows_default_rdp_file_deletion.yml
index 0db5ef2eb5..e3a0cd67b6 100644
--- a/detections/endpoint/windows_default_rdp_file_deletion.yml
+++ b/detections/endpoint/windows_default_rdp_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Default Rdp File Deletion
 id: 30a334c1-f9a5-4fbd-8958-5b65a8435cb2
-version: 2
-date: '2026-01-14'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_default_rdp_file_unhidden.yml b/detections/endpoint/windows_default_rdp_file_unhidden.yml
index 098307eaed..7ba2a0e7c9 100644
--- a/detections/endpoint/windows_default_rdp_file_unhidden.yml
+++ b/detections/endpoint/windows_default_rdp_file_unhidden.yml
@@ -1,7 +1,7 @@
 name: Windows Default Rdp File Unhidden
 id: f5c1f64b-db59-4913-991e-3dac8adff288
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml
index 0de6715dba..f3c929fb2c 100644
--- a/detections/endpoint/windows_defender_asr_audit_events.yml
+++ b/detections/endpoint/windows_defender_asr_audit_events.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Audit Events
 id: 0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 5
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml
index 0c97a5e6e8..2802e7a2d3 100644
--- a/detections/endpoint/windows_defender_asr_block_events.yml
+++ b/detections/endpoint/windows_defender_asr_block_events.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Block Events
 id: 026f5f4e-e99f-4155-9e63-911ba587300b
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 45
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
index a0de7134fa..7ecbe0fcc3 100644
--- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml
+++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
@@ -1,7 +1,7 @@
 name: Windows Delete or Modify System Firewall
 id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
index 9fb740ed72..dc6612ca84 100644
--- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
+++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Windows Deleted Registry By A Non Critical Process File Path
 id: 15e70689-f55b-489e-8a80-6d0cd6d8aad2
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
index a5f31c9200..027f2c2c82 100644
--- a/detections/endpoint/windows_detect_network_scanner_behavior.yml
+++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Detect Network Scanner Behavior
 id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -27,10 +27,10 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_developer_signed_msix_package_installation.yml b/detections/endpoint/windows_developer_signed_msix_package_installation.yml
index b836186b24..46ade2d0f1 100644
--- a/detections/endpoint/windows_developer_signed_msix_package_installation.yml
+++ b/detections/endpoint/windows_developer_signed_msix_package_installation.yml
@@ -1,7 +1,7 @@
 name: Windows Developer-Signed MSIX Package Installation
 id: 2c0427aa-982c-4e97-bc33-bddeda4fd095
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: PackageMoniker
 type: file_name
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index c882ed5cbf..5978e38917 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Change Password Through Registry
 id: 0df33e1a-9ef6-11ec-a1ad-acde48001122
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_disable_internet_explorer_addons.yml b/detections/endpoint/windows_disable_internet_explorer_addons.yml
index 008a1a484a..b6e1f3fd25 100644
--- a/detections/endpoint/windows_disable_internet_explorer_addons.yml
+++ b/detections/endpoint/windows_disable_internet_explorer_addons.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Internet Explorer Addons
 id: 65224d8b-b95d-44ec-bb44-408d830c1258
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index a982c781c1..5e96e3b0e9 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Lock Workstation Feature Through Registry
 id: c82adbc6-9f00-11ec-a81f-acde48001122
-version: 12
-date: '2026-01-14'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index 72e9369089..eddaa71082 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable LogOff Button Through Registry
 id: b2fb6830-9ed1-11ec-9fcb-acde48001122
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml
index e0f9d4f7d0..6ae20b4fe0 100644
--- a/detections/endpoint/windows_disable_notification_center.yml
+++ b/detections/endpoint/windows_disable_notification_center.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Notification Center
 id: 1cd983c8-8fd6-11ec-a09d-acde48001122
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -41,10 +41,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 48
+ score: 20
 - field: dest
 type: system
- score: 48
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index 499066a79b..f7aa208f2d 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -1,7 +1,7 @@
 name: Windows Disable or Modify Tools Via Taskkill
 id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
index 0ab0bcd8c1..a11574e65f 100644
--- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Shutdown Button Through Registry
 id: 55fb2958-9ecd-11ec-a06a-acde48001122
-version: 11
-date: '2025-05-02'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
index c9de1e7d8d..def53eb544 100644
--- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
+++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Windows Group Policy Features Through Registry
 id: 63a449ae-9f04-11ec-945e-acde48001122
-version: 12
-date: '2025-05-02'
+version: 13
+date: '2026-02-26'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
index 0f8252f9f7..82c574a106 100644
--- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Side-Loading Process Child Of Calc
 id: 295ca9ed-e97b-4520-90f7-dfb6469902e1
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -45,7 +45,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 81
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml
index 0bb48d90a8..a9fe7b528b 100644
--- a/detections/endpoint/windows_dns_gather_network_info.yml
+++ b/detections/endpoint/windows_dns_gather_network_info.yml
@@ -1,7 +1,7 @@
 name: Windows DNS Gather Network Info
 id: 347e0892-e8f3-4512-afda-dc0e3fa996f3
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 type: Anomaly
 status: production
@@ -43,7 +43,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_dns_query_request_to_tinyurl.yml b/detections/endpoint/windows_dns_query_request_to_tinyurl.yml
index 6b7b96d3a6..3d506b4118 100644
--- a/detections/endpoint/windows_dns_query_request_to_tinyurl.yml
+++ b/detections/endpoint/windows_dns_query_request_to_tinyurl.yml
@@ -1,7 +1,7 @@
 name: Windows DNS Query Request To TinyUrl
 id: b1ea79da-719c-437c-acaf-5c93f838f425
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -51,7 +51,7 @@ rba:
 risk_objects:
 - field: dvc
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
index 42c56ee755..9b1aad36bc 100644
--- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
+++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
@@ -1,7 +1,7 @@
 name: Windows Domain Account Discovery Via Get-NetComputer
 id: a7fbbc4e-4571-424a-b627-6968e1c939e4
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
index e6624915b8..2257b1de7d 100644
--- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
+++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Enable Win32 ScheduledJob via Registry
 id: 12c80db8-ef62-4456-92df-b23e1b3219f6
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
@@ -28,10 +28,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml b/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
index 893a6f0870..dfee53d813 100644
--- a/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
+++ b/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
@@ -1,7 +1,7 @@
 name: Windows Eventlog Cleared Via Wevtutil
 id: fdb829a8-db84-4832-b64b-3e964cd44f01
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -43,10 +43,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 28
+ score: 20
 - field: user
 type: user
- score: 28
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
index 8ffd116758..74f6eaeea7 100644
--- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
+++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
@@ -1,7 +1,7 @@
 name: Windows EventLog Recon Activity Using Log Query Utilities
 id: dc167f8b-3f9d-4460-9c98-8b6e703fd628
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -98,10 +98,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 - field: user
 type: user
- score: 30
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml b/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
index 59b893081a..9aded28a06 100644
--- a/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
+++ b/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows Excel ActiveMicrosoftApp Child Process
 id: 4dfd6a58-93b2-4012-bb33-038bb63652b3
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml
index 1b31a3fcff..f72be024e0 100644
--- a/detections/endpoint/windows_excessive_usage_of_net_app.yml
+++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml
@@ -1,7 +1,7 @@
 name: Windows Excessive Usage Of Net App
 id: 355ba810-0a20-4215-8485-9ce3f87f2e38
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -39,10 +39,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 28
+ score: 20
 - field: dest
 type: system
- score: 28
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml b/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
index 5c74732f13..8820f9047d 100644
--- a/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
+++ b/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
@@ -1,7 +1,7 @@
 name: Windows Executable Masquerading as Benign File Types
 id: 0470c8e7-dd8d-420f-8302-073e8a2b66f0
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 50
+ score: 20
 threat_objects:
 - field: Image
 type: process
diff --git a/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml b/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml
index c5dbcd4e78..efcdb79378 100644
--- a/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml
+++ b/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Windows Execution of Microsoft MSC File In Suspicious Path
 id: ac30858b-7c25-4f0a-a7fa-bef036e49dc3
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml
index 28fb3c2229..c413a4731d 100644
--- a/detections/endpoint/windows_export_certificate.yml
+++ b/detections/endpoint/windows_export_certificate.yml
@@ -1,7 +1,7 @@
 name: Windows Export Certificate
 id: d8ddfa9b-b724-4df9-9dbe-f34cc0936714
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
index 90a5d2c9ac..8b134ada8d 100644
--- a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
+++ b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
@@ -1,7 +1,7 @@
 name: Windows File and Directory Permissions Remove Inheritance
 id: 9b62da2c-e442-474f-83ca-fac4dabab1b3
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
@@ -43,7 +43,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_file_collection_via_copy_utilities.yml b/detections/endpoint/windows_file_collection_via_copy_utilities.yml
index 0c74e5b6d1..455eae2cab 100644
--- a/detections/endpoint/windows_file_collection_via_copy_utilities.yml
+++ b/detections/endpoint/windows_file_collection_via_copy_utilities.yml
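Review bot: The only hunk for windows_execution_of_microsoft_msc_file_in_suspicious_path.yml bumps `version: 2` → `version: 3` and `date`, with no accompanying change to the file's `rba.risk_objects` or anything else, so the new version records no functional difference. The same bump-only pattern appears for windows_firewall_rule_added, windows_firewall_rule_deletion, windows_firewall_rule_modification, windows_handle_duplication_in_known_uac_bypass_binaries and windows_mmc_loaded_script_engine_dll later in this chunk. Presumably those files already carried `score: 20` and the bulk edit rewrote metadata regardless; if so the `version`/`date` lines for these files should be reverted, since a version increment with no content change makes downstream consumers re-deploy an unchanged analytic and obscures which detections actually changed behaviour in this commit. If a score elsewhere in those files did change, that hunk is not visible here and the note can be dropped.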
@@ -1,7 +1,7 @@
 name: Windows File Collection Via Copy Utilities
 id: dbdd556d-9da8-4c42-9980-8a3ffe25a758
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -65,10 +65,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 5
+ score: 20
 - field: dest
 type: system
- score: 5
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml
index 14df012cef..c6c6a09fe3 100644
--- a/detections/endpoint/windows_file_download_via_powershell.yml
+++ b/detections/endpoint/windows_file_download_via_powershell.yml
@@ -1,7 +1,7 @@
 name: Windows File Download Via PowerShell
 id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de
-version: 7
-date: '2026-02-09'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -55,10 +55,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 56
+ score: 20
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
index 477254216a..1cc1bc6415 100644
--- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows File Transfer Protocol In Non-Common Process Path
 id: 0f43758f-1fe9-470a-a9e4-780acc4d5407
-version: 8
-date: '2025-10-20'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -49,7 +49,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_firewall_rule_added.yml b/detections/endpoint/windows_firewall_rule_added.yml
index 0c91cf0b68..ec411aa172 100644
--- a/detections/endpoint/windows_firewall_rule_added.yml
+++ b/detections/endpoint/windows_firewall_rule_added.yml
@@ -1,7 +1,7 @@
 name: Windows Firewall Rule Added
 id: efc25501-4e75-4075-8cc5-ac80f2847d80
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_firewall_rule_deletion.yml b/detections/endpoint/windows_firewall_rule_deletion.yml
index 737d37a600..44181038a2 100644
--- a/detections/endpoint/windows_firewall_rule_deletion.yml
+++ b/detections/endpoint/windows_firewall_rule_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Firewall Rule Deletion
 id: ca5327e1-0a91-4e23-bbd4-8901806c00e1
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_firewall_rule_modification.yml b/detections/endpoint/windows_firewall_rule_modification.yml
index 0fd6795ee7..63f971214f 100644
--- a/detections/endpoint/windows_firewall_rule_modification.yml
+++ b/detections/endpoint/windows_firewall_rule_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Firewall Rule Modification
 id: fe7efbf7-5f82-44b9-8c33-316189ab2393
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml
index 3615fe55b7..f1a4d2a26c 100644
--- a/detections/endpoint/windows_gather_victim_host_information_camera.yml
+++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml
@@ -1,7 +1,7 @@
 name: Windows Gather Victim Host Information Camera
 id: e4df4676-ea41-4397-b160-3ee0140dc332
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -40,10 +40,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 42
+ score: 20
 - field: user_id
 type: user
- score: 42
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml b/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
index 069d29e456..d45d995f2a 100644
--- a/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
+++ b/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
@@ -1,7 +1,7 @@
 name: Windows Handle Duplication in Known UAC-Bypass Binaries
 id: d7369bf5-1315-4138-b927-2dd8bb8c1da7
-version: 1
-date: '2025-10-31'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml
index 5db6037941..f5ac1fc081 100644
--- a/detections/endpoint/windows_hide_notification_features_through_registry.yml
+++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Hide Notification Features Through Registry
 id: cafa4bce-9f06-11ec-a7b2-acde48001122
-version: 12
-date: '2026-01-14'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml
index b30caa5ab8..6b76e85851 100644
--- a/detections/endpoint/windows_high_file_deletion_frequency.yml
+++ b/detections/endpoint/windows_high_file_deletion_frequency.yml
@@ -1,7 +1,7 @@
 name: Windows High File Deletion Frequency
 id: 45b125c4-866f-11eb-a95a-acde48001122
-version: 11
-date: '2026-02-12'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -30,10 +30,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 72
+ score: 20
 - field: dest
 type: system
- score: 72
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
index 6285db31aa..8110142a99 100644
--- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
+++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
@@ -1,7 +1,7 @@
 name: Windows Hijack Execution Flow Version Dll Side Load
 id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea
-version: 11
-date: '2026-02-09'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 35
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index 16875789c4..110021e0c1 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -1,7 +1,7 @@
 name: Windows HTTP Network Communication From MSIExec
 id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
-version: 8
-date: '2026-02-09'
+version: 9
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 35
+ score: 20
 - field: dest
 type: system
- score: 35
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml
index 15cd512376..992df1c31b 100644
--- a/detections/endpoint/windows_iis_components_add_new_module.yml
+++ b/detections/endpoint/windows_iis_components_add_new_module.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Components Add New Module
 id: 38fe731c-1f13-43d4-b878-a5bbe44807e3
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -49,10 +49,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 64
+ score: 20
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
index e76b2c2672..12371d2964 100644
--- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml
+++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Components Module Failed to Load
 id: 40c2ba5b-dd6a-496b-9e6e-c9524d0be167
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
index 7d023a24ec..05f3fd9320 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Delete Win Defender Profile Registry
 id: 65d4b105-ec52-48ec-ac46-289d0fbf7d96
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
index 91b330b3eb..73736f1460 100644
--- a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defenses Disable Auto Logger Session
 id: dc6a5613-d024-47e7-9997-ab6477a483d3
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -31,7 +31,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 81
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
index 62bec83eb3..c31e8217f4 100644
--- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defenses Disable Win Defender Auto Logging
 id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -30,7 +30,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 24
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
index 1ccd118d07..08f0dbccdc 100644
--- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml
+++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
@@ -1,7 +1,7 @@
 name: Windows Indicator Removal Via Rmdir
 id: c4566d2c-b094-48a1-9c59-d66e22065560
-version: 8
-date: '2026-02-12'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
index 9fdbc0f1cf..544eca299d 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
@@ -1,7 +1,7 @@
 name: Windows Indirect Command Execution Via Series Of Forfiles
 id: bfdaabe7-3db8-48c5-80c1-220f9b8f22be
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml
index 10612c235f..d7011e7d28 100644
--- a/detections/endpoint/windows_information_discovery_fsutil.yml
+++ b/detections/endpoint/windows_information_discovery_fsutil.yml
@@ -1,7 +1,7 @@
 name: Windows Information Discovery Fsutil
 id: 2181f261-93e6-4166-a5a9-47deac58feff
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -65,7 +65,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
index 41daa48178..1617b5a327 100644
--- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
+++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
@@ -1,7 +1,7 @@
 name: Windows Ingress Tool Transfer Using Explorer
 id: 76753bab-f116-4ea3-8fb9-89b638be58a9
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,10 +41,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
index 350fc32b85..f04f98bd8a 100644
--- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
+++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
@@ -1,7 +1,7 @@
 name: Windows InProcServer32 New Outlook Form
 id: fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 13
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
index 9220dbe8d7..e8083c1507 100644
--- a/detections/endpoint/windows_installutil_remote_network_connection.yml
+++ b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil Remote Network Connection
 id: 4fbf9270-43da-11ec-9486-acde48001122
-version: 16
-date: '2025-09-09'
+version: 17
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -60,10 +60,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 80
+ score: 20
 - field: dest
 type: system
- score: 80
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml
index 129d886de1..1bb03d8b97 100644
--- a/detections/endpoint/windows_known_abused_dll_created.yml
+++ b/detections/endpoint/windows_known_abused_dll_created.yml
@@ -1,7 +1,7 @@
 name: Windows Known Abused DLL Created
 id: ea91651a-772a-4b02-ac3d-985b364a5f07
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -30,10 +30,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 - field: user
 type: user
- score: 10
+ score: 20
 threat_objects:
 - field: file_name
 type: file_name
diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
index bcac9378a2..bfa51cfa2b 100644
--- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
+++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
@@ -1,7 +1,7 @@
 name: Windows Known GraphicalProton Loaded Modules
 id: bf471c94-0324-4b19-a113-d02749b969bc
-version: 10
-date: '2026-01-14'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
index 08bcd2770b..a4202d9883 100644
--- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Windows Large Number of Computer Service Tickets Requested
 id: 386ad394-c9a7-4b4f-b66f-586252de20f0
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Mauricio Velazco, Splunk
 type: Anomaly
 status: production
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: IpAddress
 type: system
- score: 30
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
index 865cbdcfc9..e950e2c1a5 100644
--- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
+++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Linked Policies In ADSI Discovery
 id: 510ea428-4731-4d2f-8829-a28293e427aa
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
index a6d882b75e..40e49ac877 100644
--- a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
+++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
@@ -1,7 +1,7 @@
 name: Windows List ENV Variables Via SET Command From Uncommon Parent
 id: aec157f4-8783-4584-aca6-754c4dc7fba9
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
index 6fa6bcef7d..5e459132d7 100644
--- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
+++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
@@ -1,7 +1,7 @@
 name: Windows LOLBAS Executed Outside Expected Path
 id: 326fdf44-b90c-4d2e-adca-1fd140b10536
-version: 7
-date: '2025-12-18'
+version: 8
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -62,10 +62,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 40
+ score: 20
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
index becb4795d4..8c294ab02f 100644
--- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows Mail Protocol In Non-Common Process Path
 id: ac3311f5-661d-4e99-bd1f-3ec665b05441
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
index 0a81c43a54..c502e8cff4 100644
--- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
+++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
@@ -1,7 +1,7 @@
 name: Windows Mimikatz Crypto Export File Extensions
 id: 3a9a6806-16a8-4cda-8d73-b49d10a05b16
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 28
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml b/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml
index df0fefa8de..36a9b91c37 100644
--- a/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml
+++ b/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml
@@ -1,7 +1,7 @@
 name: Windows MMC Loaded Script Engine DLL
 id: 785bbfb5-d404-42d1-ab9d-45c37a2c75cd
-version: 1
-date: '2026-02-03'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index 1d0c7616b8..62b7c716ea 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry AuthenticationLevelOverride
id: 6410a403-36bb-490f-a06a-11c3be7d2a41
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index 16584036a7..b9b931f425 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Auto Update Notif
id: 4d1409df-40c7-4b11-aec4-bd0e709dfc12
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 1388aeb95b..7cb59e8843 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Default Icon Setting
id: a7a7afdb-3c58-45b6-9bff-63e5acfd9d40
-version: 9
-date: '2026-01-14'
+version: 10
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,10 +28,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 64
+ score: 20
- field: user
type: user
- score: 64
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml
index 41d18426c9..4b088d99b5 100644
--- a/detections/endpoint/windows_modify_registry_disable_rdp.yml
+++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable RDP
id: 11ed764f-eb9c-4be7-bdad-2209b9d33ee1
-version: 7
-date: '2025-08-01'
+version: 8
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index 5ce071a797..3ca449b31a 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Toast Notifications
id: ed4eeacb-8d5a-488e-bc97-1ce6ded63b84
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index cf4644b7c8..aea472664c 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Win Defender Raw Write Notif
id: 0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index 56f3096d7d..29c0b8900c 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Windows Security Center Notif
id: 27ed3e79-6d86-44dd-b9ab-524451c97a7b
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index a9b3509d96..8c8449ce36 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Do Not Connect To Win Update
id: e09c598e-8dd0-4e73-b740-4b96b689199e
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index 4a20a06528..0eeea02ef4 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry LongPathsEnabled
id: 36f9626c-4272-4808-aadd-267acce681c0
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 16
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index 908910be37..d66ac61b44 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry MaxConnectionPerServer
id: 064cd09f-1ff4-4823-97e0-45c2f5b087ec
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index 57934939eb..372815569e 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry No Auto Reboot With Logon User
id: 6a12fa9f-580d-4627-8c7f-313e359bdc6a
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 9
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index d89959f618..a9c8d477ba 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry No Auto Update
id: fbd4f333-17bb-4eab-89cb-860fa2e0600e
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
index ff7ce48a3d..d66a504113 100644
--- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
+++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry on Smart Card Group Policy
id: 1522145a-8e86-4f83-89a8-baf62a8f489d
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index 4e7ec02b93..50a88a84ba 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry ProxyEnable
id: b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index cfc5f1f6b9..7bbbd2c10b 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry ProxyServer
id: 12bdaa0b-3c59-4489-aae1-bff6d67746ef
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
index 643260c94e..a08228dc48 100644
--- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
+++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Qakbot Binary Data Registry
id: 2e768497-04e0-4188-b800-70dd2be0e30d
-version: 10
-date: '2026-01-14'
+version: 11
+date: '2026-02-26'
author: Teoderick Contreras, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
index 7b9419f4ab..74abca1059 100644
--- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
+++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Regedit Silent Reg Import
id: 824dd598-71be-4203-bc3b-024f4cda340e
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -48,7 +48,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index 6333217ed8..d2c7d0b795 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Suppress Win Defender Notif
id: e3b42daf-fff4-429d-bec8-2a199468cea9
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
index f1dc848696..5c9888e257 100644
--- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
+++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry to Add or Modify Firewall Rule
id: 43254751-e2ce-409a-b6b4-4f851e8dcc26
-version: 9
-date: '2025-11-20'
+version: 10
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -28,10 +28,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 25
+ score: 20
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index 701246f10f..e163d11af1 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry UpdateServiceUrlAlternate
id: ca4e94fb-7969-4d63-8630-3625809a1f70
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml
index 56869c5f80..1f210a0354 100644
--- a/detections/endpoint/windows_modify_registry_utilize_progids.yml
+++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Utilize ProgIDs
id: 64fa82dd-fd11-472a-9e94-c221fffa591d
-version: 8
-date: '2026-01-14'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -29,10 +29,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
index 4cbd08a859..ff8299c060 100644
--- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
+++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
@@ -1,7 +1,7 @@
name: Windows MSExchange Management Mailbox Cmdlet Usage
id: 396de86f-25e7-4b0e-be09-a330be35249d
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -33,7 +33,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 32
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_mstsc_rdp_commandline.yml b/detections/endpoint/windows_mstsc_rdp_commandline.yml
index c084c44b59..d52694af35 100644
--- a/detections/endpoint/windows_mstsc_rdp_commandline.yml
+++ b/detections/endpoint/windows_mstsc_rdp_commandline.yml
@@ -1,7 +1,7 @@
name: Windows MSTSC RDP Commandline
id: 3718549b-867e-4084-b770-790e8dab6ab8
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/windows_net_system_service_discovery.yml b/detections/endpoint/windows_net_system_service_discovery.yml
index 795f6a5192..e31b958eac 100644
--- a/detections/endpoint/windows_net_system_service_discovery.yml
+++ b/detections/endpoint/windows_net_system_service_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Net System Service Discovery
id: dd7da098-83b8-4c48-b09d-e51aeb621e81
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -44,10 +44,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
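Review bot: In the Net System Service Discovery hunk, raising the `user` and `dest` scores from 3 to 20 is a roughly seven-fold increase for a discovery analytic around `net` usage, which administrators and logon scripts trigger routinely; the previous near-zero value reads as a deliberate choice to keep it from driving aggregation, presumably because of that volume. At a uniform 20 it now contributes the same risk per hit as the EventLog security-descriptor tampering and Ngrok detections elsewhere in this commit, so a single chatty host can reach a risk threshold on discovery events alone. If the flat baseline is intentional, say so in `known_false_positives`, and consider leaving the `user` object lower than `dest`, since the `parent_process_name` threat object already carries the context that makes a hit interesting. The search and false-positive text are outside this hunk.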
diff --git a/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml b/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml
index 1c4dafc7ba..d3b7d8e096 100644
--- a/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml
+++ b/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml
@@ -1,7 +1,7 @@
name: Windows NetSupport RMM DLL Loaded By Uncommon Process
id: 125f96f9-6f34-418b-b868-c4a8d7fb865f
-version: 1
-date: '2025-11-20'
+version: 2
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -57,7 +57,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 30
+ score: 20
threat_objects:
- field: Image
type: process_name
diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml
index b27eebbe4b..338a9f319f 100644
--- a/detections/endpoint/windows_network_share_interaction_via_net.yml
+++ b/detections/endpoint/windows_network_share_interaction_via_net.yml
@@ -1,7 +1,7 @@
name: Windows Network Share Interaction Via Net
id: e51fbdb0-0be0-474f-92ea-d289f71a695e
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Dean Luxton
status: production
type: Anomaly
diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
index 7a10500128..5ae1125175 100644
--- a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
+++ b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
@@ -1,7 +1,7 @@
name: Windows New Custom Security Descriptor Set On EventLog Channel
id: c0e5dd5a-2117-41d5-a04c-82a762a86a38
-version: 5
-date: '2026-01-14'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -28,10 +28,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 64
+ score: 20
- field: user
type: user
- score: 64
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
index 2d2a029b7f..7c48224a0b 100644
--- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
+++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
@@ -1,7 +1,7 @@
name: Windows New Deny Permission Set On Service SD Via Sc.EXE
id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -49,10 +49,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 30
+ score: 20
- field: dest
type: system
- score: 30
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
index d562d0234a..2cf2295cfc 100644
--- a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
+++ b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
@@ -1,7 +1,7 @@
name: Windows New EventLog ChannelAccess Registry Value Set
id: 16eb11bc-ef42-42e8-9d0c-d21e0fa15725
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2026-02-26'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -28,10 +28,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 30
+ score: 20
- field: user
type: user
- score: 30
+ score: 20
threat_objects: []
tags:
analytic_story:
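Review bot: Lowering the EventLog channel security-descriptor detection from 64 to 20 on both `dest` and `user` puts a defense-evasion indicator (restricting who can read a log channel) on the same footing as the notification-suppression registry tweaks in this commit, although tampering with log ACLs is rare in legitimate administration and directly degrades the data source every other detection here depends on. If a flat 20 is required for everything of `type: Anomaly`, this rule is a candidate for whatever higher-fidelity type the content library offers, or at least for a note in its description that the score is intentionally low and should be correlated with the companion `Windows New EventLog ChannelAccess Registry Value Set` analytic, which this same diff also drops to 20. The rest of the detection body, including its search, is outside the hunk.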
diff --git a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
index 2e68c7ca38..345551e07a 100644
--- a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
+++ b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
@@ -1,7 +1,7 @@
name: Windows New Service Security Descriptor Set Via Sc.EXE
id: cde00c31-042a-4307-bf70-25e471da56e9
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -49,10 +49,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 36
+ score: 20
- field: dest
type: system
- score: 36
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index 3868c2ee97..d9e7c24d61 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -1,7 +1,7 @@
name: Windows Ngrok Reverse Proxy Usage
id: e2549f2c-0aef-408a-b0c1-e0f270623436
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 50
+ score: 20
- field: dest
type: system
- score: 50
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml b/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml
index a06a148442..7e72bedf88 100644
--- a/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml
+++ b/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml
@@ -1,7 +1,7 @@
name: Windows NirSoft Tool Bundle File Created
id: a2c8e8f8-18d6-4ad4-acf4-f58903bebe41
-version: 2
-date: '2025-11-19'
+version: 3
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
index 3f0df57613..a3f7758b0b 100644
--- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
+++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
@@ -1,7 +1,7 @@
name: Windows Non Discord App Access Discord LevelDB
id: 1166360c-d495-45ac-87a6-8948aac1fa07
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Windows Event Log Security 4663
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 9
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
index 8cc85c8f6c..035d61c0d8 100644
--- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
+++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
@@ -1,7 +1,7 @@
name: Windows Obfuscated Files or Information via RAR SFX
id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 11
@@ -35,7 +35,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects:
- field: file_name
type: file_name
diff --git a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
index 3bcd60254e..cbc4a1f8a6 100644
--- a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
+++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Dropped Uncommon File
id: 7ac0fced-9eae-4381-a748-90dcd1aa9393
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github
status: production
type: Anomaly
@@ -52,7 +52,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 64
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
index 915499f7b7..c93f8e5a4d 100644
--- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
+++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Loaded MSHTML Module
id: 4cc015c9-687c-40d2-adcc-46350f66e10c
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2026-02-26'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -30,7 +30,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 80
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
index 2fa057b705..b5fe9072f7 100644
--- a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Loading Taskschd DLL
id: d7297cfa-1f04-4714-bfbe-3679e0666959
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,7 +29,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
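Review bot: In the MSHTML hunk the cut from `score: 80` to `score: 20` on `dest` is the largest in this chunk apart from the Outlook WebView rule, and it lands on an Office image-load analytic that the previous author rated as close to certain; an Office product pulling in the MSHTML module is not something benign documents do often, so the old weight looks deliberate rather than accidental. With a flat 20 a single hit needs four further anomalies on the same host before it surfaces, which keeps the host quiet exactly when this indicator is most valuable. If the normalization is policy, record the prior value and the reasoning in the description, e.g. `Risk score normalized to 20 (previously 80); correlate with Office child-process detections for escalation.`, so environment-specific tuning can restore it. The search body sits outside the hunk.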
diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
index 56c4295bd1..59360bcf3b 100644
--- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Loading VBE7 DLL
id: 7cfec906-2697-43f7-898b-83634a051d9a
-version: 4
-date: '2025-05-02'
+version: 5
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,7 +32,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 35
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml
index 7e702b5b63..045c30f8e5 100644
--- a/detections/endpoint/windows_outlook_webview_registry_modification.yml
+++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml
@@ -1,7 +1,7 @@
name: Windows Outlook WebView Registry Modification
id: 6e1ad5d4-d9af-496a-96ec-f31c11cd09f2
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2026-02-26'
author: Michael Haag, Splunk
data_source:
- Sysmon EventID 13
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 100
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml
index 5951122543..aa9d915f1a 100644
--- a/detections/endpoint/windows_password_managers_discovery.yml
+++ b/detections/endpoint/windows_password_managers_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Password Managers Discovery
id: a3b3bc96-1c4f-4eba-8218-027cac739a48
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
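Review bot: In the Outlook WebView hunk, `score: 100` to `score: 20` turns a rule that previously could raise a risk notable on its own (assuming the common 100-point aggregation threshold, which is not visible in this diff) into one that needs four unrelated anomalies alongside it. Outlook WebView registry modification is a persistence technique with very few legitimate triggers, so a five-fold cut deserves an explicit justification rather than a mechanical baseline, and the hunk changes only the score while leaving the description untouched. Suggest either keeping this detection at its prior value or adding a comment above the `score:` line such as `# lowered from 100 to the Anomaly baseline; raise per-environment if alerting directly on this rule` so the intent survives the next review. The search body is outside the hunk.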
@@ -48,7 +48,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 6575e709da..64c65fc6c2 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -1,7 +1,7 @@
name: Windows Phishing PDF File Executes URL Link
id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 64
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
index b69d9df315..af7e606da6 100644
--- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
+++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
@@ -1,7 +1,7 @@
name: Windows Potential AppDomainManager Hijack Artifacts Creation
id: be19b369-fd0c-42be-ae97-c10b6c01638f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml
index b6901fb583..3c6004e719 100644
--- a/detections/endpoint/windows_powershell_cryptography_namespace.yml
+++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell Cryptography Namespace
 id: f8b482f4-6d62-49fa-a905-dfa15698317b
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,10 +38,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user_id
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml
index aaa36f57e3..8746df108d 100644
--- a/detections/endpoint/windows_powershell_export_certificate.yml
+++ b/detections/endpoint/windows_powershell_export_certificate.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Export Certificate
 id: 5e38ded4-c964-41f4-8cb6-4a1a53c6929f
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -40,7 +40,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
index af10f0f283..6f91d9129a 100644
--- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Export PfxCertificate
 id: ed06725f-6da6-439f-9dcc-ab30e891297c
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
index b1b7c08e79..f9fd996601 100644
--- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
+++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Get CIMInstance Remote Computer
 id: d8c972eb-ed84-431a-8869-ca4bd83257d1
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 15
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_history_file_deletion.yml b/detections/endpoint/windows_powershell_history_file_deletion.yml
index 9103fd9f02..99d8c79121 100644
--- a/detections/endpoint/windows_powershell_history_file_deletion.yml
+++ b/detections/endpoint/windows_powershell_history_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell History File Deletion
 id: f1369394-48e1-4327-bf6d-14377f4b8687
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
index c11e527f7f..a7c5539ca8 100644
--- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
+++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell IIS Components WebGlobalModule Usage
 id: 33fc9f6f-0ce7-4696-924e-a69ec61a3d57
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -43,7 +43,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml b/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
index 5cf485ff58..2180395d96 100644
--- a/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
+++ b/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Invoke-RestMethod IP Information Collection
 id: 8db47e12-9c3e-4f5a-b0d6-e42a1895cd4f
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 45
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
index 8608156f81..691093cab9 100644
--- a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
+++ b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell Logoff User via Quser
 id: 6d70780d-4cfe-4820-bafd-1b43941986b5
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source:
 - Powershell Script Block Logging 4104
@@ -38,7 +38,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml b/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml
index e4fe41aa67..d1010934c8 100644
--- a/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml
+++ b/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Process Implementing Manual Base64 Decoder
 id: 08d67349-0808-4f55-b431-1037269fa517
-version: 2
-date: '2025-11-19'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali
 status: production
 type: Anomaly
@@ -69,10 +69,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml
index 064934fa95..2927afcf27 100644
--- a/detections/endpoint/windows_powershell_remotesigned_file.yml
+++ b/detections/endpoint/windows_powershell_remotesigned_file.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell RemoteSigned File
 id: f7f7456b-470d-4a95-9703-698250645ff4
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml
index 19adc186cc..596dd4f884 100644
--- a/detections/endpoint/windows_powershell_scheduletask.yml
+++ b/detections/endpoint/windows_powershell_scheduletask.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell ScheduleTask
 id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -39,10 +39,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user_id
 type: user
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml
index 5146e6afa5..24a504d425 100644
--- a/detections/endpoint/windows_private_keys_discovery.yml
+++ b/detections/endpoint/windows_private_keys_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Private Keys Discovery
 id: 5c1c2877-06c0-40ee-a1a2-db71f1372b5b
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
index 195548dc73..d7fa13a5fc 100644
--- a/detections/endpoint/windows_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_process_executed_from_removable_media.yml
@@ -1,7 +1,7 @@
 name: Windows Process Executed From Removable Media
 id: b483804a-4cc0-49a4-9f00-ac29ba844d08
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -62,10 +62,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 35
+ score: 20
 - field: dest
 type: system
- score: 35
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_process_execution_from_rdp_share.yml b/detections/endpoint/windows_process_execution_from_rdp_share.yml
index 52a57ff962..d12050b18f 100644
--- a/detections/endpoint/windows_process_execution_from_rdp_share.yml
+++ b/detections/endpoint/windows_process_execution_from_rdp_share.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution From RDP Share
 id: 6b1b84c4-3834-4dee-b062-9b79bdb31d15
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -66,7 +66,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 35
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
index 1e2ba73b05..9f969970db 100644
--- a/detections/endpoint/windows_process_execution_in_temp_dir.yml
+++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution in Temp Dir
 id: f6fbe929-4187-4ba4-901e-8a34be838443
-version: 7
-date: '2025-12-10'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -33,7 +33,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_path
 type: process_name
diff --git a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
index 248daee2b6..6901cc595e 100644
--- a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
+++ b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection into Commonly Abused Processes
 id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
-version: 4
-date: '2025-09-18'
+version: 5
+date: '2026-02-26'
 author: 0xC0FFEEEE, Github Community
 type: Anomaly
 status: production
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 32
+ score: 20
 threat_objects:
 - field: SourceImage
 type: process
diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml
index 0086d668c1..4c74ef4319 100644
--- a/detections/endpoint/windows_process_injection_into_notepad.yml
+++ b/detections/endpoint/windows_process_injection_into_notepad.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection into Notepad
 id: b8340d0f-ba48-4391-bea7-9e793c5aae36
-version: 10
-date: '2025-09-18'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 32
+ score: 20
 threat_objects:
 - field: SourceImage
 type: process
diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
index 37c9f8a636..fa2393deec 100644
--- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml
+++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection Wermgr Child Process
 id: 360ae6b0-38b5-4328-9e2b-bc9436cddb17
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index 7e8d4a77c4..664530493a 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NamedPipe CommandLine
 id: e64399d4-94a8-11ec-a9da-acde48001122
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
index c1a6585b7f..a6c79a3a0e 100644
--- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
+++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
@@ -1,7 +1,7 @@
 name: Windows Processes Killed By Industroyer2 Malware
 id: d8bea5ca-9d4a-4249-8b56-64a619109835
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml
index 76c2610d06..4d031b150e 100644
--- a/detections/endpoint/windows_proxy_via_netsh.yml
+++ b/detections/endpoint/windows_proxy_via_netsh.yml
@@ -1,7 +1,7 @@
 name: Windows Proxy Via Netsh
 id: c137bfe8-6036-4cff-b77b-4e327dd0a1cf
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index aea95cfe07..693ccb284f 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Proxy Via Registry
 id: 0270455b-1385-4579-9ac5-e77046c508ae
-version: 9
-date: '2026-01-14'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_pstools_recon_usage.yml b/detections/endpoint/windows_pstools_recon_usage.yml
index e3aad94f67..af808dd1ac 100644
--- a/detections/endpoint/windows_pstools_recon_usage.yml
+++ b/detections/endpoint/windows_pstools_recon_usage.yml
@@ -1,7 +1,7 @@
 name: Windows PsTools Recon Usage
 id: 9a5f4b3e-1d2b-4c6f-9a8e-3b7d2f5c1a6e
-version: 3
-date: '2025-11-19'
+version: 4
+date: '2026-02-26'
 author: Nasreddine Bencherchali
 status: production
 type: Anomaly
@@ -95,10 +95,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_pua_named_pipe.yml b/detections/endpoint/windows_pua_named_pipe.yml
index bf343237bb..c5a3e59e41 100644
--- a/detections/endpoint/windows_pua_named_pipe.yml
+++ b/detections/endpoint/windows_pua_named_pipe.yml
@@ -1,7 +1,7 @@
 name: Windows PUA Named Pipe
 id: 95b11d20-e2c6-46a5-b526-8629f5f0860a
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -66,7 +66,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 72
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
index 587045c9bc..74cd2256e2 100644
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml
+++ b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -1,7 +1,7 @@
 name: Windows Query Registry Browser List Application
 id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
index 13f412caf2..59e63e8d85 100644
--- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml
+++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
@@ -1,7 +1,7 @@
 name: Windows Query Registry UnInstall Program List
 id: 535fd4fc-7151-4062-9d7e-e896bea77bf6
-version: 7
-date: '2025-12-16'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
index e36c4e7377..8cc5dff9c5 100644
--- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
+++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
@@ -1,7 +1,7 @@
 name: Windows Raw Access To Disk Volume Partition
 id: a85aa37e-9647-11ec-90c5-acde48001122
-version: 9
-date: '2025-08-20'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 90
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml b/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml
index 9bb047be88..48a2b4079c 100644
--- a/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml
+++ b/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Rdp AutomaticDestinations Deletion
 id: e40a40a1-9fea-4554-abdf-b164422f0627
-version: 1
-date: '2025-07-30'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml b/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml
index ebea4b647f..fafa52d590 100644
--- a/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml
+++ b/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Bitmap Cache File Creation
 id: 5f8671b6-07a7-425d-b3da-c39a53f2a6ae
-version: 1
-date: '2025-07-30'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_rdp_cache_file_deletion.yml b/detections/endpoint/windows_rdp_cache_file_deletion.yml
index b8b89f0f6b..6ae6aa26b1 100644
--- a/detections/endpoint/windows_rdp_cache_file_deletion.yml
+++ b/detections/endpoint/windows_rdp_cache_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Cache File Deletion
 id: f3e86ff3-b1f9-4382-8924-6913385f1019
-version: 1
-date: '2025-07-30'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml b/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml
index ad9cd96e04..d79b4e4aee 100644
--- a/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml
+++ b/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Client Launched with Admin Session
 id: 1af84ac8-05ea-4f11-8541-b2d1e45a7744
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -41,7 +41,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_rdp_login_session_was_established.yml b/detections/endpoint/windows_rdp_login_session_was_established.yml
index c52a40a684..1204387b1c 100644
--- a/detections/endpoint/windows_rdp_login_session_was_established.yml
+++ b/detections/endpoint/windows_rdp_login_session_was_established.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Login Session Was Established
 id: 00ca7f9e-88ab-4841-a6c2-83979ab1ed29
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_rdp_server_registry_deletion.yml b/detections/endpoint/windows_rdp_server_registry_deletion.yml
index b5fff106cd..72cc55d45a 100644
--- a/detections/endpoint/windows_rdp_server_registry_deletion.yml
+++ b/detections/endpoint/windows_rdp_server_registry_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Server Registry Deletion
 id: 1a058296-7c68-4d66-9560-464764d6e26c
-version: 1
-date: '2025-07-30'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_rdp_server_registry_entry_created.yml b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
index cd767ebc19..560c908c3b 100644
--- a/detections/endpoint/windows_rdp_server_registry_entry_created.yml
+++ b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Server Registry Entry Created
 id: 61f10919-c360-4e56-9cda-f1f34500cfda
-version: 1
-date: '2025-07-30'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
index b36cac70d1..9c22872193 100644
--- a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
+++ b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
@@ -1,7 +1,7 @@
 name: Windows RDPClient Connection Sequence Events
 id: 67340df1-3f1d-4470-93c8-9ac7249d11b0
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 7
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index b7a9760e17..e0ea7b08a3 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Certificate Added
 id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Teodeerick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 42
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index 5bc0a60532..725448ec46 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Delete Task SD
 id: ffeb7893-ff06-446f-815b-33ca73224e92
-version: 9
-date: '2026-01-23'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -60,7 +60,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: registry_path
 type: registry_path
diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
index c04d0e54d7..af4a3a52bf 100644
--- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
+++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Access Software BRC4 Loaded Dll
 id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index 66b59dbe38..511750d7f5 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Create Service
 id: 0dc44d03-8c00-482d-ba7c-796ba7ab18c9
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_remote_host_computer_management_access.yml b/detections/endpoint/windows_remote_host_computer_management_access.yml
index 8b283566ab..0e1a3ab3b8 100644
--- a/detections/endpoint/windows_remote_host_computer_management_access.yml
+++ b/detections/endpoint/windows_remote_host_computer_management_access.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Host Computer Management Access
 id: 455da527-0047-4610-a3ca-b4a005c2d346
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml
index 9dd8f8c463..db3d3239bf 100644
--- a/detections/endpoint/windows_remote_management_execute_shell.yml
+++ b/detections/endpoint/windows_remote_management_execute_shell.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Management Execute Shell
 id: 28b80028-851d-4b8d-88a5-375ba115418a
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
@@ -43,7 +43,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
index be555269c9..fd4092c6e9 100644
--- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
+++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Services Allow Rdp In Firewall
 id: 9170cb54-ea15-41e1-9dfc-9f3363ce9b02
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -47,7 +47,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index f74c8cb499..d449fc2b15 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Services Allow Remote Assistance
 id: 9bce3a97-bc97-4e89-a1aa-ead151c82fbb
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_rmm_named_pipe.yml b/detections/endpoint/windows_rmm_named_pipe.yml
index 385dbb98c9..c6d456c5e9 100644
--- a/detections/endpoint/windows_rmm_named_pipe.yml
+++ b/detections/endpoint/windows_rmm_named_pipe.yml
@@ -1,7 +1,7 @@
 name: Windows RMM Named Pipe
 id: c07c7138-edf5-4a16-8b24-3842599235bf
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -65,7 +65,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 52
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
index b7105ad515..4f873ab9be 100644
--- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
+++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Root Domain linked policies Discovery
 id: 80ffaede-1f12-49d5-a86e-b4b599b68b3c
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -39,7 +39,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
index 46bcdf44ae..2ea0d5b4fd 100644
--- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
+++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
@@ -1,7 +1,7 @@
 name: Windows Rundll32 Apply User Settings Changes
 id: b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -56,7 +56,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
index 7d4a02ae2e..04efd98374 100644
--- a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
+++ b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Rundll32 Load DLL in Temp Dir
 id: 520da6fa-7d5d-4a3b-9c61-1087517b8d0f
-version: 3
-date: '2026-01-14'
+version: 4
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 50
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml
index df5189a4e4..b7f96679a3 100644
--- a/detections/endpoint/windows_runmru_command_execution.yml
+++ b/detections/endpoint/windows_runmru_command_execution.yml
@@ -1,7 +1,7 @@
 name: Windows RunMRU Command Execution
 id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
-version: 8
-date: '2025-06-10'
+version: 9
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -30,10 +30,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 48
+ score: 20
 - field: user
 type: user
- score: 48
+ score: 20
 threat_objects:
 - field: registry_value_data
 type: registry_value_text
diff --git a/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml b/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml
index a127b83dff..73d2c33da8 100644
--- a/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml
+++ b/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml
@@ -1,7 +1,7 @@
 name: Windows RunMRU Registry Key or Value Deleted
 id: e651795f-b2c9-4a84-a18a-b901018a3bfa
-version: 1
-date: '2025-11-20'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,7 +29,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 10
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index 7725f64e6f..8346361277 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -1,7 +1,7 @@
 name: Windows Scheduled Task Created Via XML
 id: 7e03b682-3965-4598-8e91-a60a40a3f7e4
-version: 12
-date: '2026-02-25'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -53,10 +53,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 - field: user
 type: user
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml
index ce49a3efcb..413143c96d 100644
--- a/detections/endpoint/windows_security_support_provider_reg_query.yml
+++ b/detections/endpoint/windows_security_support_provider_reg_query.yml
@@ -1,7 +1,7 @@
 name: Windows Security Support Provider Reg Query
 id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b
-version: 8
-date: '2026-01-14'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -31,7 +31,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
index c243000f72..1a384be60a 100644
--- a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
+++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
@@ -1,7 +1,7 @@
 name: Windows Sensitive Group Discovery With Net
 id: d9eb7cda-5622-4722-bc88-7f2442f4b5af
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -46,7 +46,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 21
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml
index 7ea6a2e15e..d2636f1f28 100644
--- a/detections/endpoint/windows_service_create_remcomsvc.yml
+++ b/detections/endpoint/windows_service_create_remcomsvc.yml
@@ -1,7 +1,7 @@
 name: Windows Service Create RemComSvc
 id: 0be4b5d6-c449-4084-b945-2392b519c33b
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 32
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
index 2756bdee70..55438d789a 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
@@ -1,7 +1,7 @@
 name: Windows Service Created with Suspicious Service Name
 id: 35eb6d19-a497-400c-93c5-645562804b11
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -43,7 +43,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 75
+ score: 20
 threat_objects:
 - field: process
 type: process
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index a8cda9104c..4d09c7e15b 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -1,7 +1,7 @@
 name: Windows Service Creation Using Registry Entry
 id: 25212358-948e-11ec-ad47-acde48001122
-version: 16
-date: '2026-02-09'
+version: 17
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index 09469e3363..ce54ee3faf 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Service Deletion In Registry
 id: daed6823-b51c-4843-a6ad-169708f1323e
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 18
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml
index 0e0b067fce..710ff39b72 100644
--- a/detections/endpoint/windows_service_stop_win_updates.yml
+++ b/detections/endpoint/windows_service_stop_win_updates.yml
@@ -1,7 +1,7 @@
 name: Windows Service Stop Win Updates
 id: 0dc25c24-6fcf-456f-b08b-dd55a183e4de
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -36,7 +36,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
index 161338fa2d..fee68faab7 100644
--- a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
+++ b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Set Account Password Policy To Unlimited Via Net
 id: 11f93009-8083-43fd-82a7-821fcbdc8342
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -49,7 +49,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 100
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml b/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml
index c9116a89df..29fddd3f15 100644
--- a/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml
+++ b/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Set Network Profile Category to Private via Registry
 id: b11bb510-97e1-4b7a-b673-887ab228c280
-version: 1
-date: '2025-10-07'
+version: 2
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
index c1cefbd8b6..08aeb40e67 100644
--- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
+++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
@@ -1,7 +1,7 @@
 name: Windows SIP WinVerifyTrust Failed Trust Validation
 id: 6ffc7f88-415b-4278-a80d-b957d6539e1a
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_sql_server_startup_procedure.yml b/detections/endpoint/windows_sql_server_startup_procedure.yml
index eaac1163ae..1a693be75c 100644
--- a/detections/endpoint/windows_sql_server_startup_procedure.yml
+++ b/detections/endpoint/windows_sql_server_startup_procedure.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Server Startup Procedure
 id: 7bec7c5c-2262-4adb-ba56-c8028512bc58
-version: 3
-date: '2025-10-14'
+version: 4
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 90
+ score: 20
 - field: startup_procedure
 type: other
- score: 70
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_ssh_proxy_command.yml b/detections/endpoint/windows_ssh_proxy_command.yml
index 5a81e5bb9f..e1d3b4372a 100644
--- a/detections/endpoint/windows_ssh_proxy_command.yml
+++ b/detections/endpoint/windows_ssh_proxy_command.yml
@@ -1,7 +1,7 @@
 name: Windows SSH Proxy Command
 id: ac520039-21f1-4567-b528-5b7133dba76f
-version: 3
-date: '2025-10-16'
+version: 4
+date: '2026-02-26'
 author: Michael Haag, AJ King, Nasreddine Bencherchali, Splunk, Jesse Hunter, Splunk Community Contributor
 status: production
 type: Anomaly
@@ -74,10 +74,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 60
+ score: 20
 - field: user
 type: user
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
index 15e86169fd..b15fd35296 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Certificate Issued
 id: 9b1a5385-0c31-4c39-9753-dc26b8ce64c2
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 8
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
index d2e699611c..7661d61208 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Certificate Request
 id: 747d7800-2eaa-422d-b994-04d8bb9e06d0
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 8
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index 2dd93e2759..5c2e923d1c 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates CertUtil Backup
 id: bac85b56-0b65-4ce5-aad5-d94880df0967
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -42,10 +42,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 40
+ score: 20
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
index 28a75257a5..0f381bde8d 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates CryptoAPI
 id: 905d5692-6d7c-432f-bc7e-a6b4f464d40e
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 24
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
index 6152ffe483..780b092dc9 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates CS Backup
 id: a2f4cc7f-6503-4078-b206-f83a29f408a7
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -34,7 +34,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index 76e6c36006..fce2c278fc 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Export Certificate
 id: e39dc429-c2a5-4f1f-9c3c-6b211af6b332
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -43,10 +43,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 36
+ score: 20
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index 248229ee26..2f04a24999 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Export PfxCertificate
 id: 391329f3-c14b-4b8d-8b37-ac5012637360
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -43,10 +43,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 36
+ score: 20
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_subinacl_execution.yml b/detections/endpoint/windows_subinacl_execution.yml
index 405a657a76..2a0bd38b24 100644
--- a/detections/endpoint/windows_subinacl_execution.yml
+++ b/detections/endpoint/windows_subinacl_execution.yml
@@ -1,7 +1,7 @@
 name: Windows SubInAcl Execution
 id: 12491419-1a6f-4af4-afc3-4e2052f0610e
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -47,10 +47,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 16
+ score: 20
 - field: dest
 type: system
- score: 16
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
index c0cb29c39d..8bf8e5ce0e 100644
--- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
+++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
@@ -1,7 +1,7 @@
 name: Windows Suspect Process With Authentication Traffic
 id: 953322db-128a-4ce9-8e89-56e039e33d98
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -28,13 +28,13 @@ rba:
 risk_objects:
 - field: src
 type: system
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 - field: user
 type: user
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
index 4f9605f8b0..3b8dc62223 100644
--- a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
+++ b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -1,7 +1,7 @@
 name: Windows Svchost.exe Parent Process Anomaly
 id: 1d38e5e9-2ff8-4c47-872c-bf1657cefab5
-version: 5
-date: '2025-11-07'
+version: 6
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -29,10 +29,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 50
+ score: 20
 - field: user
 type: user
- score: 50
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml b/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml
index 95ef970342..c8c2100ff9 100644
--- a/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml
+++ b/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml
@@ -1,7 +1,7 @@
 name: Windows Symlink Evaluation Change via Fsutil
 id: 9777e7e3-2499-4a16-a519-ebe33630c1e8
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -69,7 +69,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 35
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
index 4aa981c83f..19b3646548 100644
--- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
+++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
@@ -1,7 +1,7 @@
 name: Windows System Discovery Using ldap Nslookup
 id: 2418780f-7c3e-4c45-b8b4-996ea850cd49
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 1
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml
index e79be5aa9f..19f5f45dd3 100644
--- a/detections/endpoint/windows_system_logoff_commandline.yml
+++ b/detections/endpoint/windows_system_logoff_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows System LogOff Commandline
 id: 74a8133f-93e7-4b71-9bd3-13a66124fd57
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 56
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
index bcdd992554..7bfabec0b0 100644
--- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
+++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
@@ -1,7 +1,7 @@
 name: Windows System Network Config Discovery Display DNS
 id: e24f0a0e-41a9-419f-9999-eacab15efc36
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
index 32fc561d39..05c5fe8e4b 100644
--- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
+++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
@@ -1,7 +1,7 @@
 name: Windows System Network Connections Discovery Netsh
 id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index 74e30768d8..9631ec4353 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows System Reboot CommandLine
 id: 97fc2b60-c8eb-4711-93f7-d26fade3686f
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,7 +48,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 30
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml
index dae983390e..34f55ec22b 100644
--- a/detections/endpoint/windows_system_remote_discovery_with_query.yml
+++ b/detections/endpoint/windows_system_remote_discovery_with_query.yml
@@ -1,7 +1,7 @@
 name: Windows System Remote Discovery With Query
 id: 94859172-a521-474f-97ac-4cf4b09634a3
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -51,10 +51,10 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 25
+ score: 20
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects:
 - field: process_name
 type: process_name
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index 6134a981f8..6abde0c7eb 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows System Shutdown CommandLine
 id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c
-version: 11
-date: '2026-02-12'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -30,7 +30,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
index 8e24d90699..f750a82473 100644
--- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
+++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
@@ -1,7 +1,7 @@
 name: Windows System Time Discovery W32tm Delay
 id: b2cc69e7-11ba-42dc-a269-59c069a48870
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -44,7 +44,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 36
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml
index 870de1ab26..77244f4128 100644
--- a/detections/endpoint/windows_terminating_lsass_process.yml
+++ b/detections/endpoint/windows_terminating_lsass_process.yml
@@ -1,7 +1,7 @@
 name: Windows Terminating Lsass Process
 id: 7ab3c319-a4e7-4211-9e8c-40a049d0dba6
-version: 11
-date: '2026-02-25'
+version: 12
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -42,7 +42,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 64
+ score: 20
 threat_objects:
 - field: TargetImage
 type: process
diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
index b5971c4121..03709818ec 100644
--- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
+++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
@@ -1,7 +1,7 @@
 name: Windows Time Based Evasion via Choice Exec
 id: d5f54b38-10bf-4b3a-b6fc-85949862ed50
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -43,7 +43,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 25
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_tor_client_execution.yml b/detections/endpoint/windows_tor_client_execution.yml
index f2ba1a20be..d8ca04b930 100644
--- a/detections/endpoint/windows_tor_client_execution.yml
+++ b/detections/endpoint/windows_tor_client_execution.yml
@@ -1,7 +1,7 @@
 name: Windows TOR Client Execution
 id: f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a
-version: 1
-date: '2026-02-02'
+version: 2
+date: '2026-02-26'
 author: Vignesh Subramanian, Splunk
 status: production
 type: Anomaly
@@ -66,10 +66,10 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 40
+ score: 20
 - field: user
 type: user
- score: 40
+ score: 20
 threat_objects:
 - field: parent_process_name
 type: parent_process_name
diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
index 0b26bf21f5..f102fb835f 100644
--- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
+++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Unsecured Outlook Credentials Access In Registry
 id: 36334123-077d-47a2-b70c-6c7b3cc85049
-version: 9
-date: '2025-12-16'
+version: 10
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
index cc60826d85..3e22684091 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned DLL Side-Loading
 id: 5a83ce44-8e0f-4786-a775-8249a525c879
-version: 12
-date: '2026-02-09'
+version: 13
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 49
+ score: 20
 threat_objects: []
 tags:
 analytic_story:
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
index c56d4c3971..ec00cf00b4 100644
--- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned MS DLL Side-Loading
 id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c
-version: 13
-date: '2026-01-13'
+version: 14
+date: '2026-02-26'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
@@ -57,7 +57,7 @@ rba:
 risk_objects:
 - field: dest
 type: system
- score: 9
+ score: 20
 threat_objects:
 - field: Image
 type: file_name
diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
index 920f3c4966..f5d00d6da8 100644
--- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
 name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
 id: f65aa026-b811-42ab-b4b9-d9088137648f
-date: '2026-02-25'
+date: '2026-02-26'
 type: Anomaly
-version: 8
+version: 9
 status: production
 author: Mauricio Velazco, Splunk
 data_source:
@@ -37,7 +37,7 @@ rba:
 risk_objects:
 - field: user
 type: user
- score: 49
+ score: 20
 threat_objects:
 - field: IpAddress
 type: ip_address
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
index 2ed3d33171..b0fe44f777 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
 name: Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
 id: f122cb2e-d773-4f11-8399-62a3572d8dd7
 type: Anomaly
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 status: production
 author: Mauricio Velazco, Splunk
 data_source:
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: IpAddress
type: ip_address
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
index 131dd5fbd8..0c4dae9a1c 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
id: 15603165-147d-4a6e-9778-bd0ff39e668f
type: Anomaly
-version: 9
+version: 10
status: production
-date: '2026-02-25'
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4776
@@ -40,10 +40,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
- field: src
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
index e5520c5a18..0670dbd21a 100644
--- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93
type: Anomaly
-version: 9
+version: 10
status: production
-date: '2026-02-25'
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4648
@@ -39,10 +39,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
- field: Computer
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
index 2ecbba57f9..1ee041e006 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
name: Windows Unusual Count Of Users Failed To Auth Using Kerberos
id: bc9cb715-08ba-40c3-9758-6e2b26e455cb
-date: '2026-02-25'
+date: '2026-02-26'
type: Anomaly
-version: 8
+version: 9
status: production
author: Mauricio Velazco, Splunk
data_source:
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
threat_objects:
- field: IpAddress
type: ip_address
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
index 6e2cf3944b..abbc9632bf 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Failed To Authenticate From Process
id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe
type: Anomaly
-version: 9
+version: 10
status: production
-date: '2026-02-25'
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 49
+ score: 20
- field: Computer
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
index 2c09e742c2..ca77e7c014 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Failed To Authenticate Using NTLM
id: 6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4
type: Anomaly
-version: 9
+version: 10
status: production
-date: '2026-02-25'
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4776
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: Workstation
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
index 3b856fb421..02b6cc26e1 100644
--- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Remotely Failed To Auth From Host
id: cf06a0ee-ffa9-4ed3-be77-0670ed9bab52
type: Anomaly
-version: 9
+version: 10
status: production
-date: '2026-02-25'
+date: '2026-02-26'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
@@ -42,7 +42,7 @@ rba:
risk_objects:
- field: Computer
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml
index e1370b5d71..837e6c2f9d 100644
--- a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml
+++ b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml
@@ -1,7 +1,7 @@
name: Windows Unusual FileZilla XML Config Access
id: 47dc0426-cbe4-4253-8b86-1a983c3f9951
-version: 1
-date: '2025-07-16'
+version: 2
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 40
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
index 7104f375e0..6055122e4b 100644
--- a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
+++ b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
@@ -1,7 +1,7 @@
name: Windows Unusual Intelliform Storage Registry Access
id: 99d69078-7dae-4ffe-9f3d-063242772f5a
-version: 2
-date: '2025-09-30'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 35
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
index 4b7af0e2d8..f677b753d9 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Destinations By Source
id: ae9b0df5-5fb0-477f-abc9-47faf42aa91d
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -57,7 +57,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
index 5438682739..78fb45616a 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Destinations By User
id: a4d86702-402b-4a4f-8d06-9d61e6c39cad
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -60,7 +60,7 @@ rba:
risk_objects:
- field: user
type: user
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
index 10d6567451..a0002885a2 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Users By Destination
id: 1120a204-8444-428b-8657-6ea4e1f3e840
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -59,7 +59,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
index cbf8c3478c..8d4cd4dc5c 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Users By Source
id: 80fcc4d4-fd90-488e-b55a-4e7190ae6ce2
-version: 7
-date: '2026-01-14'
+version: 8
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -59,7 +59,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
index 43d53ed122..8f20c7b9f5 100644
--- a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
+++ b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
@@ -1,7 +1,7 @@
name: Windows Unusual Process Load Mozilla NSS-Mozglue Module
id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd
-version: 4
-date: '2025-12-16'
+version: 5
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,7 +27,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 30
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
index f04ddaf6a3..11a9ba4210 100644
--- a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
+++ b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
@@ -1,7 +1,7 @@
name: Windows Unusual SysWOW64 Process Run System32 Executable
id: e4602172-db86-4315-86df-da66fb40bcde
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 40
+ score: 20
threat_objects:
- field: process_path
type: process_name
diff --git a/detections/endpoint/windows_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml
index 2c980641f8..de0a434b3d 100644
--- a/detections/endpoint/windows_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_usbstor_registry_key_modification.yml
@@ -1,7 +1,7 @@
name: Windows USBSTOR Registry Key Modification
id: a345980a-417d-4ed3-9fb4-cac30c9405a0
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -48,7 +48,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 10
+ score: 20
threat_objects:
- field: object_name
type: registry_value_name
diff --git a/detections/endpoint/windows_user_deletion_via_net.yml b/detections/endpoint/windows_user_deletion_via_net.yml
index 4db2aca5f1..7cb6f4aa16 100644
--- a/detections/endpoint/windows_user_deletion_via_net.yml
+++ b/detections/endpoint/windows_user_deletion_via_net.yml
@@ -1,7 +1,7 @@
name: Windows User Deletion Via Net
id: b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -46,10 +46,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 25
+ score: 20
- field: dest
type: system
- score: 25
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_user_disabled_via_net.yml b/detections/endpoint/windows_user_disabled_via_net.yml
index e0ee3315fc..43a8fdf8c0 100644
--- a/detections/endpoint/windows_user_disabled_via_net.yml
+++ b/detections/endpoint/windows_user_disabled_via_net.yml
@@ -1,7 +1,7 @@
name: Windows User Disabled Via Net
id: b0359e05-c87b-4354-83d8-aee0d890243f
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -46,10 +46,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 42
+ score: 20
- field: dest
type: system
- score: 42
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index 63a5a708f4..c368b7c2ad 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,7 +1,7 @@
name: Windows User Execution Malicious URL Shortcut File
id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: 10
-date: '2025-09-18'
+version: 11
+date: '2026-02-26'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -28,10 +28,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 50
+ score: 20
- field: dest
type: system
- score: 50
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml b/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml
index ba1129687e..30c64d04d5 100644
--- a/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml
+++ b/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml
@@ -1,7 +1,7 @@
name: Windows WBAdmin File Recovery From Backup
id: 0175f0b7-728d-4038-bbf1-1c30d6ee3d31
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -66,7 +66,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 30
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml
index 6abfbf5240..620a6a7913 100644
--- a/detections/endpoint/windows_wmi_impersonate_token.yml
+++ b/detections/endpoint/windows_wmi_impersonate_token.yml
@@ -1,7 +1,7 @@
name: Windows WMI Impersonate Token
id: cf192860-2d94-40db-9a51-c04a2e8a8f8b
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,7 +28,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml
index 4e6817c1b9..7501af7e62 100644
--- a/detections/endpoint/windows_wmi_process_and_service_list.yml
+++ b/detections/endpoint/windows_wmi_process_and_service_list.yml
@@ -1,7 +1,7 @@
name: Windows WMI Process And Service List
id: ef3c5ef2-3f6d-4087-aa75-49bf746dc907
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -43,7 +43,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 4
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/endpoint/windows_wmic_cpu_discovery.yml b/detections/endpoint/windows_wmic_cpu_discovery.yml
index 05696809b2..600eb878e7 100644
--- a/detections/endpoint/windows_wmic_cpu_discovery.yml
+++ b/detections/endpoint/windows_wmic_cpu_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic CPU Discovery
id: 6fc46cae-a8c0-4296-b07a-8e52d4322587
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_wmic_diskdrive_discovery.yml b/detections/endpoint/windows_wmic_diskdrive_discovery.yml
index ea2b29d2ca..c8da300859 100644
--- a/detections/endpoint/windows_wmic_diskdrive_discovery.yml
+++ b/detections/endpoint/windows_wmic_diskdrive_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic DiskDrive Discovery
id: 85e88c80-e4ee-4c65-b02e-3c54d94c7a51
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_wmic_memory_chip_discovery.yml b/detections/endpoint/windows_wmic_memory_chip_discovery.yml
index dfee0d6bd1..2b9899ab16 100644
--- a/detections/endpoint/windows_wmic_memory_chip_discovery.yml
+++ b/detections/endpoint/windows_wmic_memory_chip_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic Memory Chip Discovery
id: aecaddaa-5885-4e44-a724-1edd5ecbc79f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_wmic_network_discovery.yml b/detections/endpoint/windows_wmic_network_discovery.yml
index c1530f1497..b64246fce1 100644
--- a/detections/endpoint/windows_wmic_network_discovery.yml
+++ b/detections/endpoint/windows_wmic_network_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic Network Discovery
id: cce82b81-c716-4b6c-bac9-33e6a6925cc2
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_wmic_shadowcopy_delete.yml b/detections/endpoint/windows_wmic_shadowcopy_delete.yml
index feee823bf0..544c43cc57 100644
--- a/detections/endpoint/windows_wmic_shadowcopy_delete.yml
+++ b/detections/endpoint/windows_wmic_shadowcopy_delete.yml
@@ -1,7 +1,7 @@
name: Windows WMIC Shadowcopy Delete
id: 0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2026-02-26'
author: Michael Haag, AJ King, Splunk
status: production
type: Anomaly
@@ -33,7 +33,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 10
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
index 6fc27c8e74..4302531eb0 100644
--- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml
+++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic Systeminfo Discovery
id: 97937ece-cb13-4dbc-9684-c0dc3afd400a
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
index 0f28f9cee8..532a04da9a 100644
--- a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
@@ -1,7 +1,7 @@
name: Windows WPDBusEnum Registry Key Modification
id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -50,7 +50,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 10
+ score: 20
threat_objects:
- field: object_name
type: registry_value_name
diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml
index 0d4eb32a2a..40fcaf99ec 100644
--- a/detections/endpoint/wmi_recon_running_process_or_services.yml
+++ b/detections/endpoint/wmi_recon_running_process_or_services.yml
@@ -1,7 +1,7 @@
name: WMI Recon Running Process Or Services
id: b5cd5526-cce7-11eb-b3bd-acde48001122
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml
index c244c00d03..093cb02466 100644
--- a/detections/endpoint/wmic_group_discovery.yml
+++ b/detections/endpoint/wmic_group_discovery.yml
@@ -1,7 +1,7 @@
name: Wmic Group Discovery
id: 83317b08-155b-11ec-8e00-acde48001122
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -43,10 +43,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 3
+ score: 20
- field: dest
type: system
- score: 3
+ score: 20
threat_objects:
- field: parent_process_name
type: parent_process_name
diff --git a/detections/network/cisco_ios_suspicious_privileged_account_creation.yml b/detections/network/cisco_ios_suspicious_privileged_account_creation.yml
index cda2499616..3cd749cd1d 100644
--- a/detections/network/cisco_ios_suspicious_privileged_account_creation.yml
+++ b/detections/network/cisco_ios_suspicious_privileged_account_creation.yml
@@ -1,7 +1,7 @@
name: Cisco IOS Suspicious Privileged Account Creation
id: 63e3aff9-45d7-4d41-bcdb-9da561fb4533
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
@@ -45,10 +45,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 50
+ score: 20
- field: user
type: user
- score: 50
+ score: 20
threat_objects:
- field: command
type: command
diff --git a/detections/network/cisco_network_interface_modifications.yml b/detections/network/cisco_network_interface_modifications.yml
index 93ec00f847..9e094bd956 100644
--- a/detections/network/cisco_network_interface_modifications.yml
+++ b/detections/network/cisco_network_interface_modifications.yml
@@ -1,7 +1,7 @@
name: Cisco Network Interface Modifications
id: 61ae09c2-079e-44b1-8be0-74e35c5a679e
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
@@ -43,10 +43,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 55
+ score: 20
- field: user
type: user
- score: 45
+ score: 20
threat_objects:
- field: command
type: command
diff --git a/detections/network/cisco_secure_firewall___binary_file_type_download.yml b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
index 295ff31dc9..f0a5a96bf3 100644
--- a/detections/network/cisco_secure_firewall___binary_file_type_download.yml
+++ b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Binary File Type Download
id: 24b2c2e3-2ff7-4a23-b814-87f8a62028cd
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -52,7 +52,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: file_name
type: file_name
diff --git a/detections/network/cisco_secure_firewall___bits_network_activity.yml b/detections/network/cisco_secure_firewall___bits_network_activity.yml
index 717304d74a..ecb37cfb20 100644
--- a/detections/network/cisco_secure_firewall___bits_network_activity.yml
+++ b/detections/network/cisco_secure_firewall___bits_network_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Bits Network Activity
id: b08e69d4-b42d-494c-bd30-abaaa3571ba4
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -43,10 +43,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
- field: dest
type: system
- score: 25
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/network/cisco_secure_firewall___blocked_connection.yml b/detections/network/cisco_secure_firewall___blocked_connection.yml
index 5f73ada5a3..a20d266fd4 100644
--- a/detections/network/cisco_secure_firewall___blocked_connection.yml
+++ b/detections/network/cisco_secure_firewall___blocked_connection.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Blocked Connection
id: 17e9b764-3a2b-4d36-9751-32d13ce4718b
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: EVE_Process
type: process_name
diff --git a/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml b/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
index 4bfc6951a9..f2e40c66fb 100644
--- a/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
+++ b/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Communication Over Suspicious Ports
id: d85c05c8-42c0-4e4a-87e7-4e1bb3e844e3
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml b/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
index b796274aa4..feba5ef4fd 100644
--- a/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
+++ b/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Connection to File Sharing Domain
id: f7e5e792-d907-46c1-a58e-4ff974dc462a
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -51,7 +51,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
index 047de510cf..a77bae6e28 100644
--- a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
+++ b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - File Download Over Uncommon Port
id: f26445a8-a6a2-4855-bec0-0c39e52e5b8f
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -49,7 +49,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: file_name
type: file_name
diff --git a/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml b/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
index 08d58e9368..0ef616b5b3 100644
--- a/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
+++ b/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - High EVE Threat Confidence
id: 8c15183e-2e70-4db4-86c3-88f8d9129b66
-version: 4
-date: '2026-01-21'
+version: 5
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
index 547ae3abe2..2a252cb1bf 100644
--- a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
+++ b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - High Volume of Intrusion Events Per Host
id: 9f2295a0-0dcb-4a5f-b013-8a6f2a3c11f6
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -49,7 +49,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 40
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml b/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml
index fe1af08b56..098dbc6798 100644
--- a/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml
+++ b/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Intrusion Events by Threat Activity
id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
-version: 7
-date: '2026-01-21'
+version: 8
+date: '2026-02-26'
author: Bhavin Patel, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -74,7 +74,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 50
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml
index 84218a91aa..1b6c335525 100644
--- a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml
+++ b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Lumma Stealer Download Attempt
id: 66f22f52-fbae-4be7-a263-561dacb63613
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: Anomaly
@@ -44,7 +44,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml
index 1093f601ae..6de65968c7 100644
--- a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml
+++ b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
id: 66f22f52-fbae-4be7-a263-561dacb63612
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: Anomaly
@@ -44,7 +44,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
index b38e863d97..73ad8316d9 100644
--- a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
+++ b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Malware File Downloaded
id: 3cc93f52-5aa6-4b7f-83b9-3430b1436813
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -47,7 +47,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: file_name
type: file_name
diff --git a/detections/network/cisco_secure_firewall___possibly_compromised_host.yml b/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
index e3f95f4292..905d4c3250 100644
--- a/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
+++ b/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Possibly Compromised Host
id: 244a77bb-3b2a-46f1-bf2c-b4f7cd29276d
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: experimental
type: Anomaly
@@ -46,7 +46,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 35
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml b/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
index 3c1ab21583..32bb9c579c 100644
--- a/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
+++ b/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Potential Data Exfiltration
id: 3d8536b6-52b4-4c3e-b695-3f2e90bb22be
-version: 4
-date: '2026-01-21'
+version: 5
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -52,7 +52,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 40
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml b/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml
index f36eeeaff7..66dce64c2e 100644
--- a/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml
+++ b/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Privileged Command Execution via HTTP
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -60,7 +60,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 80
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml b/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
index c001c134ce..8058dbf710 100644
--- a/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
+++ b/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Remote Access Software Usage Traffic
id: ac54d39e-a75d-4f42-971d-006db3a0423a
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -60,7 +60,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: ClientApplication
type: signature
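Review bot: Flattening `score: 80` to `score: 20` in the Privileged Command Execution via HTTP hunk (`@@ -60,7 +60,7 @@`) removes the weighting that set this analytic apart from the Remote Access Software Usage Traffic and Potential Data Exfiltration hunks on the same line, which only move 25 → 20 and 40 → 20. A privileged command reaching the `dest` system is a much stronger compromise signal than remote-access tooling traffic, yet after this change both add the same 20 to the system's accumulated risk. If the intent is a flat baseline for every Anomaly-type detection, that rationale should be stated where the score is set, e.g. `# Baseline risk score for Anomaly detections; escalation is expected from risk aggregation` above `risk_objects:`, so the next maintainer does not read the 20 as a fidelity downgrade. The search, description and any risk threshold this score feeds are outside the hunk, so I cannot confirm a compensating change elsewhere.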
diff --git a/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml b/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
index fa1b8c984f..0ebb6da674 100644
--- a/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
+++ b/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Repeated Blocked Connections
id: 1f57f10e-1dc5-47ea-852c-2e85b2503d79
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -49,7 +49,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml b/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
index e3c71c8dcf..bfb784b57f 100644
--- a/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
+++ b/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Repeated Malware Downloads
id: aeff2bb5-3483-48d4-9be8-c8976194be1e
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -55,7 +55,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: file_name
type: file_name
diff --git a/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml b/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
index c12a3eb57c..0ac04badbe 100644
--- a/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
+++ b/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
id: a4c76d0a-56b6-44be-814b-939746c4d406
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -50,7 +50,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml b/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml
index ffb365ab6a..9c43b4c2a0 100644
--- a/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml
+++ b/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - SSH Connection to Non-Standard Port
id: 9b0c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -60,7 +60,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 50
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml b/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml
index 855cecd6a0..96e49b9bb9 100644
--- a/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml
+++ b/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - SSH Connection to sshd_operns
id: 8a9c1d2e-3f4b-5c6d-7e8f-9a0b1c2d3e4f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -61,7 +61,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 50
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/network/cisco_secure_firewall___wget_or_curl_download.yml b/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
index 889a8c46d3..9da02d463f 100644
--- a/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
+++ b/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Wget or Curl Download
id: 173a1cb9-1814-4128-a9dc-f29dade89957
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -52,7 +52,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: EVE_Process
type: process_name
diff --git a/detections/network/cisco_snmp_community_string_configuration_changes.yml b/detections/network/cisco_snmp_community_string_configuration_changes.yml
index 024b217ddd..badec392ad 100644
--- a/detections/network/cisco_snmp_community_string_configuration_changes.yml
+++ b/detections/network/cisco_snmp_community_string_configuration_changes.yml
@@ -1,7 +1,7 @@
name: Cisco SNMP Community String Configuration Changes
id: b0ce5521-2533-4f24-b8d5-c2ff977aae08
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
@@ -43,10 +43,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 60
+ score: 20
- field: user
type: user
- score: 40
+ score: 20
threat_objects:
- field: command
type: command
diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
index 45fa505511..8a913cb126 100644
--- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
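Review bot: The SNMP Community String Configuration Changes hunk (`@@ -43,10 +43,10 @@`) collapses two deliberately different weights, `dest` 60 and `user` 40, into a single 20 for both risk objects, so the asymmetry that made the device carry more risk than the operator who issued the command is gone. A community-string change is an access-control modification on the network device itself, and the original 60/40 split looks like it encoded that the system is the primary victim while the user is a secondary lead. If a uniform 20 is now policy, it would help to keep the distinction somewhere, either by leaving the `dest` object slightly higher or by noting in the rba block why system and user are weighted equally, e.g. `# dest and user intentionally share the baseline score`. The surrounding search and description are outside this hunk.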
@@ -1,7 +1,7 @@
name: Detect DGA domains using pretrained model in DSDL
id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
status: experimental
type: Anomaly
@@ -31,7 +31,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 63
+ score: 20
threat_objects:
- field: domain
type: url
diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
index 644f6f3403..af729d25ac 100644
--- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
name: Detect DNS Data Exfiltration using pretrained model in DSDL
id: 92f65c3a-168c-11ed-71eb-0242ac120012
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
status: experimental
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
type: Anomaly
@@ -36,7 +36,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 45
+ score: 20
threat_objects:
- field: query
type: domain
diff --git a/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml b/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
index a4f816e598..a6866ca046 100644
--- a/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
+++ b/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
@@ -1,7 +1,7 @@
name: Detect DNS Query to Decommissioned S3 Bucket
id: 2f1c5fd1-4b8a-4f5d-a0e9-7d6a8e2f5e1e
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
author: Jose Hernandez, Splunk
status: experimental
type: Anomaly
@@ -36,7 +36,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: query
type: domain
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml
index 0a6168405c..1b967eed35 100644
--- a/detections/network/detect_remote_access_software_usage_dns.yml
+++ b/detections/network/detect_remote_access_software_usage_dns.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage DNS
id: a16b797d-e309-41bd-8ba0-5067dae2e4be
-version: 11
-date: '2026-01-19'
+version: 12
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -51,7 +51,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: query
type: domain
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml
index 4ea3803f9b..11a7246a46 100644
--- a/detections/network/detect_remote_access_software_usage_traffic.yml
+++ b/detections/network/detect_remote_access_software_usage_traffic.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage Traffic
id: 885ea672-07ee-475a-879e-60d28aa5dd42
-version: 12
-date: '2026-01-19'
+version: 13
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -55,10 +55,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
- field: user
type: user
- score: 25
+ score: 20
threat_objects:
- field: signature
type: signature
diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
index 0ae70bedad..16e263e174 100644
--- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
name: Detect suspicious DNS TXT records using pretrained model in DSDL
id: 92f65c3a-968c-11ed-a1eb-0242ac120002
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
status: experimental
type: Anomaly
@@ -35,7 +35,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 45
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml
index 5e9aeef268..4b2cc717aa 100644
--- a/detections/network/dns_query_length_outliers___mltk.yml
+++ b/detections/network/dns_query_length_outliers___mltk.yml
@@ -1,7 +1,7 @@
name: DNS Query Length Outliers - MLTK
id: 85fbcfe8-9718-4911-adf6-7000d077a3a9
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Rico Valdez, Splunk
status: experimental
type: Anomaly
@@ -29,7 +29,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml
index 0f2734beeb..8ce8b42dc9 100644
--- a/detections/network/dns_query_length_with_high_standard_deviation.yml
+++ b/detections/network/dns_query_length_with_high_standard_deviation.yml
@@ -1,7 +1,7 @@
name: DNS Query Length With High Standard Deviation
id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5
-version: 13
-date: '2026-02-25'
+version: 14
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -46,7 +46,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: query
type: url
diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml
index 7c7c53af46..8e972f76fd 100644
--- a/detections/network/excessive_dns_failures.yml
+++ b/detections/network/excessive_dns_failures.yml
@@ -1,7 +1,7 @@
name: Excessive DNS Failures
id: 104658f4-afdc-499e-9719-17243f9826f1
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: bowesmana, Bhavin Patel, Splunk
status: experimental
type: Anomaly
@@ -32,7 +32,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
index 3064879113..a5986ff5ad 100644
--- a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
+++ b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
@@ -1,7 +1,7 @@
name: Hosts receiving high volume of network traffic from email server
id: 7f5fb3e1-4209-4914-90db-0ec21b556368
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
@@ -22,7 +22,7 @@ rba:
risk_objects:
- field: src_ip
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/http_pua_user_agent.yml b/detections/network/http_pua_user_agent.yml
index 43f630884f..7b16d35dfe 100644
--- a/detections/network/http_pua_user_agent.yml
+++ b/detections/network/http_pua_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP PUA User Agent
id: 21af5447-734f-4549-956b-7a255cb2b032
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 32
+ score: 20
threat_objects:
- field: http_user_agent
type: http_user_agent
diff --git a/detections/network/http_rmm_user_agent.yml b/detections/network/http_rmm_user_agent.yml
index 4c28b34721..7285415d5f 100644
--- a/detections/network/http_rmm_user_agent.yml
+++ b/detections/network/http_rmm_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP RMM User Agent
id: 61884b02-0dcf-44c5-9094-db33bac09fa6
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -40,7 +40,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 44
+ score: 20
threat_objects:
- field: http_user_agent
type: http_user_agent
diff --git a/detections/network/large_volume_of_dns_any_queries.yml b/detections/network/large_volume_of_dns_any_queries.yml
index 25e4a21f99..84f46eb085 100644
--- a/detections/network/large_volume_of_dns_any_queries.yml
+++ b/detections/network/large_volume_of_dns_any_queries.yml
@@ -1,7 +1,7 @@
name: Large Volume of DNS ANY Queries
id: 8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
@@ -22,7 +22,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml
index 3444e93eca..6c23acd07a 100644
--- a/detections/network/ngrok_reverse_proxy_on_network.yml
+++ b/detections/network/ngrok_reverse_proxy_on_network.yml
@@ -1,7 +1,7 @@
name: Ngrok Reverse Proxy on Network
id: 5790a766-53b8-40d3-a696-3547b978fcf0
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -36,7 +36,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 50
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml
index ca3b471029..685dbd4b8e 100644
--- a/detections/network/protocol_or_port_mismatch.yml
+++ b/detections/network/protocol_or_port_mismatch.yml
@@ -1,7 +1,7 @@
name: Protocol or Port Mismatch
id: 54dc1265-2f74-4b6d-b30d-49eb506a31b3
-version: 9
-date: '2026-01-29'
+version: 10
+date: '2026-02-26'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -60,7 +60,7 @@ rba:
risk_objects:
- field: src_ip
type: system
- score: 25
+ score: 20
threat_objects:
- field: dest_ip
type: ip_address
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml
index 2cf108ba0a..756b7c524d 100644
--- a/detections/network/protocols_passing_authentication_in_cleartext.yml
+++ b/detections/network/protocols_passing_authentication_in_cleartext.yml
@@ -1,7 +1,7 @@
name: Protocols passing authentication in cleartext
id: 6923cd64-17a0-453c-b945-81ac2d8c6db9
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -48,10 +48,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 25
+ score: 20
- field: dest
type: system
- score: 25
+ score: 20
threat_objects:
- field: dest
type: ip_address
diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml
index 7693fb305b..6fcf518375 100644
--- a/detections/network/remote_desktop_network_traffic.yml
+++ b/detections/network/remote_desktop_network_traffic.yml
@@ -1,7 +1,7 @@
name: Remote Desktop Network Traffic
id: 272b8407-842d-4b3d-bead-a704584003d3
-version: 14
-date: '2026-02-25'
+version: 15
+date: '2026-02-26'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -41,7 +41,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects:
- field: dest
type: ip_address
diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml
index 70b4484e0d..d268dae214 100644
--- a/detections/network/smb_traffic_spike.yml
+++ b/detections/network/smb_traffic_spike.yml
@@ -1,7 +1,7 @@
name: SMB Traffic Spike
id: 7f5fb3e1-4209-4914-90db-0ec21b936378
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
@@ -31,7 +31,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml
index 822346a3d6..7b7d2bb50c 100644
--- a/detections/network/smb_traffic_spike___mltk.yml
+++ b/detections/network/smb_traffic_spike___mltk.yml
@@ -1,7 +1,7 @@
name: SMB Traffic Spike - MLTK
id: d25773ba-9ad8-48d1-858e-07ad0bbeb828
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-02-26'
author: Rico Valdez, Splunk
status: experimental
type: Anomaly
@@ -32,7 +32,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml
index 50f2b7b6de..3f4cb3b1ef 100644
--- a/detections/network/suspicious_process_with_discord_dns_query.yml
+++ b/detections/network/suspicious_process_with_discord_dns_query.yml
@@ -1,7 +1,7 @@
name: Suspicious Process With Discord DNS Query
id: 4d4332ae-792c-11ec-89c1-acde48001122
-version: 10
-date: '2025-05-02'
+version: 11
+date: '2026-02-26'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -29,7 +29,7 @@ rba:
risk_objects:
- field: dvc
type: system
- score: 64
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
index deac2b6ad7..05068a1e98 100644
--- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
+++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
@@ -1,7 +1,7 @@
name: Windows DNS Query Request by Telegram Bot API
id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 22
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: dvc
type: system
- score: 36
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
index 9d29cccb88..6d2436b1b4 100644
--- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
+++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
@@ -1,7 +1,7 @@
name: Windows Gather Victim Network Info Through Ip Check Web Services
id: 70f7c952-0758-46d6-9148-d8969c4481d1
-version: 16
-date: '2026-02-25'
+version: 17
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: dvc
type: system
- score: 36
+ score: 20
threat_objects:
- field: process_name
type: process_name
diff --git a/detections/network/windows_multi_hop_proxy_tor_website_query.yml b/detections/network/windows_multi_hop_proxy_tor_website_query.yml
index 15832cda67..1cb83d16fd 100644
--- a/detections/network/windows_multi_hop_proxy_tor_website_query.yml
+++ b/detections/network/windows_multi_hop_proxy_tor_website_query.yml
@@ -1,7 +1,7 @@
name: Windows Multi hop Proxy TOR Website Query
id: 4c2d198b-da58-48d7-ba27-9368732d0054
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-02-26'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: dvc
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
index acbec1e59a..618f75d5f8 100644
--- a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
+++ b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
@@ -1,7 +1,7 @@
name: Windows Remote Desktop Network Bruteforce Attempt
id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Jose Hernandez, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -45,7 +45,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml b/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml
index e2f1df3dca..2f7d9d8b90 100644
--- a/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml
+++ b/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml
@@ -1,7 +1,7 @@
name: Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
id: bef92f3f-7dc8-413a-8989-50581039e250
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -50,7 +50,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 85
+ score: 20
threat_objects:
- field: src
type: system
diff --git a/detections/web/crushftp_max_simultaneous_users_from_ip.yml b/detections/web/crushftp_max_simultaneous_users_from_ip.yml
index 215853c547..3337021aa5 100644
--- a/detections/web/crushftp_max_simultaneous_users_from_ip.yml
+++ b/detections/web/crushftp_max_simultaneous_users_from_ip.yml
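Review bot: Dropping `score: 85` to `score: 20` in the CitrixBleed 2 Memory Disclosure hunk (`@@ -50,7 +50,7 @@`) is the largest single cut on this page and puts a detection for a named memory-disclosure exploit on the same footing as the RDP bruteforce hunk above it, which moves only 25 → 20. Where risk scores are summed per risk object before a notable fires, one confirmed CitrixBleed hit on `dest` will now need several other unrelated anomalies on the same host before it surfaces, which appears to invert what the original 85 was encoding. If this is a deliberate move to a flat baseline for all Anomaly-type detections, say so in the file, e.g. `# Score intentionally baseline; pair with a Rule-type detection for direct alerting` above `risk_objects:`, and confirm a higher-scoring companion exists; neither the search nor any such companion is visible in this diff.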
@@ -1,7 +1,7 @@
name: CrushFTP Max Simultaneous Users From IP
id: 75dfd9f4-ca64-45d0-9422-4bde6d26a59e
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,7 +29,7 @@ rba:
risk_objects:
- field: src_ip
type: system
- score: 45
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
index 9f5f764341..37cf8b68da 100644
--- a/detections/web/detect_remote_access_software_usage_url.yml
+++ b/detections/web/detect_remote_access_software_usage_url.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage URL
id: 9296f515-073c-43a5-88ec-eda5a4626654
-version: 12
-date: '2026-01-19'
+version: 13
+date: '2026-02-26'
author: Steven Dick
status: production
type: Anomaly
@@ -52,10 +52,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 25
+ score: 20
- field: user
type: user
- score: 25
+ score: 20
threat_objects:
- field: url_domain
type: domain
diff --git a/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml b/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
index 9009ab8375..058e51f44a 100644
--- a/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
+++ b/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
@@ -1,7 +1,7 @@
name: Detect Web Access to Decommissioned S3 Bucket
id: 3a1d8f62-5b9c-4e7d-b8f3-9d6a8e2f5e1f
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
author: Jose Hernandez, Splunk
status: experimental
type: Anomaly
@@ -38,7 +38,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 30
+ score: 20
threat_objects:
- field: url_domain
type: domain
diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
index 778800bbaf..2877341d6a 100644
--- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
+++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
@@ -1,7 +1,7 @@
name: Exploit Public Facing Application via Apache Commons Text
id: 19a481e0-c97c-4d14-b1db-75a708eb592e
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -47,7 +47,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/web/high_volume_of_bytes_out_to_url.yml b/detections/web/high_volume_of_bytes_out_to_url.yml
index a14d7dd301..7d712869cd 100644
--- a/detections/web/high_volume_of_bytes_out_to_url.yml
+++ b/detections/web/high_volume_of_bytes_out_to_url.yml
@@ -1,7 +1,7 @@
name: High Volume of Bytes Out to Url
id: c8a6b56d-16dd-4e9c-b4bd-527742ead98d
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Bhavin Patel, Splunk
data_source:
- Nginx Access
@@ -35,7 +35,7 @@ rba:
risk_objects:
- field: src
type: system
- score: 9
+ score: 20
threat_objects:
- field: dest
type: ip_address
diff --git a/detections/web/http_duplicated_header.yml b/detections/web/http_duplicated_header.yml
index 44fe601d8d..8dac0f667a 100644
--- a/detections/web/http_duplicated_header.yml
+++ b/detections/web/http_duplicated_header.yml
@@ -1,7 +1,7 @@
name: HTTP Duplicated Header
id: 1606cc5b-fd5f-4865-9fe3-0ed1eaec2df6
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -43,7 +43,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 51
+ score: 20
threat_objects:
- field: src_ip
type: ip_address
diff --git a/detections/web/http_rapid_post_with_mixed_status_codes.yml b/detections/web/http_rapid_post_with_mixed_status_codes.yml
index 111eeeb3c8..0cc90d4784 100644
--- a/detections/web/http_rapid_post_with_mixed_status_codes.yml
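Review bot: The High Volume of Bytes Out to Url hunk (`@@ -35,7 +35,7 @@`) is the one place on this page where a score goes up, 9 → 20, while the Apache Commons Text exploit hunk directly above it goes down 49 → 20, so a volumetric egress heuristic on `Nginx Access` data now contributes exactly as much risk to `src` as an exploitation attempt contributes to `dest`. A score of 9 usually signals that the author expected frequent benign hits from large uploads, and more than doubling it without touching the volume threshold is likely to raise false-positive risk on busy web clients. If the flat 20 is intentional, a short note explaining why this detection was raised rather than left low would make the change reviewable, e.g. `# Raised from 9 to match the Anomaly baseline; tune the bytes_out threshold if noisy`; the search and known_false_positives text are outside this hunk.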
+++ b/detections/web/http_rapid_post_with_mixed_status_codes.yml
@@ -1,7 +1,7 @@
name: HTTP Rapid POST with Mixed Status Codes
id: c8c987d6-3a1a-4555-9a52-eea0741b6113
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -39,7 +39,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 40
+ score: 20
threat_objects:
- field: src_ip
type: ip_address
diff --git a/detections/web/http_scripting_tool_user_agent.yml b/detections/web/http_scripting_tool_user_agent.yml
index 249f417802..508c555059 100644
--- a/detections/web/http_scripting_tool_user_agent.yml
+++ b/detections/web/http_scripting_tool_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP Scripting Tool User Agent
id: 04430b4e-5ca8-4e88-98b5-d6bcf54f8393
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -44,7 +44,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 31
+ score: 20
threat_objects:
- field: src_ip
type: ip_address
diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
index 54b19a3fb2..c6b04e8ba7 100644
--- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
+++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
@@ -1,7 +1,7 @@
name: Ivanti Connect Secure System Information Access via Auth Bypass
id: d51c13dd-a232-4c83-a2bb-72ab36233c5d
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -37,7 +37,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 72
+ score: 20
threat_objects: []
tags:
cve:
diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml
index d2dac9ac8d..377c724007 100644
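Review bot: The Ivanti Connect Secure auth-bypass hunk (`@@ -37,7 +37,7 @@`) cuts `score: 72` to `score: 20` on a detection that, per the `cve:` tag visible two lines below the change, tracks a specific published vulnerability, and it does so with `threat_objects: []`, so after this change the notable carries neither a strong score nor an attacker-side object to pivot on. That combination makes the risk event hard to distinguish from the HTTP Scripting Tool User Agent hunk on the same line (31 → 20), which is a generic heuristic rather than an exploit signature. If the flat baseline is policy, it would be worth at least adding a `src` or `src_ip` threat object here so the event still carries the requesting host, as the neighbouring web hunks do; the search that would populate such a field is outside this hunk, so I cannot confirm it is available.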
--- a/detections/web/log4shell_jndi_payload_injection_attempt.yml
+++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml
@@ -1,7 +1,7 @@
name: Log4Shell JNDI Payload Injection Attempt
id: c184f12e-5c90-11ec-bf1f-497c9a704a72
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Jose Hernandez
status: production
type: Anomaly
@@ -32,10 +32,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 15
+ score: 20
- field: dest
type: system
- score: 15
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
index 8f422a17d1..e22e7a298f 100644
--- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
+++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
@@ -1,7 +1,7 @@
name: Log4Shell JNDI Payload Injection with Outbound Connection
id: 69afee44-5c91-11ec-bf1f-497c9a704a72
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Jose Hernandez
status: production
type: Anomaly
@@ -31,10 +31,10 @@ rba:
risk_objects:
- field: user
type: user
- score: 15
+ score: 20
- field: dest
type: system
- score: 15
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/web/tomcat_session_deserialization_attempt.yml b/detections/web/tomcat_session_deserialization_attempt.yml
index a3206323a1..e4d70a3981 100644
--- a/detections/web/tomcat_session_deserialization_attempt.yml
+++ b/detections/web/tomcat_session_deserialization_attempt.yml
@@ -1,7 +1,7 @@
name: Tomcat Session Deserialization Attempt
id: e28b4fd4-8f5a-41cd-8222-2f1ccca53ef1
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -50,7 +50,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 80
+ score: 20
threat_objects:
- field: src
type: ip_address
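Review bot: The Tomcat Session Deserialization Attempt hunk drops the `dest` score from 80 to 20, the largest cut in this batch, while the two Log4Shell hunks on the same line are raised from 15 to 20 — so an attempted deserialization exploit on a session file now weighs exactly the same as a JNDI string merely appearing in a request. Relative ordering between detections is what risk-based alerting aggregates on, and this hunk records no reason for collapsing it; if the 80 reflected the fidelity of the Tomcat check, the cut should at least be annotated, e.g. `score: 20  # normalized to RBA baseline in v4; previously 80`. If a flat baseline is deliberate, a higher-scoring correlation on the `src` threat object would be the place to restore the distinction, but that search is not part of this change.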
diff --git a/detections/web/tomcat_session_file_upload_attempt.yml b/detections/web/tomcat_session_file_upload_attempt.yml
index c17eea7110..1ab3e13973 100644
--- a/detections/web/tomcat_session_file_upload_attempt.yml
+++ b/detections/web/tomcat_session_file_upload_attempt.yml
@@ -1,7 +1,7 @@
name: Tomcat Session File Upload Attempt
id: a1d8f5c3-9b7e-4f2d-8c51-3bca5e672410
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -51,7 +51,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 70
+ score: 20
threat_objects:
- field: src
type: ip_address
diff --git a/detections/web/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml
index 72d1f1cf72..7ca1346646 100644
--- a/detections/web/unusually_long_content_type_length.yml
+++ b/detections/web/unusually_long_content_type_length.yml
@@ -1,7 +1,7 @@
name: Unusually Long Content-Type Length
id: 57a0a2bf-353f-40c1-84dc-29293f3c35b7
-version: 5
-date: '2025-05-02'
+version: 6
+date: '2026-02-26'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
@@ -23,10 +23,10 @@ rba:
risk_objects:
- field: dest
type: system
- score: 25
+ score: 20
- field: src
type: system
- score: 25
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
index 89a7930ec9..d2a86b0db3 100644
--- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
+++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
@@ -1,7 +1,7 @@
name: VMware Workspace ONE Freemarker Server-side Template Injection
id: 9e5726fe-8fde-460e-bd74-cddcf6c86113
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -41,7 +41,7 @@ rba:
risk_objects:
- field: dest
type: system
- score: 49
+ score: 20
threat_objects: []
tags:
analytic_story:
diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml
index e2e29d6d60..877b77e8d7 100644
--- a/detections/web/zscaler_adware_activities_threat_blocked.yml
+++ b/detections/web/zscaler_adware_activities_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Adware Activities Threat Blocked
id: 3407b250-345a-4d71-80db-c91e555a3ece
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 8
+ score: 20
- field: user
type: user
- score: 8
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
index e6929b39e8..27b53f11f7 100644
--- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml
+++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Behavior Analysis Threat Blocked
id: 289ad59f-8939-4331-b805-f2bd51d36fb8
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 8
+ score: 20
- field: user
type: user
- score: 8
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
index c3b31cf018..a43222e615 100644
--- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
+++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler CryptoMiner Downloaded Threat Blocked
id: ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 32
+ score: 20
- field: user
type: user
- score: 32
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml
index 7b59d5275f..01b95cf4bf 100644
--- a/detections/web/zscaler_employment_search_web_activity.yml
+++ b/detections/web/zscaler_employment_search_web_activity.yml
@@ -1,7 +1,7 @@
name: Zscaler Employment Search Web Activity
id: 5456bdef-d765-4565-8e1f-61ca027bc50e
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 4
+ score: 20
- field: user
type: user
- score: 4
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml
index 909f70bbad..c8ef6972f9 100644
--- a/detections/web/zscaler_legal_liability_threat_blocked.yml
+++ b/detections/web/zscaler_legal_liability_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Legal Liability Threat Blocked
id: bbf55ebf-c416-4f62-94d9-4064f2a28014
-version: 6
-date: '2026-02-25'
+version: 7
+date: '2026-02-26'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -35,10 +35,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 16
+ score: 20
- field: user
type: user
- score: 16
+ score: 20
threat_objects:
- field: url
type: url
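Review bot: Raising Zscaler Employment Search Web Activity from 4 to 20 on both the `src` and `user` risk objects gives a policy/insider-risk signal the same weight as the CryptoMiner Downloaded and Legal Liability blocks in the neighbouring hunks, which were lowered to 20. A user browsing job sites will now accrue risk on the `user` object as quickly as one whose cryptominer download was blocked, and since this detection fires on ordinary browsing it is likely to dominate user risk totals in environments that aggregate on a threshold (not visible here). Keeping non-threat categories below the baseline, e.g. `score: 5  # policy signal, not a threat indicator`, or annotating the flat score with its rationale, would preserve the ordering the old 4 expressed.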
diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml
index a9962370cd..dfcea1d562 100644
--- a/detections/web/zscaler_malware_activity_threat_blocked.yml
+++ b/detections/web/zscaler_malware_activity_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Malware Activity Threat Blocked
id: ae874ad8-e353-40a7-87d4-420cdfb27d1a
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 40
+ score: 20
- field: user
type: user
- score: 40
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml
index f10da211a6..bff024b31e 100644
--- a/detections/web/zscaler_phishing_activity_threat_blocked.yml
+++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Phishing Activity Threat Blocked
id: 68d3e2c1-e97f-4310-b080-dea180b48aa9
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 16
+ score: 20
- field: user
type: user
- score: 16
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml
index 21d87b9208..859b20fee3 100644
--- a/detections/web/zscaler_potentially_abused_file_download.yml
+++ b/detections/web/zscaler_potentially_abused_file_download.yml
@@ -1,7 +1,7 @@
name: Zscaler Potentially Abused File Download
id: b0c21379-f4ba-4bac-a958-897e260f964a
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 8
+ score: 20
- field: user
type: user
- score: 8
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
index 790fdee6d1..b9d3d77643 100644
--- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Privacy Risk Destinations Threat Blocked
id: 5456bdef-d765-4565-8e1f-61ca027bc50d
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -35,10 +35,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 8
+ score: 20
- field: user
type: user
- score: 8
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml
index f37f6b77ce..32ec9de465 100644
--- a/detections/web/zscaler_scam_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Scam Destinations Threat Blocked
id: a0c21379-f4ba-4bac-a958-897e260f964a
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 8
+ score: 20
- field: user
type: user
- score: 8
+ score: 20
threat_objects:
- field: url
type: url
diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml
index a6c1cf5704..3842504443 100644
--- a/detections/web/zscaler_virus_download_threat_blocked.yml
+++ b/detections/web/zscaler_virus_download_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Virus Download threat blocked
id: aa19e627-d448-4a31-85cd-82068dec5691
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-02-26'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -34,10 +34,10 @@ rba:
risk_objects:
- field: src
type: system
- score: 40
+ score: 20
- field: user
type: user
- score: 40
+ score: 20
threat_objects:
- field: url
type: url