anomaly_init_score

detections/application/cisco_ai_defense_security_alerts_by_application_name.yml

@@ -1,7 +1,7 @@
 name: Cisco AI Defense Security Alerts by Application Name
 id: 105e4a69-ec55-49fc-be1f-902467435ea8
-version: 4
-date: '2026-02-25'
+version: 5
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -56,7 +56,7 @@ rba:
     risk_objects:
         - field: application_name
           type: other
-          score: 10
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/cisco_asa___aaa_policy_tampering.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - AAA Policy Tampering
 id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -61,7 +61,7 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 40
+          score: 20
     threat_objects:
         - field: command
           type: process

detections/application/cisco_asa___device_file_copy_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy Activity
 id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -61,7 +61,7 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 50
+          score: 20
     threat_objects:
         - field: src_ip
           type: ip_address

detections/application/cisco_asa___device_file_copy_to_remote_location.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy to Remote Location
 id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -82,10 +82,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 50
+          score: 20
         - field: user
           type: user
-          score: 50
+          score: 20
     threat_objects:
         - field: dest
           type: ip_address

detections/application/cisco_asa___logging_filters_configuration_tampering.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -71,10 +71,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 60
+          score: 20
         - field: user
           type: user
-          score: 60
+          score: 20
     threat_objects:
         - field: command
           type: process

detections/application/cisco_asa___logging_message_suppression.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -56,10 +56,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 50
+          score: 20
         - field: user
           type: user
-          score: 50
+          score: 20
     threat_objects:
         - field: command
           type: process

detections/application/cisco_asa___new_local_user_account_created.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - New Local User Account Created
 id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -51,10 +51,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 40
+          score: 20
         - field: user
           type: user
-          score: 40
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/cisco_asa___packet_capture_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Packet Capture Activity
 id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -56,10 +56,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 50
+          score: 20
         - field: user
           type: user
-          score: 50
+          score: 20
     threat_objects:
         - field: command
           type: process

detections/application/cisco_asa___reconnaissance_command_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Reconnaissance Command Activity
 id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -112,10 +112,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 50
+          score: 20
         - field: user
           type: user
-          score: 40
+          score: 20
     threat_objects:
         - field: src_ip
           type: ip_address

detections/application/cisco_asa___user_account_deleted_from_local_database.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Deleted From Local Database
 id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -51,10 +51,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 40
+          score: 20
         - field: user
           type: user
-          score: 40
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Lockout Threshold Exceeded
 id: 3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -51,10 +51,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 40
+          score: 20
         - field: user
           type: user
-          score: 30
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/cisco_asa___user_privilege_level_change.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Privilege Level Change
 id: 5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-02-26'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -51,10 +51,10 @@ rba:
     risk_objects:
         - field: host
           type: system
-          score: 40
+          score: 20
         - field: user
           type: user
-          score: 40
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/email_attachments_with_lots_of_spaces.yml

@@ -1,7 +1,7 @@
 name: Email Attachments With Lots Of Spaces
 id: 56e877a6-1455-4479-ada6-0550dc1e22f8
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -26,7 +26,7 @@ rba:
     risk_objects:
         - field: src_user
           type: user
-          score: 25
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml

@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-02-26'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -28,7 +28,7 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 25
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/esxi_account_modified.yml

@@ -1,7 +1,7 @@
 name: ESXi Account Modified
 id: b5e3b024-a7bb-4019-8975-46cf54485e78
-version: 1
-date: '2025-07-01'
+version: 2
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 60
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/esxi_download_errors.yml

@@ -1,7 +1,7 @@
 name: ESXi Download Errors
 id: 515cccd0-c4d8-4427-92d9-8a8f8b5a71dc
-version: 1
-date: '2025-05-12'
+version: 2
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -25,7 +25,7 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 30
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/esxi_external_root_login_activity.yml

@@ -1,7 +1,7 @@
 name: ESXi External Root Login Activity
 id: 218bf991-6c63-4c26-a682-6ac1a53ad8f8
-version: 1
-date: '2025-05-13'
+version: 2
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -25,10 +25,10 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 45
+          score: 20
         - field: SrcIpAddr
           type: system
-          score: 45
+          score: 20
     threat_objects: []
 tags:
     analytic_story:

detections/application/esxi_shared_or_stolen_root_account.yml

@@ -1,7 +1,7 @@
 name: ESXi Shared or Stolen Root Account
 id: 1bc8f235-5d7c-457c-95ca-5e92edcb52ea
-version: 1
-date: '2025-05-09'
+version: 2
+date: '2026-02-26'
 author: Raven Tait, Splunk
 status: production
 type: Anomaly
@@ -27,7 +27,7 @@ rba:
     risk_objects:
         - field: dest
           type: system
-          score: 50
+          score: 20
     threat_objects: []
 tags:
     analytic_story: