diff --git a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
index 8bb0948c32..014c03323b 100644
--- a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
+++ b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
@@ -1,7 +1,7 @@
name: Cisco AI Defense Security Alerts by Application Name
id: 105e4a69-ec55-49fc-be1f-902467435ea8
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$application_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Cisco AI Defense Security Alert has been action - [$event_action$] for the application name - [$application_name$]
risk_objects:
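Review bot: The 7-day window now rests entirely on `earliest_offset: 7d`, and that value carries no sign; if contentctl passes it through as a Splunk relative-time modifier, the conventional form is `-7d` (or `-7d@d`), so confirm the rendered drilldown resolves to seven days in the past and not seven days ahead. `latest_offset: 0` is also an unquoted YAML integer while every other offset in this file is a string; if the schema or renderer expects a string, write `latest_offset: '0'` or use Splunk's `now`. The drilldown name still promises "the last 7 days", so the label and the window should be verified together.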
diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml
index e13e624e85..9dcac48b4b 100644
--- a/detections/application/cisco_asa___aaa_policy_tampering.yml
+++ b/detections/application/cisco_asa___aaa_policy_tampering.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - AAA Policy Tampering
id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed command $command$ to modify AAA configuration on Cisco ASA host $host$.
risk_objects:
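Review bot: The new search line keeps `endhoursago=1` while the outer window is now `latest_offset: 0`, so the two bounds disagree: the datamodel search still excludes the most recent hour of risk events even though the drilldown window nominally runs to now. Either drop `endhoursago=1` to match the window (the Duo drilldowns in this same change carry no inline time modifiers) or keep the gap deliberately and say so in the drilldown name. `earliest_offset: 7d` is an unsigned offset; verify the generated search uses `-7d` rather than a future window. The token is also interpolated unquoted as `IN ($host$)` while the Duo/AI Defense drilldowns quote theirs; `IN ("$host$")` survives a value with spaces or search-special characters.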
diff --git a/detections/application/cisco_asa___device_file_copy_activity.yml b/detections/application/cisco_asa___device_file_copy_activity.yml
index d9af3f38a6..79ccedde6a 100644
--- a/detections/application/cisco_asa___device_file_copy_activity.yml
+++ b/detections/application/cisco_asa___device_file_copy_activity.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Device File Copy Activity
id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed command $command$ to export device configuration from Cisco ASA host $host$.
risk_objects:
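Review bot: `endhoursago=1` survives in the new search while `latest_offset: 0` moves the window end to now, so the last hour of risk events for `$host$` is silently dropped inside a drilldown that claims to cover the last 7 days. Remove `endhoursago=1` if the window is meant to run to now, or document the intentional lag. As with the other ASA drilldowns, `earliest_offset: 7d` lacks the `-` sign Splunk relative-time modifiers normally carry, and `latest_offset: 0` is an unquoted integer where the surrounding offsets are strings; confirm both render correctly or quote them.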
diff --git a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
index 2bb33fd955..9523f00967 100644
--- a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
+++ b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Device File Copy to Remote Location
id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -74,9 +74,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed command $command$ to copy file or config from Cisco ASA host $host$ to remote location $dest$ via $remote_protocol$ protocols.
risk_objects:
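Review bot: The inline `endhoursago=1` on the new search line contradicts the new `latest_offset: 0`: the window says "to now" while the search body still stops one hour short. Pick one bound and delete the other, or rename the drilldown to say the last hour is excluded. `$host$` is also substituted unquoted into `IN ($host$)`; quoting it as `IN ("$host$")`, the way the Duo drilldowns in this change do, avoids a broken search when the hostname carries spaces or special characters. Confirm `earliest_offset: 7d` is rendered as `-7d` and not as a positive offset.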
diff --git a/detections/application/cisco_asa___logging_disabled_via_cli.yml b/detections/application/cisco_asa___logging_disabled_via_cli.yml
index e525ef44c0..c16b9f134e 100644
--- a/detections/application/cisco_asa___logging_disabled_via_cli.yml
+++ b/detections/application/cisco_asa___logging_disabled_via_cli.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Logging Disabled via CLI
id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -55,9 +55,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed command $command$ to disable logging on the Cisco ASA host $host$.
risk_objects:
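Review bot: For a TTP detection about logging being disabled, the drilldown still carries `endhoursago=1` inside the search while `latest_offset: 0` ends the window at now, so an analyst pivoting from a fresh alert will not see risk events from the last hour — exactly the period they care about. Drop `endhoursago=1` (matching the Duo drilldowns in this change) or state the lag in the drilldown name. Also check that `earliest_offset: 7d` renders as a past offset (`-7d`) and that the integer `0` in `latest_offset` satisfies the schema; quoting it as `'0'` or using `now` is safer.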
diff --git a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
index 875768a4bb..494a27f8f8 100644
--- a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
+++ b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Logging Filters Configuration Tampering
id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -63,9 +63,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed command $command$ to tamper with logging filter configuration on the Cisco ASA host $host$.
risk_objects:
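Review bot: The new search keeps `endhoursago=1` while `latest_offset: 0` runs the window to now, so the search body and the drilldown window no longer agree on the end bound and the most recent hour is excluded. Either delete `endhoursago=1` or document the gap in the name. `IN ($host$)` interpolates the host token unquoted, unlike the Duo/AI Defense drilldowns which use `IN ("$user$")`; `IN ("$host$")` is the safer form. `earliest_offset: 7d` has no sign — verify it resolves to seven days ago.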
diff --git a/detections/application/cisco_asa___logging_message_suppression.yml b/detections/application/cisco_asa___logging_message_suppression.yml
index 4a89fb9d02..a49211c8cc 100644
--- a/detections/application/cisco_asa___logging_message_suppression.yml
+++ b/detections/application/cisco_asa___logging_message_suppression.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Logging Message Suppression
id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed command $command$ to suppress specific logging message ID on Cisco ASA host $host$.
risk_objects:
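Review bot: `endhoursago=1` is still present on the new search line even though `latest_offset: 0` now ends the window at the current time; the search therefore hides the last hour of risk events behind a drilldown labelled "last 7 days". Remove the inline modifier or make the lag explicit. Because `earliest_offset: 7d` is unsigned and `latest_offset: 0` is a bare YAML integer (the neighbouring offsets are strings), confirm the generated drilldown's time range is `-7d` to `now` rather than relying on the renderer to normalize them.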
diff --git a/detections/application/cisco_asa___new_local_user_account_created.yml b/detections/application/cisco_asa___new_local_user_account_created.yml
index 26c1e21e5e..17fdd2b917 100644
--- a/detections/application/cisco_asa___new_local_user_account_created.yml
+++ b/detections/application/cisco_asa___new_local_user_account_created.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - New Local User Account Created
id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: New local user account $user$ with privilege level $privilege_level$ was created on Cisco ASA host $host$.
risk_objects:
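Review bot: The new search line retains `endhoursago=1`, which conflicts with the new `latest_offset: 0`: a newly created local account triggers this alert, but the pivot to risk events silently excludes the last hour. Drop `endhoursago=1` to match the window, as the Duo drilldowns in this change already do, or document the exclusion. The host token is also unquoted in `IN ($host$)`; `IN ("$host$")` handles hostnames with spaces or special characters. Verify `earliest_offset: 7d` renders as `-7d`.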
diff --git a/detections/application/cisco_asa___packet_capture_activity.yml b/detections/application/cisco_asa___packet_capture_activity.yml
index c8027c6cb4..990bc6570c 100644
--- a/detections/application/cisco_asa___packet_capture_activity.yml
+++ b/detections/application/cisco_asa___packet_capture_activity.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Packet Capture Activity
id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed packet capture command $command$ on Cisco ASA host $host$, potentially for network sniffing activity.
risk_objects:
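Review bot: `endhoursago=1` remains inside the new search while the drilldown window now ends at `latest_offset: 0`, so the two end bounds disagree and the freshest hour of risk events for `$host$` is dropped. Either remove `endhoursago=1` or rename the drilldown to make the one-hour lag explicit. `earliest_offset: 7d` carries no sign and `latest_offset: 0` is an unquoted integer; confirm both produce a `-7d` to `now` range in the generated search, or quote them (`'-7d'`, `'0'`).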
diff --git a/detections/application/cisco_asa___reconnaissance_command_activity.yml b/detections/application/cisco_asa___reconnaissance_command_activity.yml
index 8507b53bdf..e00a03a5ad 100644
--- a/detections/application/cisco_asa___reconnaissance_command_activity.yml
+++ b/detections/application/cisco_asa___reconnaissance_command_activity.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - Reconnaissance Command Activity
id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -104,9 +104,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ executed $unique_recon_commands$ distinct reconnaissance commands of type $command_types$ within a 5-minute window on Cisco ASA host $host$, indicating potential reconnaissance activity.
risk_objects:
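Review bot: The new search line still includes `endhoursago=1`, inconsistent with `latest_offset: 0` which now runs the window to the present; for a reconnaissance detection built on a 5-minute window, losing the most recent hour in the pivot is a real gap. Delete `endhoursago=1` (the Duo drilldowns in this change have no inline modifiers) or document the lag. `IN ($host$)` should be `IN ("$host$")` for parity with the quoted tokens elsewhere in this change, and `earliest_offset: 7d` should be verified to render as `-7d`.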
diff --git a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
index 1c4f62082a..bade02d65e 100644
--- a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
+++ b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - User Account Deleted From Local Database
id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Local user account $user$ with privilege level $privilege_level$ was deleted from Cisco ASA host $host$.
risk_objects:
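Review bot: `endhoursago=1` survives on the new search line while `latest_offset: 0` moves the window end to now, so the search and the window disagree and the last hour of risk events is excluded from a drilldown advertised as "last 7 days". Remove the inline modifier or state the exclusion in the name. Confirm that the unsigned `earliest_offset: 7d` resolves to seven days in the past and that the bare integer `latest_offset: 0` passes schema validation; quoting both as strings is the safer YAML.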
diff --git a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
index 0569cf2524..43242e1abc 100644
--- a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
+++ b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - User Account Lockout Threshold Exceeded
id: 3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User account $user$ was $failure_description$ on Cisco ASA host $host$.
risk_objects:
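Review bot: The new search keeps `endhoursago=1`, which no longer matches `latest_offset: 0`; an account-lockout pivot that hides the most recent hour will miss the brute-force activity the analyst is investigating. Drop `endhoursago=1` to match the window or document the lag in the drilldown name. The host token is interpolated unquoted in `IN ($host$)`; `IN ("$host$")` is consistent with the Duo/AI Defense drilldowns in this same change and safer for odd hostnames. Verify `earliest_offset: 7d` renders with a leading `-`.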
diff --git a/detections/application/cisco_asa___user_privilege_level_change.yml b/detections/application/cisco_asa___user_privilege_level_change.yml
index f1518b4ec2..661e8c211b 100644
--- a/detections/application/cisco_asa___user_privilege_level_change.yml
+++ b/detections/application/cisco_asa___user_privilege_level_change.yml
@@ -1,7 +1,7 @@
name: Cisco ASA - User Privilege Level Change
id: 5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $host$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User account $user$ privilege level changed from $old_privilege_level$ to $new_privilege_level$ on Cisco ASA host $host$.
risk_objects:
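Review bot: `endhoursago=1` is still present on the new search line while the window end is now `latest_offset: 0`, so the end bound is defined twice with different values and the freshest hour is silently dropped. Remove `endhoursago=1` or make the lag explicit in the name. As with the other ASA drilldowns in this change, `earliest_offset: 7d` is an unsigned offset and `latest_offset: 0` is an unquoted YAML integer; confirm the rendered range is `-7d` to `now`, or quote the values to make the intent unambiguous.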
diff --git a/detections/application/cisco_duo_admin_login_unusual_browser.yml b/detections/application/cisco_duo_admin_login_unusual_browser.yml
index 2c8f0a971a..74607a8ea1 100644
--- a/detections/application/cisco_duo_admin_login_unusual_browser.yml
+++ b/detections/application/cisco_duo_admin_login_unusual_browser.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Admin Login Unusual Browser
id: b38932ad-e663-4e90-bfdf-8446ee5b3f34
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Activity
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user $user$ has logged in using an unusual browser $access_device.browser$ from $src_ip$.
risk_objects:
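Review bot: The 7-day span now lives only in `earliest_offset: 7d`, and that string has no sign; Splunk relative-time modifiers conventionally read `-7d`, so verify that contentctl renders a past window rather than a future one, otherwise this pivot returns nothing. `latest_offset: 0` is also parsed by YAML as an integer while `$info_min_time$`/`$info_max_time$` and `7d` are strings; if the schema expects a string, write `'0'` or use `now`. The drilldown name still says "last 7 days", so check the label against the actual rendered range.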
diff --git a/detections/application/cisco_duo_admin_login_unusual_country.yml b/detections/application/cisco_duo_admin_login_unusual_country.yml
index 9c5725f26a..f268dc751e 100644
--- a/detections/application/cisco_duo_admin_login_unusual_country.yml
+++ b/detections/application/cisco_duo_admin_login_unusual_country.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Admin Login Unusual Country
id: 1bf631d1-44a0-472b-98c4-2975b8b281df
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Activity
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user $user$ has logged in using an unusual country using browser $access_device.browser$ from $src_ip$.
risk_objects:
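Review bot: `earliest_offset: 7d` drops the `starthoursago=168` that previously pinned the window, but the new value carries no `-` sign; confirm contentctl emits `-7d` (or `-7d@d`) in the generated drilldown so the search looks backwards. `latest_offset: 0` is an unquoted integer alongside string offsets in the same list; quote it (`'0'`) or use `now` if the schema requires a string. Unlike the ASA drilldowns in this change, this search correctly removes all inline time modifiers, so the outer window is the single source of truth here.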
diff --git a/detections/application/cisco_duo_admin_login_unusual_os.yml b/detections/application/cisco_duo_admin_login_unusual_os.yml
index e8ff5166d9..eb3ebc59de 100644
--- a/detections/application/cisco_duo_admin_login_unusual_os.yml
+++ b/detections/application/cisco_duo_admin_login_unusual_os.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Admin Login Unusual Os
id: c4824cc6-d644-458e-a39a-67cd67da75e3
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Activity
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user $user$ has logged in using an unusual OS $access_device.os$ using browser $access_device.browser$ from $src_ip$.
risk_objects:
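Review bot: The unsigned `earliest_offset: 7d` is the only thing defining the lookback now that `starthoursago=168` is gone; verify the rendered drilldown uses `-7d`, since an unsigned relative offset is not the conventional Splunk form. `latest_offset: 0` is a bare YAML integer next to string-typed offsets; quote it as `'0'` or use `now` to avoid a type mismatch in validation. The drilldown name's "last 7 days" claim should be checked against the rendered range.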
diff --git a/detections/application/cisco_duo_bulk_policy_deletion.yml b/detections/application/cisco_duo_bulk_policy_deletion.yml
index acbac53045..991f357ab3 100644
--- a/detections/application/cisco_duo_bulk_policy_deletion.yml
+++ b/detections/application/cisco_duo_bulk_policy_deletion.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Bulk Policy Deletion
id: 983be012-e408-4cb0-b87f-6756bb5f7047
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user $user$ has deleted more than 3 policies
risk_objects:
diff --git a/detections/application/cisco_duo_bypass_code_generation.yml b/detections/application/cisco_duo_bypass_code_generation.yml
index 258684f3f1..05f9176f90 100644
--- a/detections/application/cisco_duo_bypass_code_generation.yml
+++ b/detections/application/cisco_duo_bypass_code_generation.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Bypass Code Generation
id: 446e81ff-ce06-4925-9c7d-4073f9b5abf5
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user $user$ has generated a bypass code
risk_objects:
diff --git a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml
index f922c4729b..63e0cbe77d 100644
--- a/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml
+++ b/detections/application/cisco_duo_policy_allow_devices_without_screen_lock.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Allow Devices Without Screen Lock
id: 114c616b-c793-465d-a80d-758c9fe8a704
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow devices without screen lock by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml
index 5f5fef8e73..099c5675bb 100644
--- a/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml
+++ b/detections/application/cisco_duo_policy_allow_network_bypass_2fa.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Allow Network Bypass 2FA
id: 2593f641-6192-4f3d-b96c-2bd1c706215f
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow network bypass 2FA by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_allow_old_flash.yml b/detections/application/cisco_duo_policy_allow_old_flash.yml
index 1dffc5ffa3..2dbbea6341 100644
--- a/detections/application/cisco_duo_policy_allow_old_flash.yml
+++ b/detections/application/cisco_duo_policy_allow_old_flash.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Allow Old Flash
id: f36c0d3f-d57f-4b88-a5d4-0a4c9a0752f6
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow old flash by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_allow_old_java.yml b/detections/application/cisco_duo_policy_allow_old_java.yml
index 7db607c0ce..af2241760e 100644
--- a/detections/application/cisco_duo_policy_allow_old_java.yml
+++ b/detections/application/cisco_duo_policy_allow_old_java.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Allow Old Java
id: ff56d843-57de-4a87-b726-13b145f6bf96
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow old java by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_allow_tampered_devices.yml b/detections/application/cisco_duo_policy_allow_tampered_devices.yml
index 95656389e6..522c98b6ba 100644
--- a/detections/application/cisco_duo_policy_allow_tampered_devices.yml
+++ b/detections/application/cisco_duo_policy_allow_tampered_devices.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Allow Tampered Devices
id: 6b813efd-8859-406f-b677-719458387fac
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow tampered devices by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_bypass_2fa.yml b/detections/application/cisco_duo_policy_bypass_2fa.yml
index 37ba16208c..d415a72637 100644
--- a/detections/application/cisco_duo_policy_bypass_2fa.yml
+++ b/detections/application/cisco_duo_policy_bypass_2fa.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Bypass 2FA
id: 65862e8a-799a-4509-ae1c-4602aa139580
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow access without 2FA by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_deny_access.yml b/detections/application/cisco_duo_policy_deny_access.yml
index 421190d81a..559d9b7aec 100644
--- a/detections/application/cisco_duo_policy_deny_access.yml
+++ b/detections/application/cisco_duo_policy_deny_access.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Deny Access
id: abf39464-ed43-4d69-a56c-02750032a3fb
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to deny access by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml
index 7822a09229..4bd29dd650 100644
--- a/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml
+++ b/detections/application/cisco_duo_policy_skip_2fa_for_other_countries.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Policy Skip 2FA for Other Countries
id: ab59d5ee-8694-4832-a332-cefcf66a9057
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A policy has been created or updated to allow access without 2FA for other countries by user $user$ with email $admin_email$
risk_objects:
diff --git a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml
index 3b13048d5d..9189f3b79b 100644
--- a/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml
+++ b/detections/application/cisco_duo_set_user_status_to_bypass_2fa.yml
@@ -1,7 +1,7 @@
name: Cisco Duo Set User Status to Bypass 2FA
id: 8728d224-9cd5-4aa7-b75f-f8520a569979
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
data_source:
- Cisco Duo Administrator
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user $user$ has set their status to bypass 2FA from IP Address - $src_ip$
risk_objects:
diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 27edb7a6aa..5d048c67f9 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -1,7 +1,7 @@
name: CrushFTP Server Side Template Injection
id: ccf6b7a3-bd39-4bc9-a949-143a8d640dbc
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- CrushFTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation of CrushFTP Server Side Template Injection Vulnerability on $dest$ by $src_ip$.
risk_objects:
diff --git a/detections/application/detect_html_help_spawn_child_process.yml b/detections/application/detect_html_help_spawn_child_process.yml
index 5b400cc749..b8f37b135e 100644
--- a/detections/application/detect_html_help_spawn_child_process.yml
+++ b/detections/application/detect_html_help_spawn_child_process.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help Spawn Child Process
id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior.
risk_objects:
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
index a4a307185f..cbc6b82f6c 100644
--- a/detections/application/detect_password_spray_attempts.yml
+++ b/detections/application/detect_password_spray_attempts.yml
@@ -1,7 +1,7 @@
name: Detect Password Spray Attempts
id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$sourcetype$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$sourcetype$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts.
risk_objects:
diff --git a/detections/application/esxi_account_modified.yml b/detections/application/esxi_account_modified.yml
index dbb4f18824..dc8f7d11ae 100644
--- a/detections/application/esxi_account_modified.yml
+++ b/detections/application/esxi_account_modified.yml
@@ -1,7 +1,7 @@
name: ESXi Account Modified
id: b5e3b024-a7bb-4019-8975-46cf54485e78
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Local account created, deleted, or modified on ESXi $dest$.
risk_objects:
diff --git a/detections/application/esxi_audit_tampering.yml b/detections/application/esxi_audit_tampering.yml
index 744f5ef2d6..7921508765 100644
--- a/detections/application/esxi_audit_tampering.yml
+++ b/detections/application/esxi_audit_tampering.yml
@@ -1,7 +1,7 @@
name: ESXi Audit Tampering
id: c48a155b-2861-417a-813c-220f5272cf01
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Audit tampering activity on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_bulk_vm_termination.yml b/detections/application/esxi_bulk_vm_termination.yml
index 5f15de3fc5..6f3a6468f9 100644
--- a/detections/application/esxi_bulk_vm_termination.yml
+++ b/detections/application/esxi_bulk_vm_termination.yml
@@ -1,7 +1,7 @@
name: ESXi Bulk VM Termination
id: cfe094b4-0737-4a33-9d63-e0562ce2b883
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Bulk VM termination activity on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_download_errors.yml b/detections/application/esxi_download_errors.yml
index 4830ad0e2f..d9512862cc 100644
--- a/detections/application/esxi_download_errors.yml
+++ b/detections/application/esxi_download_errors.yml
@@ -1,7 +1,7 @@
name: ESXi Download Errors
id: 515cccd0-c4d8-4427-92d9-8a8f8b5a71dc
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Download Errors on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_encryption_settings_modified.yml b/detections/application/esxi_encryption_settings_modified.yml
index 19eb64c4a5..c2c6531f4e 100644
--- a/detections/application/esxi_encryption_settings_modified.yml
+++ b/detections/application/esxi_encryption_settings_modified.yml
@@ -1,7 +1,7 @@
name: ESXi Encryption Settings Modified
id: dbbbe26f-83fe-4ee3-8b77-ccf7fbd416c8
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Encryption settings modified on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_external_root_login_activity.yml b/detections/application/esxi_external_root_login_activity.yml
index c0486a69ad..d5edc73c9e 100644
--- a/detections/application/esxi_external_root_login_activity.yml
+++ b/detections/application/esxi_external_root_login_activity.yml
@@ -1,7 +1,7 @@
name: ESXi External Root Login Activity
id: 218bf991-6c63-4c26-a682-6ac1a53ad8f8
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
risk_objects:
diff --git a/detections/application/esxi_firewall_disabled.yml b/detections/application/esxi_firewall_disabled.yml
index 0fc0e96430..7e14812edc 100644
--- a/detections/application/esxi_firewall_disabled.yml
+++ b/detections/application/esxi_firewall_disabled.yml
@@ -1,7 +1,7 @@
name: ESXi Firewall Disabled
id: e321804c-8eb5-42f2-a843-36b289a6c6b2
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Firewall disabled on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_lockdown_mode_disabled.yml b/detections/application/esxi_lockdown_mode_disabled.yml
index c2eb4612a7..1f394fcb38 100644
--- a/detections/application/esxi_lockdown_mode_disabled.yml
+++ b/detections/application/esxi_lockdown_mode_disabled.yml
@@ -1,7 +1,7 @@
name: ESXi Lockdown Mode Disabled
id: 07c0d28a-9a9b-409f-8d4b-65355bd19ead
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Lockdown Mode has been disabled on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_loghost_config_tampering.yml b/detections/application/esxi_loghost_config_tampering.yml
index 1a03eee074..500ebc4797 100644
--- a/detections/application/esxi_loghost_config_tampering.yml
+++ b/detections/application/esxi_loghost_config_tampering.yml
@@ -1,7 +1,7 @@
name: ESXi Loghost Config Tampering
id: 64bc2fa3-c493-44b4-8e94-3e5dbf71377e
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Syslog destination was modified on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_malicious_vib_forced_install.yml b/detections/application/esxi_malicious_vib_forced_install.yml
index 3216868ec1..caf9de9d55 100644
--- a/detections/application/esxi_malicious_vib_forced_install.yml
+++ b/detections/application/esxi_malicious_vib_forced_install.yml
@@ -1,7 +1,7 @@
name: ESXi Malicious VIB Forced Install
id: 5d4d2cd2-7b65-4474-97cf-e9b203bcd770
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A VIB was installed on ESXi $dest$ with the force flag.
risk_objects:
diff --git a/detections/application/esxi_reverse_shell_patterns.yml b/detections/application/esxi_reverse_shell_patterns.yml
index 784788d2ed..ed6c592a05 100644
--- a/detections/application/esxi_reverse_shell_patterns.yml
+++ b/detections/application/esxi_reverse_shell_patterns.yml
@@ -1,7 +1,7 @@
name: ESXi Reverse Shell Patterns
id: ee8b16a4-118e-4dd7-af4b-835530415610
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Reverse shell patterns seen on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_sensitive_files_accessed.yml b/detections/application/esxi_sensitive_files_accessed.yml
index 7477a57d7a..d533fb74e3 100644
--- a/detections/application/esxi_sensitive_files_accessed.yml
+++ b/detections/application/esxi_sensitive_files_accessed.yml
@@ -1,7 +1,7 @@
name: ESXi Sensitive Files Accessed
id: 6fa0073d-6ca0-4f93-913d-fb420c9de15b
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Sensitive files accessed on ESXi host $dest$ with $command$.
risk_objects:
diff --git a/detections/application/esxi_shared_or_stolen_root_account.yml b/detections/application/esxi_shared_or_stolen_root_account.yml
index 2f43c707f3..4521312f48 100644
--- a/detections/application/esxi_shared_or_stolen_root_account.yml
+++ b/detections/application/esxi_shared_or_stolen_root_account.yml
@@ -1,7 +1,7 @@
name: ESXi Shared or Stolen Root Account
id: 1bc8f235-5d7c-457c-95ca-5e92edcb52ea
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Root login from multiple IPs on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_shell_access_enabled.yml b/detections/application/esxi_shell_access_enabled.yml
index 6e770c2275..7af7123ca2 100644
--- a/detections/application/esxi_shell_access_enabled.yml
+++ b/detections/application/esxi_shell_access_enabled.yml
@@ -1,7 +1,7 @@
name: ESXi Shell Access Enabled
id: 15e79d0a-c659-42fd-9668-94108528f2ec
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ESXi Shell access was enabled on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_ssh_brute_force.yml b/detections/application/esxi_ssh_brute_force.yml
index e629ecb668..d7ad239e88 100644
--- a/detections/application/esxi_ssh_brute_force.yml
+++ b/detections/application/esxi_ssh_brute_force.yml
@@ -1,7 +1,7 @@
name: ESXi SSH Brute Force
id: 68fe4efa-bbbb-44ee-9f09-d07d2f0f346b
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Attempted SSH brute force on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_ssh_enabled.yml b/detections/application/esxi_ssh_enabled.yml
index 369768b176..bede56f893 100644
--- a/detections/application/esxi_ssh_enabled.yml
+++ b/detections/application/esxi_ssh_enabled.yml
@@ -1,7 +1,7 @@
name: ESXi SSH Enabled
id: b8003567-c5b6-445b-8966-ecdacc81c24d
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: SSH was enabled on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_syslog_config_change.yml b/detections/application/esxi_syslog_config_change.yml
index d25f9a6206..d96fbfe629 100644
--- a/detections/application/esxi_syslog_config_change.yml
+++ b/detections/application/esxi_syslog_config_change.yml
@@ -1,7 +1,7 @@
name: ESXi Syslog Config Change
id: e530beb9-9b8c-4c9b-9776-0a05521ff32d
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Syslog config was modified on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_system_clock_manipulation.yml b/detections/application/esxi_system_clock_manipulation.yml
index 9b21d2cb1c..32ea02a4d8 100644
--- a/detections/application/esxi_system_clock_manipulation.yml
+++ b/detections/application/esxi_system_clock_manipulation.yml
@@ -1,7 +1,7 @@
name: ESXi System Clock Manipulation
id: 910df401-b215-4675-88c5-2ad7b06d82a5
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Large time change on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/esxi_system_information_discovery.yml b/detections/application/esxi_system_information_discovery.yml
index 120650613a..2f7af8bde2 100644
--- a/detections/application/esxi_system_information_discovery.yml
+++ b/detections/application/esxi_system_information_discovery.yml
@@ -1,7 +1,7 @@
name: ESXi System Information Discovery
id: b4d4217a-6673-4fb6-837d-07a522bdf9f7
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: System information discovery commands executed on ESXi host $dest$ by $user$.
risk_objects:
diff --git a/detections/application/esxi_user_granted_admin_role.yml b/detections/application/esxi_user_granted_admin_role.yml
index 91caeca9a8..75f14ec867 100644
--- a/detections/application/esxi_user_granted_admin_role.yml
+++ b/detections/application/esxi_user_granted_admin_role.yml
@@ -1,7 +1,7 @@
name: ESXi User Granted Admin Role
id: b0c64d6e-cfdf-441a-b6ce-d956e202563e
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $target_user$ granted Admin role on ESXi host $dest$ by $user$.
risk_objects:
diff --git a/detections/application/esxi_vib_acceptance_level_tampering.yml b/detections/application/esxi_vib_acceptance_level_tampering.yml
index 843eed29cb..283d4ed3b5 100644
--- a/detections/application/esxi_vib_acceptance_level_tampering.yml
+++ b/detections/application/esxi_vib_acceptance_level_tampering.yml
@@ -1,7 +1,7 @@
name: ESXi VIB Acceptance Level Tampering
id: d051d94f-c792-445e-b5d2-0b904f93ac09
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: VIB Acceptance level was modified on ESXi host $dest$ by $user$.
risk_objects:
diff --git a/detections/application/esxi_vm_discovery.yml b/detections/application/esxi_vm_discovery.yml
index 99b261e7a5..7dbfbe436d 100644
--- a/detections/application/esxi_vm_discovery.yml
+++ b/detections/application/esxi_vm_discovery.yml
@@ -1,7 +1,7 @@
name: ESXi VM Discovery
id: 5643cdc9-a0be-4123-860b-f13da0bf4fcb
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: VM discovery commands executed on ESXi host $dest$ by $user$.
risk_objects:
diff --git a/detections/application/esxi_vm_exported_via_remote_tool.yml b/detections/application/esxi_vm_exported_via_remote_tool.yml
index 2539422e16..c5391e6adc 100644
--- a/detections/application/esxi_vm_exported_via_remote_tool.yml
+++ b/detections/application/esxi_vm_exported_via_remote_tool.yml
@@ -1,7 +1,7 @@
name: ESXi VM Exported via Remote Tool
id: 2e155547-aaac-49d3-b0ef-ceabc31fd364
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: VM downloaded from datastore on ESXi host $dest$.
risk_objects:
diff --git a/detections/application/ivanti_vtm_new_account_creation.yml b/detections/application/ivanti_vtm_new_account_creation.yml
index 6646bf8781..e6087cc27a 100644
--- a/detections/application/ivanti_vtm_new_account_creation.yml
+++ b/detections/application/ivanti_vtm_new_account_creation.yml
@@ -1,7 +1,7 @@
name: Ivanti VTM New Account Creation
id: b04be6e5-2002-4349-8742-52285635b8f5
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Ivanti VTM Audit
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$MODUSER$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MODUSER$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new administrator account, $MODUSER$, was created on Ivanti vTM device without proper authentication, which may indicate exploitation of CVE-2024-7593.
risk_objects:
diff --git a/detections/application/m365_copilot_agentic_jailbreak_attack.yml b/detections/application/m365_copilot_agentic_jailbreak_attack.yml
index ddd908cecb..dec749ac59 100644
--- a/detections/application/m365_copilot_agentic_jailbreak_attack.yml
+++ b/detections/application/m365_copilot_agentic_jailbreak_attack.yml
@@ -1,7 +1,7 @@
name: M365 Copilot Agentic Jailbreak Attack
id: e5c7b380-19da-42e9-9e53-0af4cd27aee3
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ attempted to establish persistent agentic control over M365 Copilot through advanced jailbreak techniques including rule injection, universal triggers, and system overrides, potentially compromising AI security across multiple sessions.
risk_objects:
diff --git a/detections/application/m365_copilot_application_usage_pattern_anomalies.yml b/detections/application/m365_copilot_application_usage_pattern_anomalies.yml
index 7072f0a977..e2da863289 100644
--- a/detections/application/m365_copilot_application_usage_pattern_anomalies.yml
+++ b/detections/application/m365_copilot_application_usage_pattern_anomalies.yml
@@ -1,7 +1,7 @@
name: M365 Copilot Application Usage Pattern Anomalies
id: e3308b0c-d1a1-40d5-9486-4500f0d34731
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ exhibited anomalous M365 Copilot usage patterns including multi-location access, excessive activity levels, or multiple application usage indicating potential account compromise or automated abuse.
risk_objects:
diff --git a/detections/application/m365_copilot_information_extraction_jailbreak_attack.yml b/detections/application/m365_copilot_information_extraction_jailbreak_attack.yml
index 9e91d63b07..c1954d1880 100644
--- a/detections/application/m365_copilot_information_extraction_jailbreak_attack.yml
+++ b/detections/application/m365_copilot_information_extraction_jailbreak_attack.yml
@@ -1,7 +1,7 @@
name: M365 Copilot Information Extraction Jailbreak Attack
id: c0ee37bb-ed43-4632-8e38-060fba80b0b2
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
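Review bot: The new `search` line still carries a malformed IN clause, `normalized_risk_object IN ("$user$", | stats`, where the closing parenthesis was dropped together with the trailing comma when `starthoursago=168` was removed, so the drilldown will fail to parse. It should read `normalized_risk_object IN ("$user$") | stats`, matching the other drilldowns in this diff. The same defect exists at L1561 (m365_copilot_jailbreak_attempts) and L1588 (m365_copilot_non_compliant_devices_accessing_m365_copilot); the old side of all three hunks was already broken, so this is not a regression, but it remains unfixed on the new side.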
rba:
message: Use $user$ attempted M365 Copilot information extraction jailbreak with severity level $severity$ using extraction type $extraction_type$ techniques and $data_risk_flags$ patterns to obtain sensitive or classified information, potentially violating data protection policies and corporate security controls.
risk_objects:
diff --git a/detections/application/m365_copilot_jailbreak_attempts.yml b/detections/application/m365_copilot_jailbreak_attempts.yml
index 46ebda61a1..7ea16d0046 100644
--- a/detections/application/m365_copilot_jailbreak_attempts.yml
+++ b/detections/application/m365_copilot_jailbreak_attempts.yml
@@ -1,7 +1,7 @@
name: M365 Copilot Jailbreak Attempts
id: b05a4f25-e07d-436f-ab03-f954afa922c0
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ attempted M365 Copilot Jailbreak with score $jailbreak_score$ using prompt injection techniques to bypass AI safety controls and manipulate system behavior, potentially violating acceptable use policies.
risk_objects:
diff --git a/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml b/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml
index 540896e24e..a556a6eda6 100644
--- a/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml
+++ b/detections/application/m365_copilot_non_compliant_devices_accessing_m365_copilot.yml
@@ -1,7 +1,7 @@
name: M365 Copilot Non Compliant Devices Accessing M365 Copilot
id: e26bc52d-9cbc-4743-9745-e8781d935042
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Rod Soto
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ accessed M365 Copilot from non-compliant or unmanaged devices accross $unique_countries$ countries, violating corporate security policies and creating potential data exposure risks.
risk_objects:
diff --git a/detections/application/mcp_prompt_injection.yml b/detections/application/mcp_prompt_injection.yml
index 22f45108a4..5962836806 100644
--- a/detections/application/mcp_prompt_injection.yml
+++ b/detections/application/mcp_prompt_injection.yml
@@ -1,7 +1,7 @@
name: MCP Prompt Injection
id: 49779398-b738-4d64-bb3f-ead6eb97fe53
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Rod Soto
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$dest$" starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$dest$" | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'A prompt injection attempt was detected on $dest$ via MCP server. An attacker attempted to override AI instructions using phrases like IGNORE PREVIOUS INSTRUCTIONS or SYSTEM PROMPT OVERRIDE. This technique (AML.T0051) attempts to manipulate the LLM into bypassing security controls or executing unauthorized actions. Payload detected: $injection_payload$'
risk_objects:
diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
index 19cfac9feb..fb45e7c102 100644
--- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml
+++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
name: Okta Authentication Failed During MFA Challenge
id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- Okta
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] has failed to authenticate via MFA from IP Address - [$src$]"
risk_objects:
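Review bot: The `rba.message` context line immediately above ends with a stray double quote, `... from IP Address - [$src$]"`, which will be emitted verbatim into the risk message since the value is an unquoted plain scalar; dropping the trailing `"` fixes it. The same stray quote appears in the message at L1673 (okta_idp_lifecycle_modifications). Neither line is touched by this commit, but both sit on the new side of the hunk and are cheap to clean up while the files are being re-versioned.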
diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml
index 7ae639c33a..3b4e6120e3 100644
--- a/detections/application/okta_idp_lifecycle_modifications.yml
+++ b/detections/application/okta_idp_lifecycle_modifications.yml
@@ -1,7 +1,7 @@
name: Okta IDP Lifecycle Modifications
id: e0be2c83-5526-4219-a14f-c3db2e763d15
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- Okta
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] is attempting IDP lifecycle modification - [$description$] from IP Address - [$src$]"
risk_objects:
diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
index b8e3104d35..a763dfa68f 100644
--- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
+++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
@@ -1,7 +1,7 @@
name: Okta Mismatch Between Source and Response for Verify Push Request
id: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Bhavin Patel, Splunk
type: TTP
status: production
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
references:
- https://attack.mitre.org/techniques/T1621
- https://splunkbase.splunk.com/app/6553
diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml
index 9e174a2dfe..da4c9fd55c 100644
--- a/detections/application/okta_multi_factor_authentication_disabled.yml
+++ b/detections/application/okta_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
name: Okta Multi-Factor Authentication Disabled
id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Okta
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: MFA was disabled for User [$user$] initiated by [$src$]. Investigate further to determine if this was authorized.
risk_objects:
diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml
index 5187555063..2279fb9137 100644
--- a/detections/application/okta_multiple_accounts_locked_out.yml
+++ b/detections/application/okta_multiple_accounts_locked_out.yml
@@ -1,7 +1,7 @@
name: Okta Multiple Accounts Locked Out
id: a511426e-184f-4de6-8711-cfd2af29d1e1
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
data_source:
- Okta
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple accounts locked out in Okta from [$src$]. Investigate further to determine if this was authorized.
risk_objects:
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
index 243e207b4a..778684632f 100644
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: Okta Multiple Failed MFA Requests For User
id: 826dbaae-a1e6-4c8c-b384-d16898956e73
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Okta
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple failed MFA requests for user $src_user$ from IP Address - $src_ip$
risk_objects:
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
index 24c75c77e7..a07210ada7 100644
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: Okta Multiple Users Failing To Authenticate From Ip
id: de365ffa-42f5-46b5-b43f-fa72290b8218
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
data_source:
- Okta
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple users failing to authenticate from a single source IP Address - [$src$]. Investigate further to determine if this was authorized.
risk_objects:
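Review bot: The new search line pivots on `normalized_risk_object IN ("$user$")`, but this detection aggregates per source IP and its RBA message identifies `$src$`; if the risk object the detection writes is the IP (the `risk_objects:` block is outside the hunk), `$user$` is empty or a multivalue that never matches and the drilldown returns nothing. Pivot on the same field the risk object uses, e.g. `IN ("$src$")`, and rename the drilldown accordingly. Separately, `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string; quoting `'0'` keeps the two offsets the same type.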
diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml
index 643253226b..f7c980e70f 100644
--- a/detections/application/okta_new_api_token_created.yml
+++ b/detections/application/okta_new_api_token_created.yml
@@ -1,7 +1,7 @@
name: Okta New API Token Created
id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new API token was created in Okta by [$user$]. Investigate further to determine if this was authorized.
risk_objects:
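Review bot: `$user$` is substituted verbatim inside a double-quoted SPL literal on the new search line; a value containing a double quote or backslash ends the literal early and rewrites the rest of the search, which matters for an identity field an attacker can influence (the Okta actor name). If the drilldown token syntax honours the quoting filter, `IN ($user|s$)` would quote and escape the value; if it does not, a short comment above the drilldown noting the limitation is still worth adding. Removing `starthoursago=168` also means the "last 7 days" in the name is only true if ES interprets `earliest_offset: 7d` relative to the event time — confirm before relying on it.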
diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml
index 5494f52e7f..d2a303d965 100644
--- a/detections/application/okta_new_device_enrolled_on_account.yml
+++ b/detections/application/okta_new_device_enrolled_on_account.yml
@@ -1,7 +1,7 @@
name: Okta New Device Enrolled on Account
id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new device was enrolled on an Okta account for user [$user$]. Investigate further to determine if this was authorized.
risk_objects:
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
index 9c60ead0a9..19f7fff65f 100644
--- a/detections/application/okta_risk_threshold_exceeded.yml
+++ b/detections/application/okta_risk_threshold_exceeded.yml
@@ -1,7 +1,7 @@
name: Okta Risk Threshold Exceeded
id: d8b967dd-657f-4d88-93b5-c588bcd7218c
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Bhavin Patel, Splunk
status: production
type: Correlation
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Okta Account Takeover
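Review bot: With `latest_offset: 0` the pivot window now ends at the notable's own timestamp, so risk events for `$risk_object$` written after this correlation fired are excluded from the "last 7 days" view; the previous form bounded the search with `starthoursago=168` under the notable's `$info_max_time$`, which is a different upper edge. For a Correlation-type search whose purpose is to show the risk picture an analyst is triaging, confirm whether the intent is "7 days before the notable" or "7 days up to now", and if the latter use the offset form ES accepts for the present time rather than `0`. Also quote `'0'` so it is a string like `7d` rather than a YAML integer.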
diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml
index f08540734f..61682e8d63 100644
--- a/detections/application/okta_successful_single_factor_authentication.yml
+++ b/detections/application/okta_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
name: Okta Successful Single Factor Authentication
id: 98f6ad4f-4325-4096-9d69-45dc8e638e82
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- Okta
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] has successfully logged in to Okta Dashboard with single factor authentication from IP Address - [$src_ip$].
risk_objects:
diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml
index 696bd0ee97..3e627f4455 100644
--- a/detections/application/okta_suspicious_activity_reported.yml
+++ b/detections/application/okta_suspicious_activity_reported.yml
@@ -1,7 +1,7 @@
name: Okta Suspicious Activity Reported
id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] reported suspicious activity in Okta. Investigate further to determine if this was authorized.
risk_objects:
diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
index 8c1af7aa87..03e314756c 100644
--- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml
+++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
@@ -1,7 +1,7 @@
name: Okta Suspicious Use of a Session Cookie
id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk
type: Anomaly
status: production
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] is attempting to use a session cookie from multiple IP addresses or devices. Investigate further to determine if this was authorized.
risk_objects:
diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml
index dafbac02bc..d33e5c30d1 100644
--- a/detections/application/okta_threatinsight_threat_detected.yml
+++ b/detections/application/okta_threatinsight_threat_detected.yml
@@ -1,7 +1,7 @@
name: Okta ThreatInsight Threat Detected
id: 140504ae-5fe2-4d65-b2bc-a211813fbca6
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$app$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following $src_ip$ has been identified as a threat by Okta ThreatInsight. Investigate further to determine if this was authorized.
risk_objects:
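Review bot: The rewritten search line filters `normalized_risk_object IN ("$app$")` while the RBA message for this detection identifies the threat by `$src_ip$`; if the risk object is the source IP (the `risk_objects:` block is outside the hunk), the drilldown pivots on the wrong token and returns an empty table. Align the pivot with the risk object, e.g. `IN ("$src_ip$")`, and update the drilldown name to match. The `0`/`7d` type mismatch noted on the sibling files applies here too.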
diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml
index 17cdb9484f..48b9fa6a97 100644
--- a/detections/application/okta_unauthorized_access_to_application.yml
+++ b/detections/application/okta_unauthorized_access_to_application.yml
@@ -1,7 +1,7 @@
name: Okta Unauthorized Access to Application
id: 5f661629-9750-4cb9-897c-1f05d6db8727
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- Okta
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] is attempting to access an unauthorized application from IP Address - [$src$]
risk_objects:
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml
index b4a5920f10..e9497e1820 100644
--- a/detections/application/okta_user_logins_from_multiple_cities.yml
+++ b/detections/application/okta_user_logins_from_multiple_cities.yml
@@ -1,7 +1,7 @@
name: Okta User Logins from Multiple Cities
id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- Okta
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user [$user$] has logged in from multiple cities [$City$] from IP Address - [$src$]. Investigate further to determine if this was authorized.
risk_objects:
diff --git a/detections/application/ollama_abnormal_network_connectivity.yml b/detections/application/ollama_abnormal_network_connectivity.yml
index 41aa1e9d5c..e51ff11345 100644
--- a/detections/application/ollama_abnormal_network_connectivity.yml
+++ b/detections/application/ollama_abnormal_network_connectivity.yml
@@ -1,7 +1,7 @@
name: Ollama Abnormal Network Connectivity
id: 19ec30ad-faa2-496a-a6a9-f2e5f778fbdb
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$",) starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$",) | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Abnormal network activity detected on $host$ with $incidents$ incidents from $src$. Investigation needed for network errors: $warning_messages$.'
risk_objects:
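Review bot: The new search line keeps `IN ("$src$",)` with a trailing comma before the closing parenthesis; Splunk's `IN` operator takes a comma-separated value list and the empty trailing element is likely to be rejected by the search parser, leaving this drilldown broken even though the commit rewrites the line. Change it to `normalized_risk_object IN ("$src$")` to match every sibling drilldown in this commit. The detection is still `status: experimental`, so this would not surface until it is promoted.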
diff --git a/detections/application/ollama_abnormal_service_crash_availability_attack.yml b/detections/application/ollama_abnormal_service_crash_availability_attack.yml
index 25204cbb84..8dcc6e3b0f 100644
--- a/detections/application/ollama_abnormal_service_crash_availability_attack.yml
+++ b/detections/application/ollama_abnormal_service_crash_availability_attack.yml
@@ -1,7 +1,7 @@
name: Ollama Abnormal Service Crash Availability Attack
id: 327fa152-9b56-4e4e-bc0b-2795d4068afa
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: 'View risk events for the last 7 days for - "$host$"'
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Abnormal Ollama service termination detected on host $host$ between $first_seen$ and $last_seen$. Service stopped $termination_count$ times with $unique_errors$ unique error types. Severity: $severity$. Potential cause: $attack_type$. Error messages: $error_messages$ require investigation.'
risk_objects:
diff --git a/detections/application/ollama_excessive_api_requests.yml b/detections/application/ollama_excessive_api_requests.yml
index eeec0e6719..29cc757848 100644
--- a/detections/application/ollama_excessive_api_requests.yml
+++ b/detections/application/ollama_excessive_api_requests.yml
@@ -1,7 +1,7 @@
name: Ollama Excessive API Requests
id: 1cfab663-9adc-4169-a88c-6bae29ba3c70
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible DDoS attack from $src$ against Ollama server detected with request count $request_count$ in 1 minute, potentially causing service degradation or complete unavailability.
risk_objects:
diff --git a/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml b/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml
index 17856216f4..416ab2d54e 100644
--- a/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml
+++ b/detections/application/ollama_possible_api_endpoint_scan_reconnaissance.yml
@@ -1,7 +1,7 @@
name: Ollama Possible API Endpoint Scan Reconnaissance
id: ad3f352a-0347-48ee-86b9-670b5025a548
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: API reconnaissance activity detected from $src$ on $host$ with $total_requests$ requests across different endpoints using methods $methods$ and receiving status codes $status_codes$, indicating systematic endpoint enumeration to map API attack surface and identify potential vulnerabilities.
risk_objects:
diff --git a/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml b/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml
index d5756e276a..b41a0c1198 100644
--- a/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml
+++ b/detections/application/ollama_possible_memory_exhaustion_resource_abuse.yml
@@ -1,7 +1,7 @@
name: Ollama Possible Memory Exhaustion Resource Abuse
id: ca96297f-e82e-4749-8cc9-d1ab555abb57
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential resource exhaustion attack detected on $host$ with $operations$ memory operations in 5 minutes, utilizing $max_memory$ MiB peak memory and $total_runners$ runners, indicating possible attempts to exhaust system resources through excessive model loading or memory abuse.
risk_objects:
diff --git a/detections/application/ollama_possible_model_exfiltration_data_leakage.yml b/detections/application/ollama_possible_model_exfiltration_data_leakage.yml
index f90ff76b9d..b1ae5c6234 100644
--- a/detections/application/ollama_possible_model_exfiltration_data_leakage.yml
+++ b/detections/application/ollama_possible_model_exfiltration_data_leakage.yml
@@ -1,7 +1,7 @@
name: Ollama Possible Model Exfiltration Data Leakage
id: c9fd1a54-0eab-4470-8970-d5fcc3c740fb
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential model data exfiltration detected from $src$ with $avg_response_time$ attempts across endpoints, indicating systematic extraction of sensitive model configurations, architecture details, and proprietary customizations that may constitute intellectual property theft.
risk_objects:
diff --git a/detections/application/ollama_possible_rce_via_model_loading.yml b/detections/application/ollama_possible_rce_via_model_loading.yml
index ac3ca2c140..1e503740a6 100644
--- a/detections/application/ollama_possible_rce_via_model_loading.yml
+++ b/detections/application/ollama_possible_rce_via_model_loading.yml
@@ -1,7 +1,7 @@
name: Ollama Possible RCE via Model Loading
id: 3f28c930-5208-425d-a7b9-53d349756d91
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$", starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$", | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious model loading errors detected on $host$ with $error_count$ failures showing error messages $error_messages$, potentially indicating malicious model injection, path traversal exploitation, or attempts to achieve remote code execution through crafted model files.
risk_objects:
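Review bot: The new `search:` line still has an unclosed `IN (` list — `normalized_risk_object IN ("$host$", | stats` — carried over from the old line (`IN ("$host$", starthoursago=168`), so this drilldown is a syntax error in SPL rather than a 7-day risk-event view for the host; every sibling drilldown hunk in this chunk closes the list with `)`. Change it to `normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime ...`. The `drilldown_searches` list this entry belongs to begins above the hunk.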
diff --git a/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml b/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml
index 5374b7c5ed..082fa1ba1f 100644
--- a/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml
+++ b/detections/application/ollama_suspicious_prompt_injection_jailbreak.yml
@@ -1,7 +1,7 @@
name: Ollama Suspicious Prompt Injection Jailbreak
id: aac5df6f-9151-4da6-bdb2-5691aa6e376f
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Rod Soto
status: experimental
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential prompt injection or jailbreak attempt detected from $src$ with $long_request_count$ requests averaging $avg_response_time$ seconds, indicating possible attempts to bypass AI safety controls or extract sensitive information from the Ollama model.
risk_objects:
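Review bot: `earliest_offset: 7d` and `latest_offset: 0` replace the removed `starthoursago=168`, but `7d` carries no sign and `0` is an unquoted YAML integer, unlike the `$info_min_time$`/`$info_max_time$` string offsets used by the first drilldown in the same stanza; whether the build tooling renders an unsigned `7d` as a 7-day lookback (rather than a forward window) and accepts an int here is not visible from the diff and is worth confirming against the drilldown schema before this lands. If the consumer expects Splunk relative-time strings, `earliest_offset: '-7d'` and `latest_offset: '0'` would be the unambiguous form. The identical change appears in every other "View risk events" hunk in this chunk (the Ollama RCE, PingID, AppDynamics, Zoom and ASL AWS files), so one decision should be applied uniformly. The `drilldown_searches` list begins above the hunk.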
diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
index 03372c1c09..93d27b9bfd 100644
--- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
+++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
@@ -1,7 +1,7 @@
name: PingID Mismatch Auth Source and Verification Response
id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An authentication by [$user$] was detected from [$dest$ - $auth_Country$] and the verification was received from [$src$ - $verify_Country$].
risk_objects:
diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
index 06d4512737..6a0d101edb 100644
--- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: PingID Multiple Failed MFA Requests For User
id: c1bc706a-0025-4814-ad30-288f38865036
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple Failed MFA requests $mfa_prompts$ for user $user$ between $firstTime$ and $lastTime$.
risk_objects:
diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
index 1ac87a9656..93eb0411df 100644
--- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml
+++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
@@ -1,7 +1,7 @@
name: PingID New MFA Method After Credential Reset
id: 2fcbce12-cffa-4c84-b70c-192604d201d0
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An MFA configuration change was detected for [$user$] within [$timeDiff$] of a password reset. The device [$object$] was $action$.
risk_objects:
diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml
index 9014a23c77..7e5389268b 100644
--- a/detections/application/pingid_new_mfa_method_registered_for_user.yml
+++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
name: PingID New MFA Method Registered For User
id: 892dfeaf-461d-4a78-aac8-b07e185c9bce
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An MFA configuration change was detected for [$user$], the device [$object$] was $action$.
risk_objects:
diff --git a/detections/application/splunk_appdynamics_secure_application_alerts.yml b/detections/application/splunk_appdynamics_secure_application_alerts.yml
index d07c47feff..d95b8b4012 100644
--- a/detections/application/splunk_appdynamics_secure_application_alerts.yml
+++ b/detections/application/splunk_appdynamics_secure_application_alerts.yml
@@ -1,7 +1,7 @@
name: Splunk AppDynamics Secure Application Alerts
id: d1a45d84-8dd1-4b31-8854-62b0b1d5da0b
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Ryan Long, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$app_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$app_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $risk_message$
risk_objects:
diff --git a/detections/application/zoom_high_video_latency.yml b/detections/application/zoom_high_video_latency.yml
index 9d4a10e68d..389bee7e96 100644
--- a/detections/application/zoom_high_video_latency.yml
+++ b/detections/application/zoom_high_video_latency.yml
@@ -1,7 +1,7 @@
name: Zoom High Video Latency
id: 6ad6b548-adfa-452c-aa77-9ff94877e832
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Marissa Bower, Raven Tait
status: experimental
type: Anomaly
@@ -16,9 +16,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$email$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious latency from $email$ in Zoom activity.
risk_objects:
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index e148466ff2..cfbfd514e6 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
name: ASL AWS Concurrent Sessions From Different Ips
id: b3424bbe-3204-4469-887b-ec144483a336
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.
risk_objects:
diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
index 1c966575d2..a1eddf8b56 100644
--- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
@@ -1,7 +1,7 @@
name: ASL AWS Create Policy Version to allow all resources
id: 22cc7a62-3884-48c4-82da-592b8199b72f
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ created a policy version that allows them to access any resource in their account
risk_objects:
diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
index 2957d01267..ff5530e32a 100644
--- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
@@ -1,7 +1,7 @@
name: ASL AWS Credential Access GetPasswordData
id: a79b607a-50cc-4704-bb9d-eff280cb78c2
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is seen to make `GetPasswordData` API calls
risk_objects:
diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
index 3282d2dedb..0e8e2311e4 100644
--- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
@@ -1,7 +1,7 @@
name: ASL AWS Credential Access RDS Password reset
id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is seen to reset the password for database
risk_objects:
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
index cb6b01f882..4d4e217466 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
@@ -1,7 +1,7 @@
name: ASL AWS Defense Evasion Delete Cloudtrail
id: 1f0b47e5-0134-43eb-851c-e3258638945e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has deleted CloudTrail logging
risk_objects:
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index a356decc1e..9fe61474af 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -1,7 +1,7 @@
name: ASL AWS Defense Evasion Delete CloudWatch Log Group
id: 0f701b38-a0fb-43fd-a83d-d12265f71f33
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has deleted a CloudWatch logging group
risk_objects:
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index 2f74b45fc0..5e4f3c13c0 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -1,7 +1,7 @@
name: ASL AWS Defense Evasion Stop Logging Cloudtrail
id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index 66ec0b9b5b..63f945a484 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -1,7 +1,7 @@
name: ASL AWS Defense Evasion Update Cloudtrail
id: f3eb471c-16d0-404d-897c-7653f0a78cba
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has updated a cloudtrail logging for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 78b9fa09f1..45b4c9ac82 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,7 +1,7 @@
name: ASL AWS Detect Users creating keys with encrypt policy without MFA
id: 16ae9076-d1d5-411c-8fdd-457504b33dac
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts
risk_objects:
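Review bot: `earliest_offset: 7d` and `latest_offset: 0` replace the `$info_min_time$`/`$info_max_time$` tokens and the in-search `starthoursago=168` bound is dropped, so the drilldown's time window now rests entirely on how the consumer interprets these two values. If the consumer expects a Splunk relative-time modifier, a bare `7d` without a leading `-` may be read as a positive offset while the panel name still promises "last 7 days"; verify against a rendered notable and use whichever form the consumer documents. Note also that `0` parses as a YAML integer whereas `7d` is a string, so quoting both (`earliest_offset: '7d'`, `latest_offset: '0'`) keeps the field types uniform across the corpus. The identical change appears in the drilldown hunk of every other file in this chunk, from asl_aws_disable_bucket_versioning.yml through aws_bedrock_delete_model_invocation_logging_configuration.yml, so whatever is decided here applies to all of them.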
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index d7bf9aeb1e..5e317a6bf5 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -1,7 +1,7 @@
name: ASL AWS Disable Bucket Versioning
id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src$
risk_objects:
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index 88fd1595c3..ebc9e678bf 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -1,7 +1,7 @@
name: ASL AWS EC2 Snapshot Shared Externally
id: 00af8f7f-e004-446b-9bba-2732f717ae27
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS EC2 snapshot from user $user$ is shared publicly
risk_objects:
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index f0cdcd768e..d141d43017 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -1,7 +1,7 @@
name: ASL AWS ECR Container Upload Outside Business Hours
id: 739ed682-27e9-4ba0-80e5-a91b97698213
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Container uploaded outside business hours from $user$
risk_objects:
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index 6bdef1fc03..d7d0f8b25b 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
@@ -1,7 +1,7 @@
name: ASL AWS ECR Container Upload Unknown User
id: 886a8f46-d7e2-4439-b9ba-aec238e31732
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Container uploaded from unknown user $user$
risk_objects:
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index d6978a5889..7eb66c0388 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM AccessDenied Discovery Events
id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.
risk_objects:
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index d9fb146242..f1b0398606 100644
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM Assume Role Policy Brute Force
id: 726959fe-316d-445c-a584-fa187d64e295
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name.
risk_objects:
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index 77e03d16a2..b231de4fda 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM Failure Group Deletion
id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has had mulitple failures while attempting to delete groups from $src$
risk_objects:
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index 2c78c6b642..7f82f058e9 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
name: ASL AWS Multi-Factor Authentication Disabled
id: 4d2df5e0-1092-4817-88a8-79c7fa054668
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has disabled Multi-Factor authentication
risk_objects:
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
index c33fc79920..86a12bfb36 100644
--- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,7 +1,7 @@
name: ASL AWS Network Access Control List Created with All Open Ports
id: a2625034-c2de-44fc-b45c-7bac9c4a7974
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has created network ACLs with all the ports opens to $cidrBlock$
risk_objects:
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index 3b86df5255..68810adeaa 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
name: ASL AWS Network Access Control List Deleted
id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ from $src$ has sucessfully deleted network ACLs entry.
risk_objects:
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 55f9e786fb..ff25d23ca3 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
name: ASL AWS New MFA Method Registered For User
id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new virtual device is added to user $user$
risk_objects:
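Review bot: The rewritten search at this hunk filters `normalized_risk_object IN ("$dest$")` and the panel name uses `$dest$`, while the rba message three lines below refers to `$user$`; if this detection's risk object is the user, as the message suggests, the `$dest$` token will not resolve and the drilldown will search for an empty or literal value. Since the search line is being rewritten anyway, confirm which field this detection emits and, if it is the user, change both the name and the search to `"$user$"` to match the sibling files in this commit. The risk_objects entries that would settle this are outside the hunk.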
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml
index beb19dce7e..ae71515463 100644
--- a/detections/cloud/asl_aws_saml_update_identity_provider.yml
+++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml
@@ -1,7 +1,7 @@
name: ASL AWS SAML Update identity provider
id: 635c26cc-0fd1-4098-8ec9-824bf9544b11
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ from IP address $src$ updated the SAML provider
risk_objects:
diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml
index 90ba009216..82ecc602cd 100644
--- a/detections/cloud/asl_aws_updateloginprofile.yml
+++ b/detections/cloud/asl_aws_updateloginprofile.yml
@@ -1,7 +1,7 @@
name: ASL AWS UpdateLoginProfile
id: 5b3f63a3-865b-4637-9941-f98bd1a50c0d
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ from IP address $src$ updated the login profile of another user
risk_objects:
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index 7b4cda8000..a381b99051 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -1,7 +1,7 @@
name: AWS AMI Attribute Modification for Exfiltration
id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS AMI from account $vendor_account$ is shared externally with $accounts_added$ from $src$ or AMI made is made Public.
risk_objects:
diff --git a/detections/cloud/aws_bedrock_delete_guardrails.yml b/detections/cloud/aws_bedrock_delete_guardrails.yml
index 22df03a62d..f0d7c12898 100644
--- a/detections/cloud/aws_bedrock_delete_guardrails.yml
+++ b/detections/cloud/aws_bedrock_delete_guardrails.yml
@@ -1,7 +1,7 @@
name: AWS Bedrock Delete GuardRails
id: 7a5e3d62-f743-11ee-9f6e-acde48001122
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ deleted AWS Bedrock GuardRails $guardrailIds$ from $src$
risk_objects:
diff --git a/detections/cloud/aws_bedrock_delete_knowledge_base.yml b/detections/cloud/aws_bedrock_delete_knowledge_base.yml
index 933db65843..224d77728c 100644
--- a/detections/cloud/aws_bedrock_delete_knowledge_base.yml
+++ b/detections/cloud/aws_bedrock_delete_knowledge_base.yml
@@ -1,7 +1,7 @@
name: AWS Bedrock Delete Knowledge Base
id: 8b4e3d62-f743-11ee-9f6e-acde48001123
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ deleted AWS Bedrock Knowledge Base $knowledgeBaseIds$ from $src$
risk_objects:
diff --git a/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml b/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml
index b43e452d9a..7f4dd70c56 100644
--- a/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml
+++ b/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml
@@ -1,7 +1,7 @@
name: AWS Bedrock Delete Model Invocation Logging Configuration
id: 9c5e3d62-f743-11ee-9f6e-acde48001124
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ deleted AWS Bedrock model invocation logging from $src$
risk_objects:
diff --git a/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml b/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml
index 61d56ba9eb..7f5d0db95d 100644
--- a/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml
+++ b/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml
@@ -1,7 +1,7 @@
name: AWS Bedrock High Number List Foundation Model Failures
id: e84b3c74-f742-11ee-9f6e-acde48001122
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ attempted to list AWS Bedrock foundation models $count$ times with failures from $src$
risk_objects:
diff --git a/detections/cloud/aws_bedrock_invoke_model_access_denied.yml b/detections/cloud/aws_bedrock_invoke_model_access_denied.yml
index 186488a979..2829bfcc7d 100644
--- a/detections/cloud/aws_bedrock_invoke_model_access_denied.yml
+++ b/detections/cloud/aws_bedrock_invoke_model_access_denied.yml
@@ -1,7 +1,7 @@
name: AWS Bedrock Invoke Model Access Denied
id: c53a8e62-f741-11ee-9f6e-acde48001122
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ access denied when attempting to invoke AWS Bedrock models from $src$
risk_objects:
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index c7f5e0f005..f02a2ba27e 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
name: AWS Concurrent Sessions From Different Ips
id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has concurrent sessions from more than one unique IP address $src$ in the span of 5 minutes.
risk_objects:
diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
index 9fbf171fa8..7d0b91ca9c 100644
--- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
+++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
name: AWS Console Login Failed During MFA Challenge
id: 55349868-5583-466f-98ab-d3beb321961e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to pass MFA challenge while logging into console from $src$
risk_objects:
diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
index 9c544b174c..a5b9bc973b 100644
--- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
@@ -1,7 +1,7 @@
name: AWS Create Policy Version to allow all resources
id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac4
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ created a policy version that allows them to access any resource in their account.
risk_objects:
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml
index bdc172b27a..e4d60a4d76 100644
--- a/detections/cloud/aws_createloginprofile.yml
+++ b/detections/cloud/aws_createloginprofile.yml
@@ -1,7 +1,7 @@
name: AWS CreateLoginProfile
id: 2a9b80d3-6340-4345-11ad-212bf444d111
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is attempting to create a login profile for $new_login_profile$ and did a console login from this IP $src_ip$
risk_objects:
diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml
index 8f91f87084..97a9002018 100644
--- a/detections/cloud/aws_credential_access_failed_login.yml
+++ b/detections/cloud/aws_credential_access_failed_login.yml
@@ -1,7 +1,7 @@
name: AWS Credential Access Failed Login
id: a19b354d-0d7f-47f3-8ea6-1a7c36434968
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has a login failure from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml
index 903023ce20..12e6d8081c 100644
--- a/detections/cloud/aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/aws_credential_access_getpassworddata.yml
@@ -1,7 +1,7 @@
name: AWS Credential Access GetPasswordData
id: 4d347c4a-306e-41db-8d10-b46baf71b3e2
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is seen to make mulitple `GetPasswordData` API calls to multiple instances from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml
index f3ff784b0d..747d2886db 100644
--- a/detections/cloud/aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/aws_credential_access_rds_password_reset.yml
@@ -1,7 +1,7 @@
name: AWS Credential Access RDS Password reset
id: 6153c5ea-ed30-4878-81e6-21ecdb198189
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $database_id$ password has been reset from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
index a8cbdfedd0..0a5e41ef7c 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
@@ -1,7 +1,7 @@
name: AWS Defense Evasion Delete Cloudtrail
id: 82092925-9ca1-4e06-98b8-85a2d3889552
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has delete a CloudTrail logging for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
index 97825f6b26..d8bc32bec3 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -1,7 +1,7 @@
name: AWS Defense Evasion Delete CloudWatch Log Group
id: d308b0f1-edb7-4a62-a614-af321160710f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has deleted a CloudWatch logging group for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
index 2579eaed78..a84c1df67b 100644
--- a/detections/cloud/aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -1,7 +1,7 @@
name: AWS Defense Evasion Impair Security Services
id: b28c4957-96a6-47e0-a965-6c767aac1458
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Bhavin Patel, Gowthamaraj Rajendran, Splunk, PashFW, Github Community
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has deleted a security service by attempting to $signature$ for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
index a580885694..607869c415 100644
--- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -1,7 +1,7 @@
name: AWS Defense Evasion Stop Logging Cloudtrail
id: 8a2f3ca2-4eb5-4389-a549-14063882e537
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
index aec7c80767..6068d8f0c2 100644
--- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
@@ -1,7 +1,7 @@
name: AWS Defense Evasion Update Cloudtrail
id: 7c921d28-ef48-4f1b-85b3-0af8af7697db
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has updated a cloudtrail logging for account id $vendor_account$ from IP $src$
risk_objects:
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 80cc2c0b28..16c5591b0a 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,7 +1,7 @@
name: AWS Detect Users creating keys with encrypt policy without MFA
id: c79c164f-4b21-4847-98f9-cf6a9f49179e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Rod Soto, Patrick Bareiss Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts.
risk_objects:
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 8029ee0035..513de0ae13 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -1,7 +1,7 @@
name: AWS Detect Users with KMS keys performing encryption S3
id: 884a5f59-eec7-4f4a-948b-dbde18225fdc
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Rod Soto, Patrick Bareiss Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ with KMS keys is performing encryption, against S3 buckets on these files $dest_file$
risk_objects:
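Review bot: `earliest_offset: 7d` is a string while `latest_offset: 0` is a bare integer, so the two sibling keys are typed differently by the YAML loader; the values they replace (`$info_min_time$`, `$info_max_time$`) were both strings. If the drilldown model declares both fields as strings, the integer may be rejected or rendered inconsistently, so quoting the pair as `earliest_offset: '7d'` and `latest_offset: '0'` keeps them uniform without relying on loader coercion. I cannot see the schema from here, so treat this as a consistency nit if validation already accepts the mix.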
diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml
index 8dcef92f1b..4ce918a128 100644
--- a/detections/cloud/aws_disable_bucket_versioning.yml
+++ b/detections/cloud/aws_disable_bucket_versioning.yml
@@ -1,7 +1,7 @@
name: AWS Disable Bucket Versioning
id: 657902a9-987d-4879-a1b2-e7a65512824b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user$ from IP address $src$
risk_objects:
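Review bot: The user token is spliced into the SPL string as `normalized_risk_object IN ("$user$")` without any escaping, so a value containing a double quote or SPL keywords would alter the drilldown query; the pattern predates this commit but the rewritten line keeps it. For CloudTrail identities the allowed character set is narrow, so the practical exposure is low, but a one-line caveat would help the next maintainer, e.g. `# NOTE: $user$ is interpolated raw into SPL; assumes IAM naming rules keep it quote-free`. The `risk_objects` mapping that feeds `$user$` starts just outside the hunk.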
diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
index 10a030450e..a5be355fd9 100644
--- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
@@ -1,7 +1,7 @@
name: AWS EC2 Snapshot Shared Externally
id: 2a9b80d3-6340-4345-b5ad-290bf3d222c4
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS EC2 snapshot from account $vendor_account$ is shared with $requested_account_id$ by user $user$ from $src$
risk_objects:
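Review bot: `earliest_offset: 7d` relies on ES interpreting the value as a Splunk relative-time modifier, while the tokens it replaces (`$info_min_time$`, `$info_max_time$`) were absolute times and the old `starthoursago=168` was an in-search modifier; if the drilldown offset fields expect seconds, `7d` would not give the window the name promises. Please confirm the accepted formats for `earliest_offset`/`latest_offset` in the target ES version and, if seconds are required, use `604800` with a comment stating it is 7 days. The rest of the detection is outside the hunk.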
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
index d10363396f..c3cbc9f587 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Scanning Findings High
id: 30a0e9f8-f1dd-4f9d-8fc2-c622461d781c
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Vulnerabilities with severity high found in repository $repository$
risk_objects:
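Review bot: This drilldown pivots on `$user$`, but the rba message that follows refers only to `$repository$`, so the hunk does not show that `user` is a risk object for this detection; if the Risk data model stores the repository as the normalized risk object, `normalized_risk_object IN ("$user$")` returns nothing. Worth checking the `risk_objects` list (outside the hunk) and, if both fields are risk objects, widening the filter to `normalized_risk_object IN ("$user$", "$repository$")` so the 7-day view also covers the repository.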
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
index 8d6fdedc96..1b6af74e04 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Scanning Findings Low Informational Unknown
id: cbc95e44-7c22-443f-88fd-0424478f5589
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Eric McGinnis Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Vulnerabilities found in repository $repository$
risk_objects:
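Review bot: The window now ends at the event (`latest_offset: 0`), so follow-on risk events for `$user$` raised after this low/informational finding are excluded, which was not the case with the open-ended `starthoursago=168`. Since the rba message here only names `$repository$`, please also confirm `user` is actually among the `risk_objects` (outside the hunk); otherwise the drilldown matches nothing. If a trailing window is wanted, a positive `latest_offset` documented in the drilldown name would be clearer than `0`.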
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
index 49330f6f06..08ae26085e 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Scanning Findings Medium
id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Vulnerabilities with severity medium found in repository $repository$
risk_objects:
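Review bot: `earliest_offset: 7d` and `latest_offset: 0` are a string and an integer respectively, which is a small inconsistency in a pair that previously held two string tokens; quoting both (`'7d'`, `'0'`) avoids depending on how the loader and the drilldown model coerce the bare `0`. The name still says "last 7 days", which only holds if ES treats `7d` as a relative-time modifier rather than a seconds offset; worth a quick check against the schema.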
diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
index b675818ca5..2ac81f26c4 100644
--- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Upload Outside Business Hours
id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Container uploaded outside business hours from $user$
risk_objects:
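Review bot: For an out-of-hours upload the interesting risk events for `$user$` are often the ones that follow the push (image scan findings, later pushes), and `latest_offset: 0` cuts the window at the alert time if ES applies the offsets relative to the event, so those would no longer appear in this drilldown. The previous `starthoursago=168` was relative to search run time and had no end bound. Consider a non-zero `latest_offset` or a note in the drilldown name that the window is the 7 days leading up to the alert.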
diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
index b92e936825..83bf6950b0 100644
--- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
@@ -1,7 +1,7 @@
name: AWS ECR Container Upload Unknown User
id: 300688e4-365c-4486-a065-7c884462b31d
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Container uploaded from unknown user $user$
risk_objects:
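Review bot: The rewritten search still embeds `$user$` verbatim inside `IN ("$user$")`, and this detection fires on users that are by definition not on an allow list, so the value is less predictable than a known IAM principal; a quote or SPL keyword in it would change the drilldown query. This is pre-existing rather than introduced here, but a caveat such as `# NOTE: token is interpolated raw into SPL` next to the search line would record the assumption. The `risk_objects` definition starts outside the hunk.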
diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml
index 5c03b070d7..a5ab89123f 100644
--- a/detections/cloud/aws_excessive_security_scanning.yml
+++ b/detections/cloud/aws_excessive_security_scanning.yml
@@ -1,7 +1,7 @@
name: AWS Excessive Security Scanning
id: 1fdd164a-def8-4762-83a9-9ffe24e74d5a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has excessive number of api calls $dc_events$ from these IP addresses $src$, violating the threshold of 50, using the following actions $signature$.
risk_objects:
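Review bot: `latest_offset: 0` anchors the end of the 7-day window at the notable time (assuming ES applies offsets relative to the event), so any risk events `$user$` generates after the scanning burst, which is usually what an analyst wants next, fall outside this drilldown; the removed `starthoursago=168` had no upper bound. If the trailing activity matters, a positive `latest_offset` is the simple fix; otherwise rename the drilldown to say it covers the 7 days before the alert.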
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
index 7e533a009b..6002e86a93 100644
--- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
+++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
@@ -1,7 +1,7 @@
name: AWS Exfiltration via Anomalous GetObject API Activity
id: e4384bbf-5835-4831-8d85-694de6ad2cc6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Anomalous S3 activities detected by user $user$ from $src$
risk_objects:
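Review bot: `earliest_offset: 7d` mixes a relative-time string into a field that previously carried an absolute-time token, and its sibling `latest_offset: 0` is an unquoted integer; please confirm the drilldown schema accepts both forms, and quote `'0'` so the pair is typed consistently. If the offsets are event-relative, the window also stops at the alert, so GetObject-related risk events after the anomaly will not be listed; that is a behaviour change from the open-ended `starthoursago=168`.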
diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml
index 5aa5e7d88a..788bc983b0 100644
--- a/detections/cloud/aws_exfiltration_via_batch_service.yml
+++ b/detections/cloud/aws_exfiltration_via_batch_service.yml
@@ -1,7 +1,7 @@
name: AWS Exfiltration via Batch Service
id: 04455dd3-ced7-480f-b8e6-5469b99e98e2
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS Batch Job is created on account id - $vendor_account$ from src_ip $src$
risk_objects:
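Review bot: The drilldown name says "last 7 days" and the rba message names `$vendor_account$` and `$src$`, yet the search filters only `"$user$"`; if the account or source is also declared under `risk_objects` (outside the hunk), the analyst loses their 7-day history from this view. Extending the filter to `normalized_risk_object IN ("$user$", "$vendor_account$")` would match the message. The `latest_offset: 0` end bound also drops any risk events recorded after the batch job was created, if ES applies the offsets relative to the event.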
diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
index a6023cd06b..9289a827bc 100644
--- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml
+++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
@@ -1,7 +1,7 @@
name: AWS Exfiltration via Bucket Replication
id: eeb432d6-2212-43b6-9e89-fcd753f7da4c
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_arn$" and "$aws_account_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$aws_account_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$aws_account_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AWS Bucket Replication rule added to $bucket_name$ by user $user$ from IP Address - $src$
risk_objects:
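Review bot: This drilldown filters on `"$user_arn$"` and `"$aws_account_id$"`, while the rba message two lines below uses `$user$` and every other AWS detection in this commit pivots on `$user$` (with `$vendor_account$` for the account); unless `user_arn` and `aws_account_id` are the fields declared under `risk_objects` (outside the hunk), `normalized_risk_object` will never match and the 7-day view comes back empty. If the risk objects are `user`/`vendor_account` like the neighbours, the search line should read `normalized_risk_object IN ("$user$", "$vendor_account$")` and the drilldown name should be updated to match.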
diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml
index 29dd6642ad..e3b3b4f45c 100644
--- a/detections/cloud/aws_exfiltration_via_datasync_task.yml
+++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml
@@ -1,7 +1,7 @@
name: AWS Exfiltration via DataSync Task
id: 05c4b09f-ea28-4c7c-a7aa-a246f665c8a2
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: DataSync task created on account id - $vendor_account$ by user $user$ from src_ip $src$
risk_objects:
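Review bot: The change replaces an in-search modifier (`starthoursago=168`, relative to run time, no end bound) with offsets that, if ES applies them relative to the event, end the window at the alert; DataSync tasks are created before the data moves, so the risk events an analyst most wants for `$user$` are the later ones this drilldown now omits. A positive `latest_offset` or a name stating the window precedes the alert would make the intent clear. Also confirm `7d` is an accepted offset format and not a seconds count.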
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 9a3281d19c..72cc5317ec 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -1,7 +1,7 @@
name: AWS Exfiltration via EC2 Snapshot
id: ac90b339-13fc-4f29-a18c-4abbba1f2171
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential AWS EC2 Exfiltration detected on account id - $vendor_account$ by user $user$ from src_ip $src$
risk_objects:
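Review bot: `earliest_offset: 7d` is a string and `latest_offset: 0` a bare integer, replacing two string tokens; quoting both (`'7d'`, `'0'`) keeps the pair uniform and avoids relying on the drilldown model coercing the integer. If the offsets are event-relative, the window also stops at the alert, so risk events for `$user$` after the snapshot activity are no longer in this view; that differs from the open-ended `starthoursago=168` it replaces.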
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
index b0bfbd365d..1739662915 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
name: AWS High Number Of Failed Authentications For User
id: e3236f49-daf3-4b70-b808-9290912ac64d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $vendor_account$
risk_objects:
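Review bot: For a failed-authentication burst the decisive follow-up is whether `$user$` produced risk events afterwards (a later successful login, privilege changes), and `latest_offset: 0` excludes those if ES treats the offsets as relative to the event, whereas the removed `starthoursago=168` extended to the time the analyst ran the search. Consider a non-zero `latest_offset` here, or rename the drilldown to say "7 days before the alert". The rest of the detection, including `risk_objects`, is outside the hunk.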
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
index 32681ad6fc..880550fef9 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: AWS High Number Of Failed Authentications From Ip
id: f75b7f1a-b8eb-4975-a214-ff3e0a944757
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Multiple failed console login attempts (Count: $failed_attempts$) against users from IP Address - $src$'
risk_objects:
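Review bot: The pivot here is `$src$` rather than a user, and the window now ends at the alert (`latest_offset: 0`), so a successful login or other risk events from the same IP after the failed-login burst will not appear, which is the most useful thing to see for this notable; the old `starthoursago=168` had no end bound. A positive `latest_offset` would restore that, assuming ES applies the offsets relative to the event time. Also confirm that `7d` is accepted as a relative-time offset rather than a seconds value.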
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 6580cd33af..80d723c1a7 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -1,7 +1,7 @@
name: AWS IAM AccessDenied Discovery Events
id: 3e1f1568-9633-11eb-a69c-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.
risk_objects:
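Review bot: `$user$` is still interpolated raw inside `IN ("$user$")`, and for AccessDenied discovery events the identity can be an assumed-role ARN with a session name chosen by the caller, so a value with a double quote or SPL keyword would alter the drilldown query. This predates the commit, but a short caveat beside the search line, e.g. `# NOTE: token inserted unescaped into SPL; relies on AWS principal naming rules`, records the assumption. The `risk_objects` block that defines `user` starts outside the hunk.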
diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
index 66c5fc75e0..ae83914fc3 100644
--- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
@@ -1,7 +1,7 @@
name: AWS IAM Assume Role Policy Brute Force
id: f19e09b0-9308-11eb-b7ec-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name.
risk_objects:
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index 9088b0ded8..0f2d349569 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
name: AWS IAM Failure Group Deletion
id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has had mulitple failures while attempting to delete groups from $src$
risk_objects:
diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml
index 51b43e7f07..05bb026189 100644
--- a/detections/cloud/aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
name: AWS Multi-Factor Authentication Disabled
id: 374832b1-3603-420c-b456-b373e24d34c0
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$vendor_account$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$vendor_account$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$vendor_account$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has disabled Multi-Factor authentication for AWS account $vendor_account$
risk_objects:
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index feec67f78c..ed5d2b1b33 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: AWS Multiple Failed MFA Requests For User
id: 1fece617-e614-4329-9e61-3ba228c0f353
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is seen to have high number of MFA prompt failures within a short period of time.
risk_objects:
diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
index aaacd3bc30..c0f36b9c12 100644
--- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: AWS Multiple Users Failing To Authenticate From Ip
id: 71e1fb89-dd5f-4691-8523-575420de4630
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Multiple failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$'
risk_objects:
diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
index 4a83bc3565..0415cd8040 100644
--- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,7 +1,7 @@
name: AWS Network Access Control List Created with All Open Ports
id: ada0f478-84a8-4641-a3f1-d82362d6bd75
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$
risk_objects:
diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml
index 125aec3504..5184f39872 100644
--- a/detections/cloud/aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
name: AWS Network Access Control List Deleted
id: ada0f478-84a8-4641-a3f1-d82362d6fd75
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ from $src$ has sucessfully deleted network ACLs entry, such that the instance is accessible from anywhere
risk_objects:
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
index 5d0a832ee0..9a5f94393f 100644
--- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
name: AWS New MFA Method Registered For User
id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new virtual device is added to user $user$
risk_objects:
diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
index c7a89af8f1..6891405645 100644
--- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
+++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
@@ -1,7 +1,7 @@
name: AWS S3 Exfiltration Behavior Identified
id: 85096389-a443-42df-b89d-200efbb1b560
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Correlation
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Suspicious Cloud Instance Activities
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
index dcd64e826d..94ebd8a610 100644
--- a/detections/cloud/aws_saml_update_identity_provider.yml
+++ b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -1,7 +1,7 @@
name: AWS SAML Update identity provider
id: 2f0604c6-6030-11eb-ae93-0242ac130002
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ from IP address $src$ has trigged an event $signature$ to update the SAML provider to $request_parameters$
risk_objects:
diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml
index 89fa29a93e..4c9f2687c9 100644
--- a/detections/cloud/aws_setdefaultpolicyversion.yml
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml
@@ -1,7 +1,7 @@
name: AWS SetDefaultPolicyVersion
id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: From IP address $src$, user $user$ has trigged an action $signature$ for updating the the default policy version
risk_objects:
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 1538e42a24..6b0b362703 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -1,7 +1,7 @@
name: AWS Successful Console Authentication From Multiple IPs
id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has successfully logged into the AWS Console from different IP addresses $src$ within 5 mins
risk_objects:
diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml
index 76c81e4b82..5c09736af0 100644
--- a/detections/cloud/aws_successful_single_factor_authentication.yml
+++ b/detections/cloud/aws_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
name: AWS Successful Single-Factor Authentication
id: a520b1fe-cc9e-4f56-b762-18354594c52f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$
risk_objects:
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index bbbf7ca334..6cec614384 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: AWS Unusual Number of Failed Authentications From Ip
id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$tried_accounts$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Unusual number of failed console login attempts (Count: $distinct_attempts$) against users from IP Address - $src$'
risk_objects:
diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml
index 0848f3b1a1..16e9bd8aba 100644
--- a/detections/cloud/aws_updateloginprofile.yml
+++ b/detections/cloud/aws_updateloginprofile.yml
@@ -1,7 +1,7 @@
name: AWS UpdateLoginProfile
id: 2a9b80d3-6a40-4115-11ad-212bf3d0d111
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: From IP address $src$, user agent $user_agent$ has trigged an event UpdateLoginProfile for updating the existing login profile, potentially giving user $user$ more access privilleges
risk_objects:
diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
index 6b2372dd43..88d113f006 100644
--- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml
+++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
@@ -1,7 +1,7 @@
name: Azure Active Directory High Risk Sign-in
id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A high risk event was identified by Identify Protection for user $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
index efa08989c5..6b9e0df0d7 100644
--- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
@@ -1,7 +1,7 @@
name: Azure AD Admin Consent Bypassed by Service Principal
id: 9d4fea43-9182-4c5a-ada8-13701fd5615d
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Add app role assignment to service principal
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $user$
risk_objects:
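Review bot: The rewritten search still pivots the Risk lookup on `$dest$`, while the risk message two lines below names `$src_user$` and `$user$` as the actors; the `risk_objects` list that decides which field is actually scored lies outside the hunk. If `dest` is not one of the declared risk objects, `normalized_risk_object IN ("$dest$")` matches nothing and the new 7-day window is moot for this drilldown. Worth checking against the `risk_objects` entries, and if the scored object is the service principal, switching both the token and the drilldown name to `$src_user$`.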
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index 2cf700c6c7..3d599520c1 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD Application Administrator Role Assigned
id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The privileged Azure AD role Application Administrator was assigned for User $user$ initiated by $initiatedBy$
risk_objects:
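Review bot: `latest_offset: 0` is parsed as a YAML integer while `earliest_offset: 7d` is a string, so the two sibling keys now carry different types; the earlier values were both `$info_*_time$` strings. Depending on how strictly the content schema types these fields that is either silently coerced or rejected at build time. Quoting it as `latest_offset: '0'` keeps both offsets strings, mirrors `7d`, and avoids relying on coercion.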
diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
index 3054a629f0..9cbd97d41c 100644
--- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
name: Azure AD Authentication Failed During MFA Challenge
id: e62c9c2e-bf51-4719-906c-3074618fcc1c
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk, 0xC0FFEEEE
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to pass MFA challenge
risk_objects:
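Review bot: With `starthoursago=168` gone, the Risk search has no time bound of its own and depends solely on the runner honouring `earliest_offset: 7d`; if that value is interpreted as a signed offset from the notable's time, a positive `7d` points forward and the window from `+7d` to `0` would be empty. The sign convention is not visible in this file, so this is a question rather than a confirmed defect. A self-contained guard such as `| where _time >= relative_time(now(), "-7d")` would keep the drilldown correct under either reading.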
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
index dcf6d6a7a1..a1231bd0bd 100644
--- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml
+++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -1,7 +1,7 @@
name: Azure AD AzureHound UserAgent Detected
id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Dean Luxton
data_source:
- Azure Active Directory NonInteractiveUserSignInLogs
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AzureHound UserAgent String $user_agent$ Detected on Tenant $dest$
risk_objects:
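Review bot: The drilldown pivots on `$user$`, but the risk message on the following line is built from `$user_agent$` and `$dest$` (the tenant), and the `risk_objects` list is outside this hunk; if `user` is not a scored object here, the search returns no rows regardless of the new window. Separately, `latest_offset: 0` is an unquoted integer next to the string `7d`; `'0'` would keep the pair consistently typed. Both are worth a glance against the declared `risk_objects`.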
diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
index 4e44bd1cd0..740533b6b6 100644
--- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
@@ -1,7 +1,7 @@
name: Azure AD Block User Consent For Risky Apps Disabled
id: 875de3d7-09bc-4916-8c0a-0929f4ced3d8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ disabled the BlockUserConsentForRiskyApps Azure AD setting.
risk_objects:
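Review bot: The search lost its `starthoursago=168` bound, so the effective window is whatever the drilldown runner derives from `earliest_offset: 7d` / `latest_offset: 0`; the file shows no precedent for literal relative-time values here (the previous values were `$info_min_time$`/`$info_max_time$`). If the consumer treats these as seconds rather than Splunk relative-time strings, `7d` may not be honoured and the Risk data model would be scanned over the default range. Either confirm the accepted syntax or add `| where _time >= relative_time(now(), "-7d")` so the SPL enforces the 7-day cap itself.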
diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
index 974ad9c9c0..380a3efd4f 100644
--- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
name: Azure AD Concurrent Sessions From Different Ips
id: a9126f73-9a9b-493d-96ec-0dd06695490d
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.
risk_objects:
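Review bot: Mixed scalar types on the two new offset keys: `earliest_offset: 7d` is a string, `latest_offset: 0` is an integer. If the consuming schema declares both as strings, the bare `0` depends on coercion; quoting it as `'0'` removes that dependency and keeps the pair symmetrical. No behavioural change is intended by the suggestion.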
diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml
index 543cc33899..76f4604af6 100644
--- a/detections/cloud/azure_ad_device_code_authentication.yml
+++ b/detections/cloud/azure_ad_device_code_authentication.yml
@@ -1,7 +1,7 @@
name: Azure AD Device Code Authentication
id: d68d8732-6f7e-4ee5-a6eb-737f2b990b91
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Device code requested for $user$ from $src$
risk_objects:
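Review bot: Removing `starthoursago=168` means the "last 7 days" in the drilldown name is now enforced only by `earliest_offset: 7d`, whose sign and unit semantics are not stated anywhere in the file; a runner expecting `-7d` or a seconds value would widen or empty the window silently. Since the search body is the only part an analyst sees when the drilldown opens, an explicit `| where _time >= relative_time(now(), "-7d")` would make the intended bound self-evident and independent of offset handling.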
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
index 9d688d1126..d2e5212718 100644
--- a/detections/cloud/azure_ad_external_guest_user_invited.yml
+++ b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -1,7 +1,7 @@
name: Azure AD External Guest User Invited
id: c1fb4edb-cab1-4359-9b40-925ffd797fb5
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: External Guest User $user$ initiated by $initiatedBy$
risk_objects:
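Review bot: `latest_offset: 0` is typed as an integer by YAML, unlike its sibling `earliest_offset: 7d` and unlike the `$info_max_time$` string it replaced. Whether that matters depends on the content schema, which is not visible here, but quoting it (`latest_offset: '0'`) is harmless and avoids a type-dependent surprise. The search change itself looks equivalent provided the runner honours the `7d` offset.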
diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
index 493e4e1ee9..46b33fc00b 100644
--- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD FullAccessAsApp Permission Assigned
id: ae286126-f2ad-421c-b240-4ea83bd1c43a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ assigned the full_access_as_app permission to the app registration $object$
risk_objects:
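Review bot: The in-SPL time bound (`starthoursago=168`) has been removed, so the Risk search is unbounded unless the drilldown runner applies `earliest_offset: 7d`; how it interprets a relative-time string versus a signed or seconds-based offset is not documented in this file. If there is any doubt, `| where _time >= relative_time(now(), "-7d")` after the `search` keeps the 7-day cap inside the query. Also consider `latest_offset: '0'` so both offsets are strings.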
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
index a884fb33de..c75ee6fe17 100644
--- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD Global Administrator Role Assigned
id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$
risk_objects:
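Review bot: Both offset keys were strings before this change; now `latest_offset: 0` is an integer while `earliest_offset: 7d` is a string. Quoting `'0'` keeps the field type stable for whatever validates these detection files. The drilldown name still says "last 7 days", which is correct only if the runner reads `7d` as looking backward from the event — worth confirming since the search no longer bounds itself.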
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
index a72648c7b2..f7dc1ed1ba 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
name: Azure AD High Number Of Failed Authentications For User
id: 630b1694-210a-48ee-a450-6f79e7679f2c
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to authenticate more than 20 times in the span of 10 minutes.
risk_objects:
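Review bot: The Risk search now relies entirely on `earliest_offset: 7d` for its window, and the hunk gives no evidence of how the runner parses that value; the previous `$info_min_time$` token and `starthoursago=168` pair worked regardless of offset semantics. If `7d` is treated as a positive (forward) offset or as an unrecognised format, the drilldown either returns nothing or scans the whole Risk index. A guard of `| where _time >= relative_time(now(), "-7d")` would make the bound explicit in the SPL.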
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
index 96d38a90d3..58b62d4340 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: Azure AD High Number Of Failed Authentications From Ip
id: e5ab41bf-745d-4f72-a393-2611151afd8e
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src$ failed to authenticate more than 20 times in the span of 10 minutes.
risk_objects:
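Review bot: The new search pivots on `$user$`, but this detection's risk message on the next line is `$src$ failed to authenticate ...`, suggesting the scored object is the source IP; the `risk_objects` list is outside the hunk, so this is inferred. If `src` is the only risk object, `normalized_risk_object IN ("$user$")` finds nothing and the 7-day window change does not help this drilldown. Confirm against `risk_objects` and, if so, change the token and name to `$src$`.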
diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
index 8b389637e0..332e120a5d 100644
--- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
name: Azure AD Multi-Factor Authentication Disabled
id: 482dd42a-acfa-486b-a0bb-d6fcda27318e
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: MFA disabled for User $user$ initiated by $initiatedBy$
risk_objects:
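Review bot: `latest_offset: 0` is an unquoted integer sitting next to the string `earliest_offset: 7d`; the values they replaced were both `$info_*_time$` strings. Quoting it as `'0'` avoids relying on schema coercion and keeps the two keys consistently typed. Otherwise the change is the same search-bound move as the sibling files and stands or falls on the runner honouring `7d`.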
diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
index dd559c8ae0..fe8a2e7787 100644
--- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple AppIDs and UserAgents Authentication Spike
id: 5d8bb1f0-f65a-4b4e-af2e-fcdb88276314
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ authenticated in a short periof of time with more than 5 different user agents across 3 or more unique application ids.
risk_objects:
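Review bot: With `starthoursago=168` removed, nothing in the SPL caps the Risk lookup; the cap now lives only in `earliest_offset: 7d`, whose interpretation (relative-time string, signed offset, or seconds) the file does not show. For an Anomaly-type detection that can fire often, an unbounded scan of `Risk.All_Risk` per drilldown is the failure mode if the offset is ignored. `| where _time >= relative_time(now(), "-7d")` after the `search` would keep the bound independent of offset handling.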
diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
index cfc93c30e5..6054281568 100644
--- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Denied MFA Requests For User
id: d0895c20-de71-4fd2-b56c-3fcdb888eba1
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ denied more than 9 MFA requests in a timespan of 10 minutes.
risk_objects:
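Review bot: The two new offset values have different YAML types (`7d` string, `0` integer) where the previous pair were both strings. Quoting `latest_offset: '0'` keeps them uniform and sidesteps any strict typing in the content build. The removal of `starthoursago=168` is fine only if the runner applies `7d` as a backward-looking bound, which this hunk cannot confirm.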
diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
index 0816210947..ee88cd0d3a 100644
--- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Failed MFA Requests For User
id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to complete MFA authentication more than 9 times in a timespan of 10 minutes.
risk_objects:
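Review bot: The search no longer bounds itself, so the "last 7 days" window depends on `earliest_offset: 7d` being understood as seven days before the event; if the consumer expects `-7d` or a seconds count, the drilldown silently changes scope. Since the file shows no prior use of a literal relative-time offset, it would be worth either documenting the accepted format or adding `| where _time >= relative_time(now(), "-7d")` so the SPL is correct on its own.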
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
index 370860f351..308f9dcc40 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Service Principals Created by SP
id: 66cb378f-234d-4fe1-bb4c-e7878ff6b017
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Add service principal
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple OAuth applications were created by $src_user$ in a short period of time
risk_objects:
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
index dfb66929ad..3d63c655f8 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Service Principals Created by User
id: 32880707-f512-414e-bd7f-204c0c85b758
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Add service principal
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple OAuth applications were created by $src_user$ in a short period of time
risk_objects:
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index adeb26491e..01fbb22db8 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: Azure AD Multiple Users Failing To Authenticate From Ip
id: 94481a6a-8f59-4c86-957f-55a71e3612a6
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Source Ip $src$ failed to authenticate with 30 users within 5 minutes.
risk_objects:
diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml
index 344be2cba9..217aab4398 100644
--- a/detections/cloud/azure_ad_new_custom_domain_added.yml
+++ b/detections/cloud/azure_ad_new_custom_domain_added.yml
@@ -1,7 +1,7 @@
name: Azure AD New Custom Domain Added
id: 30c47f45-dd6a-4720-9963-0bca6c8686ef
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new custom domain, $domain$ , was added by $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml
index 01001880a9..9ab4dd64e7 100644
--- a/detections/cloud/azure_ad_new_federated_domain_added.yml
+++ b/detections/cloud/azure_ad_new_federated_domain_added.yml
@@ -1,7 +1,7 @@
name: Azure AD New Federated Domain Added
id: a87cd633-076d-4ab2-9047-977751a3c1a0
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new federated domain, $domain$ , was added by $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml
index 6a5d2b9797..88b6e7b7bd 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml
@@ -1,7 +1,7 @@
name: Azure AD New MFA Method Registered
id: 0488e814-eb81-42c3-9f1f-b2244973e3a3
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new MFA method was registered for user $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
index 4753ff3424..de0bbd54f8 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
name: Azure AD New MFA Method Registered For User
id: 2628b087-4189-403f-9044-87403f777a1b
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new MFA method was registered for user $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
index c76f0713d8..e1050017d2 100644
--- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
+++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
@@ -1,7 +1,7 @@
name: Azure AD OAuth Application Consent Granted By User
id: 10ec9031-015b-4617-b453-c0c1ab729007
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ consented an OAuth application.
risk_objects:
diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index e780460d45..6fcaac99a2 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD PIM Role Assigned
id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 12
-date: '2026-03-13'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An Azure AD PIM role assignment was assiged to $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
index 8e3faa6a59..f959ef21b6 100644
--- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml
+++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
@@ -1,7 +1,7 @@
name: Azure AD PIM Role Assignment Activated
id: 952e80d0-e343-439b-83f4-808c3e6fbf2e
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An Azure AD PIM role assignment was activated by $initiatedBy$ by $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index 303e031685..dea882bc5f 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD Privileged Authentication Administrator Role Assigned
id: a7da845d-6fae-41cf-b823-6c0b8c55814a
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$
risk_objects:
diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
index 84fd6d2cb6..9492cf9c79 100644
--- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD Privileged Graph API Permission Assigned
id: 5521f8c5-1aa3-473c-9eb7-853701924a06
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ assigned privileged Graph API permissions to $Permissions$
risk_objects:
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 58e967472c..361a904be1 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -1,7 +1,7 @@
name: Azure AD Privileged Role Assigned
id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$
risk_objects:
diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
index 0733bf7ed7..a255859a78 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
@@ -1,7 +1,7 @@
name: Azure AD Privileged Role Assigned to Service Principal
id: 5dfaa3d3-e2e4-4053-8252-16d9ee528c41
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$initiatedBy$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$initiatedBy$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$initiatedBy$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A privileged Azure AD role was assigned to the Service Principal $displayName$ initiated by $initiatedBy$
risk_objects:
diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml
index 83893566a9..4a2f4e7b33 100644
--- a/detections/cloud/azure_ad_service_principal_authentication.yml
+++ b/detections/cloud/azure_ad_service_principal_authentication.yml
@@ -1,7 +1,7 @@
name: Azure AD Service Principal Authentication
id: 5a2ec401-60bb-474e-b936-1e66e7aa4060
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Sign-in activity
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service Principal $user$ authenticated from $src$
risk_objects:
diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml
index 8d5eb915d7..812cb0251f 100644
--- a/detections/cloud/azure_ad_service_principal_created.yml
+++ b/detections/cloud/azure_ad_service_principal_created.yml
@@ -1,7 +1,7 @@
name: Azure AD Service Principal Created
id: f8ba49e7-ffd3-4b53-8f61-e73974583c5d
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$displayName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service Principal named $displayName$ created by $user$
risk_objects:
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index babf8bafb1..16850cce7b 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -1,7 +1,7 @@
name: Azure AD Service Principal Enumeration
id: 3f0647ce-add5-4436-8039-cbd1abe74563
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
data_source:
- Azure Active Directory MicrosoftGraphActivityLogs
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $spn_count$ Service Principals have been enumerated by $user_id$ from IP $src$
risk_objects:
diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
index 1f2a04f350..82606a9a54 100644
--- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
+++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
@@ -1,7 +1,7 @@
name: Azure AD Service Principal New Client Credentials
id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: New credentials added for Service Principal by $user$
risk_objects:
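Review bot: The new `latest_offset: 0` is an unquoted YAML integer while `earliest_offset: 7d` on the line above is a string, so the two offsets load with different types and any loader or schema that expects a string for both will either coerce silently or reject one of them; quoting both, `earliest_offset: '7d'` and `latest_offset: '0'`, keeps them consistent with the quoted `date:` value in the same file and with the `$info_min_time$`/`$info_max_time$` strings of the first drilldown. Replacing `starthoursago=168` with an offset also changes what "the last 7 days" in the drilldown name refers to: `starthoursago` counted back from the moment the analyst ran the drilldown, whereas `earliest_offset` — judging from the `$info_min_time$` convention used by the neighbouring drilldown — is presumably applied relative to the notable's own event time, so a notable reviewed several days after it fired now shows a window that ends at the event rather than at "now". If the event-anchored window is intended, reword the name (e.g. "View risk events in the 7 days before this event") so analysts are not misled about the time range they are looking at. Both points apply identically to the same drilldown hunk in every other file section in this chunk, from azure_ad_service_principal_enumeration.yml through cloud_api_calls_from_previously_unseen_user_roles.yml.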
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 7485337760..971220c13f 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -1,7 +1,7 @@
name: Azure AD Service Principal Owner Added
id: 7ddf2084-6cf3-4a44-be83-474f7b73c701
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$displayName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$displayName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new owner was added for service principal $displayName$ by $initiatedBy$
risk_objects:
diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
index 38eb99215d..d51e204cda 100644
--- a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
+++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Azure AD Service Principal Privilege Escalation
id: 29eb39d3-2bc8-49cc-99b3-35593191a588
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
data_source:
- Azure Active Directory Add app role assignment to service principal
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$servicePrincipal$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$
risk_objects:
diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
index c544ba4d7d..7a074d37c6 100644
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
+++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
@@ -1,7 +1,7 @@
name: Azure AD Successful Authentication From Different Ips
id: be6d868d-33b6-4aaa-912e-724fb555b11a
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes.
risk_objects:
diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml
index e89864632e..613d0ab61d 100644
--- a/detections/cloud/azure_ad_successful_powershell_authentication.yml
+++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml
@@ -1,7 +1,7 @@
name: Azure AD Successful PowerShell Authentication
id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Successful authentication for user $user$ using PowerShell.
risk_objects:
diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
index 7ddbcdd173..7a7114d899 100644
--- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml
+++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
name: Azure AD Successful Single-Factor Authentication
id: a560e7f6-1711-4353-885b-40be53101fcd
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Successful authentication for user $user$ without MFA
risk_objects:
diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
index 16d2bef3f1..ffa31b350e 100644
--- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
@@ -1,7 +1,7 @@
name: Azure AD Tenant Wide Admin Consent Granted
id: dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Administrator $user$ consented an OAuth application for the tenant.
risk_objects:
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index 0100adaf5c..4fa0c17d5c 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: Azure AD Unusual Number of Failed Authentications From Ip
id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$userPrincipalName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userPrincipalName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userPrincipalName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Password Spraying attack against Azure AD from source ip $src$
risk_objects:
diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
index fe909f9396..0afecd57b6 100644
--- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
@@ -1,7 +1,7 @@
name: Azure AD User Consent Blocked for Risky Application
id: 06b8ec9a-d3b5-4882-8f16-04b4d10f5eab
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Azure AD has blocked $user$ attempt to grant to consent to an application deemed risky.
risk_objects:
diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
index 3a714dbfa8..e2147ab230 100644
--- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
@@ -1,7 +1,7 @@
name: Azure AD User Consent Denied for OAuth Application
id: bb093c30-d860-4858-a56e-cd0895d5b49c
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ denied consent for an OAuth application.
risk_objects:
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index 0795d12a3d..596204c149 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -1,7 +1,7 @@
name: Azure AD User Enabled And Password Reset
id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$
risk_objects:
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index f11946ea0f..2d7e2ec09d 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -1,7 +1,7 @@
name: Azure AD User ImmutableId Attribute Updated
id: 0c0badad-4536-4a84-a561-5ff760f3c00e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$
risk_objects:
diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml
index 009bce4be6..3af017b2d9 100644
--- a/detections/cloud/azure_automation_account_created.yml
+++ b/detections/cloud/azure_automation_account_created.yml
@@ -1,7 +1,7 @@
name: Azure Automation Account Created
id: 860902fd-2e76-46b3-b050-ba548dab576c
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Brian Serocki, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new Azure Automation account $object$ was created by $user$
risk_objects:
diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml
index cbc7f5476b..b664307075 100644
--- a/detections/cloud/azure_automation_runbook_created.yml
+++ b/detections/cloud/azure_automation_runbook_created.yml
@@ -1,7 +1,7 @@
name: Azure Automation Runbook Created
id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Brian Serocki, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new Azure Automation Runbook $object$ was created by $user$
risk_objects:
diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml
index 5780bbaa23..d2630b8e57 100644
--- a/detections/cloud/azure_runbook_webhook_created.yml
+++ b/detections/cloud/azure_runbook_webhook_created.yml
@@ -1,7 +1,7 @@
name: Azure Runbook Webhook Created
id: e98944a9-92e4-443c-81b8-a322e33ce75a
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Brian Serocki, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new Azure Runbook Webhook $object$ was created by $user$
risk_objects:
diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml
index 964576e891..6a7758f340 100644
--- a/detections/cloud/circle_ci_disable_security_job.yml
+++ b/detections/cloud/circle_ci_disable_security_job.yml
@@ -1,7 +1,7 @@
name: Circle CI Disable Security Job
id: 4a2fdd41-c578-4cd4-9ef7-980e352517f2
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$
risk_objects:
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
index 405c5fbd22..cf9a9c0264 100644
--- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
+++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -1,7 +1,7 @@
name: Cloud API Calls From Previously Unseen User Roles
id: 2181ad1f-1e73-4d0c-9780-e8880482a08f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ of type AssumedRole attempting to execute new API calls $command$ that have not been seen before
risk_objects:
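Review bot: `latest_offset: 0` is parsed by YAML as an integer while `earliest_offset: 7d` is a string, so the two offsets of this drilldown reach the content tooling with different types; the preceding drilldown uses quoted-looking `$info_min_time$`/`$info_max_time$` tokens, both strings. Quoting both values, `earliest_offset: '7d'` and `latest_offset: '0'`, removes the mismatch. Also note `7d` has no explicit sign — if the field is treated as a Splunk relative-time modifier, `-7d` states "7 days back" unambiguously, which matters now that the inline `starthoursago=168` bound has been dropped.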
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
index b628b013ac..1a2fd52741 100644
--- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created By Previously Unseen User
id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is creating a new instance $dest$ for the first time
risk_objects:
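Review bot: The new `earliest_offset: 7d` / `latest_offset: 0` pair mixes a YAML string with a bare integer, unlike the `$info_min_time$`/`$info_max_time$` pair on the drilldown above, which is string-typed on both sides. Quote both (`earliest_offset: '7d'`, `latest_offset: '0'`) so the consumer's schema sees consistent scalar types. The unsigned `7d` is also ambiguous if ES reads it as a relative-time modifier; `-7d` would pin the "last 7 days" window that the search no longer enforces itself after `starthoursago=168` was removed.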
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
index 658ac94497..666e545c4c 100644
--- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
+++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created In Previously Unused Region
id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is creating an instance $dest$ in a new region for the first time
risk_objects:
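Review bot: With `starthoursago=168` removed from the search, the 7-day window now rests entirely on `earliest_offset: 7d`, which is unsigned — if the offset is interpreted as a Splunk relative-time modifier, `-7d` would express "7 days before" without relying on a default sign. In addition, `7d` is a YAML string but the bare `0` in `latest_offset` is an integer, so the two sibling fields differ in type from each other and from the string tokens on the previous drilldown. Quoting both, `earliest_offset: '7d'` and `latest_offset: '0'`, keeps the types uniform.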
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
index e8139feaa5..0f41df03f7 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created With Previously Unseen Image
id: bc24922d-987c-4645-b288-f8c73ec194c4
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is creating an instance $dest$ with an image that has not been previously seen.
risk_objects:
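Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` is a string, so this drilldown's two offsets have inconsistent YAML types, whereas the `$info_min_time$`/`$info_max_time$` pair above is uniformly string-typed. Prefer `earliest_offset: '7d'` and `latest_offset: '0'`. If ES applies these as relative-time modifiers, an explicit `-7d` also avoids any ambiguity about direction now that the search no longer carries its own `starthoursago=168` bound.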
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
index 2fb994226d..42ad5ca5b3 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -1,7 +1,7 @@
name: Cloud Compute Instance Created With Previously Unseen Instance Type
id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda
-version: 9
-date: '2026-03-25'
+version: 10
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.
risk_objects:
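Review bot: The replacement offsets are typed inconsistently: YAML reads `7d` as a string and the bare `0` as an integer, while the preceding drilldown's `$info_min_time$`/`$info_max_time$` are both strings. Quote both values, `earliest_offset: '7d'` and `latest_offset: '0'`, so the content schema receives one scalar type. The unsigned `7d` is worth a second look too — `-7d` would unambiguously mean "7 days back" if ES treats the field as a relative-time modifier, and this drilldown has no other 7-day bound after `starthoursago=168` was removed.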
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
index 66ac30ba92..edc7a63b7e 100644
--- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
name: Cloud Instance Modified By Previously Unseen User
id: 7fb15084-b14e-405a-bd61-a6de15a40722
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is modifying an instance $object_id$ for the first time.
risk_objects:
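Review bot: `earliest_offset: 7d` and `latest_offset: 0` differ in YAML scalar type (string versus integer), unlike the string-typed `$info_min_time$`/`$info_max_time$` tokens on the drilldown above. Quote both — `earliest_offset: '7d'`, `latest_offset: '0'` — to keep the pair uniform. Because `starthoursago=168` has been dropped from the search, the window now depends solely on this offset; if ES reads it as a relative-time modifier, the signed form `-7d` states the "last 7 days" direction explicitly.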
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
index 286f1952e1..55eb3f2fc6 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
@@ -1,7 +1,7 @@
name: Cloud Provisioning Activity From Previously Unseen City
id: e7ecc5e0-88df-48b9-91af-51104c68f02f
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rico Valdez, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is starting or creating an instance $object$ for the first time in City $City$ from IP address $src$
risk_objects:
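Review bot: The new `latest_offset: 0` is parsed as a YAML integer while `earliest_offset: 7d` is a string, so the two offsets of this drilldown no longer share a type, and they differ from the string tokens `$info_min_time$`/`$info_max_time$` used on the previous drilldown. Quoting both as `earliest_offset: '7d'` and `latest_offset: '0'` resolves that. Also, `7d` has no sign; if the offset is evaluated as a Splunk relative-time modifier, `-7d` removes any reliance on a default direction now that the search itself no longer includes `starthoursago=168`.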
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
index 2b6ced2ac7..2945023715 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
@@ -1,7 +1,7 @@
name: Cloud Provisioning Activity From Previously Unseen Country
id: 94994255-3acf-4213-9b3f-0494df03bb31
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rico Valdez, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is starting or creating an instance $object$ for the first time in Country $Country$ from IP address $src$
risk_objects:
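Review bot: `earliest_offset: 7d` is a YAML string but `latest_offset: 0` is a bare integer, giving the two sibling offsets different types while the `$info_min_time$`/`$info_max_time$` pair above is consistently string-typed. Prefer `earliest_offset: '7d'` and `latest_offset: '0'`. The unsigned `7d` also deserves confirmation: with `starthoursago=168` gone from the search, this offset is the only 7-day bound, and `-7d` would state "7 days before" explicitly if ES reads it as a relative-time modifier.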
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
index 81e4fda193..98e89566cc 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
@@ -1,7 +1,7 @@
name: Cloud Provisioning Activity From Previously Unseen IP Address
id: f86a8ec9-b042-45eb-92f4-e9ed1d781078
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$object_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is starting or creating an instance $object_id$ for the first time from IP address $src$
risk_objects:
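Review bot: The two new offset values are typed differently by YAML — `7d` becomes a string, the bare `0` an integer — whereas the neighbouring drilldown's `$info_min_time$`/`$info_max_time$` are both strings. Quote both, `earliest_offset: '7d'` and `latest_offset: '0'`, so the schema sees a uniform type. Since the inline `starthoursago=168` was removed, the 7-day window rests on `7d` alone; if ES applies it as a relative-time modifier, writing `-7d` makes the backward direction explicit rather than assumed.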
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
index 3122ed6917..2cc2043f36 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
@@ -1,7 +1,7 @@
name: Cloud Provisioning Activity From Previously Unseen Region
id: 5aba1860-9617-4af9-b19d-aecac16fe4f2
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rico Valdez, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ is starting or creating an instance $object$ for the first time in region $Region$ from IP address $src$
risk_objects:
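Review bot: `latest_offset: 0` is an unquoted YAML integer while `earliest_offset: 7d` is a string, so the pair is inconsistently typed compared with the string-typed `$info_min_time$`/`$info_max_time$` tokens of the drilldown above. Use `earliest_offset: '7d'` and `latest_offset: '0'`. Separately, the unsigned `7d` should be checked against how ES evaluates drilldown offsets — `-7d` would be unambiguous if it is a relative-time modifier, and nothing else bounds the search to 7 days now that `starthoursago=168` is gone.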
diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml
index 875493530e..84373d58ff 100644
--- a/detections/cloud/cloud_security_groups_modifications_by_user.yml
+++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml
@@ -1,7 +1,7 @@
name: Cloud Security Groups Modifications by User
id: cfe7cca7-2746-4bdf-b712-b01ed819b9de
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- AWS CloudTrail
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Unsual number cloud security group modifications detected by user - $user$
risk_objects:
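Review bot: The replacement offsets mix YAML types: `7d` is a string and the bare `0` is an integer, unlike the two string tokens `$info_min_time$`/`$info_max_time$` on the preceding drilldown. Quote both, `earliest_offset: '7d'` and `latest_offset: '0'`, so the content schema gets one scalar type. If ES treats the field as a Splunk relative-time modifier, the unsigned `7d` is also less explicit than `-7d` about pointing backwards, which matters now that `starthoursago=168` has been removed from the search. Unrelated but adjacent: the rba message reads `Unsual number cloud security group modifications` and looks like it should be `Unusual number of cloud security group modifications`.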
diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml
index e8c230a39a..994c71dc4b 100644
--- a/detections/cloud/detect_new_open_s3_buckets.yml
+++ b/detections/cloud/detect_new_open_s3_buckets.yml
@@ -1,7 +1,7 @@
name: Detect New Open S3 buckets
id: 2a9b80d3-6340-4345-b5ad-290bf3d0dac4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_arn$" and "$bucketName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$bucketName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$", "$bucketName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user_arn$ has created an open/public bucket $bucketName$ with the following permissions $permission$
risk_objects:
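Review bot: `earliest_offset: 7d` and `latest_offset: 0` are parsed as a string and an integer respectively, so the two offsets of this drilldown differ in type from each other and from the string-typed `$info_min_time$`/`$info_max_time$` pair above. Quoting both — `earliest_offset: '7d'`, `latest_offset: '0'` — keeps them uniform. Also confirm the unsigned `7d`: with `starthoursago=168` dropped, it is the only thing defining "last 7 days", and `-7d` would express the backward offset explicitly if ES reads it as a relative-time modifier.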
diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
index 04d26cbdd3..b585685922 100644
--- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
+++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
@@ -1,7 +1,7 @@
name: Detect New Open S3 Buckets over AWS CLI
id: 39c61d09-8b30-4154-922b-2d0a694ecc22
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has created an open/public bucket $bucketName$ using AWS CLI with the following permissions - $requestParameters.accessControlList.x-amz-grant-read$ $requestParameters.accessControlList.x-amz-grant-read-acp$ $requestParameters.accessControlList.x-amz-grant-write$ $requestParameters.accessControlList.x-amz-grant-write-acp$ $requestParameters.accessControlList.x-amz-grant-full-control$
risk_objects:
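Review bot: The bare `0` in `latest_offset` is read by YAML as an integer while `earliest_offset: 7d` is a string, which leaves this drilldown's offsets inconsistently typed next to the string tokens `$info_min_time$`/`$info_max_time$` used on the drilldown above. Prefer `earliest_offset: '7d'` and `latest_offset: '0'`. The unsigned `7d` should also be verified against ES's offset semantics — `-7d` is the unambiguous "7 days back" form if it is a relative-time modifier — because the search no longer carries its own `starthoursago=168` bound.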
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
index 5f8c1550f0..127c383968 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
@@ -1,7 +1,7 @@
name: Detect Spike in AWS Security Hub Alerts for EC2 Instance
id: 2a9b80d3-6340-4345-b5ad-290bf5d0d222
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Spike in AWS security Hub alerts with title $Title$ for EC2 instance $dest$
risk_objects:
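Review bot: `earliest_offset: 7d` is a YAML string but `latest_offset: 0` is a bare integer, so the new pair is typed inconsistently, unlike the string-typed `$info_min_time$`/`$info_max_time$` on the preceding drilldown. Quote both values, `earliest_offset: '7d'` and `latest_offset: '0'`. Now that `starthoursago=168` is gone from the search, `7d` alone defines the window; if ES interprets it as a relative-time modifier, `-7d` states the backward direction explicitly instead of relying on a default.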
diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
index 587d27f529..60ed2b21c0 100644
--- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
name: GCP Authentication Failed During MFA Challenge
id: 345f7e1d-a3fe-4158-abd8-e630f9878323
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to pass MFA challenge
risk_objects:
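Review bot: The two new offsets have different YAML scalar types — `7d` is a string, the unquoted `0` an integer — whereas the `$info_min_time$`/`$info_max_time$` pair on the drilldown above is consistently string-typed. Use `earliest_offset: '7d'` and `latest_offset: '0'` so the schema receives a single type. With `starthoursago=168` removed from the search, the 7-day window rests only on this offset, so it is worth confirming that an unsigned `7d` is read as "7 days before" by ES; `-7d` would make that explicit.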
diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
index a1cb5858fb..64aabfee13 100644
--- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
name: GCP Multi-Factor Authentication Disabled
id: b9bc5513-6fc1-4821-85a3-e1d81e451c83
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: MFA disabled for User $user$ initiated by $actor.email$
risk_objects:
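Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` is a string, so the two offsets of this drilldown no longer share a YAML type, and they differ from the string tokens `$info_min_time$`/`$info_max_time$` used on the previous drilldown. Quoting both, `earliest_offset: '7d'` and `latest_offset: '0'`, resolves that. The unsigned `7d` is also the sole 7-day bound now that `starthoursago=168` was dropped; if ES applies it as a relative-time modifier, `-7d` is the unambiguous form.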
diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
index a6e2f115f5..d03e3ae914 100644
--- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: GCP Multiple Failed MFA Requests For User
id: cbb3cb84-c06f-4393-adcc-5cb6195621f1
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple Failed MFA requests for user $user$
risk_objects:
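Review bot: The replacement window `earliest_offset: 7d` / `latest_offset: 0` is ambiguous in two ways the removed `starthoursago=168` clause was not. First, `7d` carries no sign: if the consumer applies Splunk relative-time semantics to the offset, an unsigned value reads as forward from the reference time and the drilldown would return nothing, so confirm whether `-7d` is the intended form. Second, `0` parses as a YAML integer while `7d` parses as a string, so a schema that types both offsets as strings may reject the entry; quoting it as `latest_offset: '0'` keeps the two fields the same type. Every other file section in this chunk (gcp_multiple_users_failing_to_authenticate_from_ip through github_organizations_delete_branch_ruleset) makes the identical change, so the same check applies there.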
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
index cc73159c09..a27780d86d 100644
--- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: GCP Multiple Users Failing To Authenticate From Ip
id: da20828e-d6fb-4ee5-afb7-d0ac200923d5
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$tried_accounts$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Multiple failed login attempts (Count: $unique_accounts$) against users seen from $src$'
risk_objects:
diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml
index f59dba0cdd..a3de1edbef 100644
--- a/detections/cloud/gcp_successful_single_factor_authentication.yml
+++ b/detections/cloud/gcp_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
name: GCP Successful Single-Factor Authentication
id: 40e17d88-87da-414e-b253-8dc1e4f9555b
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Successful authentication for user $user$ without MFA
risk_objects:
diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
index fec44283d2..2256be6be8 100644
--- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
name: GCP Unusual Number of Failed Authentications From Ip
id: bd8097ed-958a-4873-87d9-44f2b4d85705
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$tried_accounts$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'Unusual number of failed console login attempts (Count: $unique_accounts$) against users from IP Address - $src$'
risk_objects:
diff --git a/detections/cloud/geographic_improbable_location.yml b/detections/cloud/geographic_improbable_location.yml
index 84a25a0d39..8e529b20d6 100644
--- a/detections/cloud/geographic_improbable_location.yml
+++ b/detections/cloud/geographic_improbable_location.yml
@@ -1,7 +1,7 @@
name: Geographic Improbable Location
id: 64f91df1-49ec-46aa-81bd-2282d3cea765
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Marissa Bower, Raven Tait
status: experimental
type: Anomaly
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Improbable travel speed between locations observed for $user$.
risk_objects:
diff --git a/detections/cloud/github_enterprise_delete_branch_ruleset.yml b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
index bd4524a14d..92a6535aa3 100644
--- a/detections/cloud/github_enterprise_delete_branch_ruleset.yml
+++ b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Delete Branch Ruleset
id: 6169ea23-3719-439f-957a-0ea5174b70e2
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ deleted a branch ruleset in repo $repo$
risk_objects:
diff --git a/detections/cloud/github_enterprise_disable_2fa_requirement.yml b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
index b0d20bfaa9..a30eb308c5 100644
--- a/detections/cloud/github_enterprise_disable_2fa_requirement.yml
+++ b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Disable 2FA Requirement
id: 5a773226-ebd7-480c-a819-fccacfeddcd9
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ disabled 2FA requirement
risk_objects:
diff --git a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
index 654f14fbca..854da85499 100644
--- a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Disable Audit Log Event Stream
id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Audit log event streaming is disabled by $user$
risk_objects:
diff --git a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
index bc73fb06dc..0c091a3141 100644
--- a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
+++ b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Disable Classic Branch Protection Rule
id: 372176ba-450c-4abd-9b86-419bb44c1b76
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ disabled a classic branch protection rule in repo $repo$
risk_objects:
diff --git a/detections/cloud/github_enterprise_disable_dependabot.yml b/detections/cloud/github_enterprise_disable_dependabot.yml
index a1fe336746..9a8d8152e3 100644
--- a/detections/cloud/github_enterprise_disable_dependabot.yml
+++ b/detections/cloud/github_enterprise_disable_dependabot.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Disable Dependabot
id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Dependabot security features are disabled in repository $repo$ by $user$
risk_objects:
diff --git a/detections/cloud/github_enterprise_disable_ip_allow_list.yml b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
index 1f9f24dd9b..4de117ae55 100644
--- a/detections/cloud/github_enterprise_disable_ip_allow_list.yml
+++ b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Disable IP Allow List
id: afed020e-edcd-4913-a675-cebedf81d4fb
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ disabled an IP allow list in GitHub Enterprise
risk_objects:
diff --git a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
index f7d6086a6a..f172ea981c 100644
--- a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Modify Audit Log Event Stream
id: 99abf2e1-863c-4ec6-82f8-714391590a4c
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Audit log event streaming is modified by $user$
risk_objects:
diff --git a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
index ff624c85d3..4b303e3b2c 100644
--- a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Pause Audit Log Event Stream
id: 21083dcb-276d-4ef9-8f7e-2113ca5e8094
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Audit log event streaming is paused by $user$
risk_objects:
diff --git a/detections/cloud/github_enterprise_register_self_hosted_runner.yml b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
index 67083a8519..2cc8f88b0d 100644
--- a/detections/cloud/github_enterprise_register_self_hosted_runner.yml
+++ b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Register Self Hosted Runner
id: b27685a2-8826-4123-ab78-2d9d0d419ed0
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ created a self-hosted runner in GitHub Enterprise
risk_objects:
diff --git a/detections/cloud/github_enterprise_remove_organization.yml b/detections/cloud/github_enterprise_remove_organization.yml
index ecc34fe222..ae83a06c00 100644
--- a/detections/cloud/github_enterprise_remove_organization.yml
+++ b/detections/cloud/github_enterprise_remove_organization.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Remove Organization
id: 94cb89aa-aec1-4585-91b1-affcdacf357e
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ removed an organization from GitHub Enterprise
risk_objects:
diff --git a/detections/cloud/github_enterprise_repository_archived.yml b/detections/cloud/github_enterprise_repository_archived.yml
index 01fd099f4e..e723ae0d92 100644
--- a/detections/cloud/github_enterprise_repository_archived.yml
+++ b/detections/cloud/github_enterprise_repository_archived.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Repository Archived
id: 8367cb99-bae1-4748-ae3b-0927bb381424
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ archived a repository in GitHub Enterprise
risk_objects:
diff --git a/detections/cloud/github_enterprise_repository_deleted.yml b/detections/cloud/github_enterprise_repository_deleted.yml
index 1d7a3a2b96..f0af02eda1 100644
--- a/detections/cloud/github_enterprise_repository_deleted.yml
+++ b/detections/cloud/github_enterprise_repository_deleted.yml
@@ -1,7 +1,7 @@
name: GitHub Enterprise Repository Deleted
id: f709e736-3e6c-492f-b865-bc7696cc24a7
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ deleted a repository in GitHub Enterprise
risk_objects:
diff --git a/detections/cloud/github_organizations_delete_branch_ruleset.yml b/detections/cloud/github_organizations_delete_branch_ruleset.yml
index 049d630811..7d4d008454 100644
--- a/detections/cloud/github_organizations_delete_branch_ruleset.yml
+++ b/detections/cloud/github_organizations_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
name: GitHub Organizations Delete Branch Ruleset
id: 8e454f64-4bd6-45e6-8a94-1b482593d721
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ deleted a branch ruleset in repo $repo$
risk_objects:
diff --git a/detections/cloud/github_organizations_disable_2fa_requirement.yml b/detections/cloud/github_organizations_disable_2fa_requirement.yml
index c555e7014a..1100825a51 100644
--- a/detections/cloud/github_organizations_disable_2fa_requirement.yml
+++ b/detections/cloud/github_organizations_disable_2fa_requirement.yml
@@ -1,7 +1,7 @@
name: GitHub Organizations Disable 2FA Requirement
id: 3ed0d6ba-4791-4fa8-a1ef-403e438c7033
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ disabled 2FA requirement in GitHub Organizations
risk_objects:
diff --git a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
index 48c298b4c0..4b7da82e61 100644
--- a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
+++ b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
@@ -1,7 +1,7 @@
name: GitHub Organizations Disable Classic Branch Protection Rule
id: 33cffee0-41ee-402e-a238-d37825f2d788
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ disabled a classic branch protection rule in repo $repo$
risk_objects:
diff --git a/detections/cloud/github_organizations_disable_dependabot.yml b/detections/cloud/github_organizations_disable_dependabot.yml
index d8e790a4d5..aba3431928 100644
--- a/detections/cloud/github_organizations_disable_dependabot.yml
+++ b/detections/cloud/github_organizations_disable_dependabot.yml
@@ -1,7 +1,7 @@
name: GitHub Organizations Disable Dependabot
id: 69078d8c-0de6-45de-bb00-14e78e042fd6
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Dependabot security features are disabled in repository $repo$ by $user$
risk_objects:
diff --git a/detections/cloud/github_organizations_repository_archived.yml b/detections/cloud/github_organizations_repository_archived.yml
index f7a056b81a..75b58ee069 100644
--- a/detections/cloud/github_organizations_repository_archived.yml
+++ b/detections/cloud/github_organizations_repository_archived.yml
@@ -1,7 +1,7 @@
name: GitHub Organizations Repository Archived
id: 4f568a0e-896f-4d94-a2f7-fa6d82ab1f77
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ archived a repository in GitHub Organizations
risk_objects:
diff --git a/detections/cloud/github_organizations_repository_deleted.yml b/detections/cloud/github_organizations_repository_deleted.yml
index 471c4399e9..0e541cf68e 100644
--- a/detections/cloud/github_organizations_repository_deleted.yml
+++ b/detections/cloud/github_organizations_repository_deleted.yml
@@ -1,7 +1,7 @@
name: GitHub Organizations Repository Deleted
id: 9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ deleted a repository in GitHub Organizations
risk_objects:
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index 9387a97d19..d8425237c5 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -1,7 +1,7 @@
name: Gsuite Drive Share In External Email
id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: experimental
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious share gdrive from $user$ to $dst_email_list$ namely as $doc_title$
risk_objects:
diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml
index 6196d1ba0b..e2246bb4bd 100644
--- a/detections/cloud/gsuite_email_suspicious_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_attachment.yml
@@ -1,7 +1,7 @@
name: GSuite Email Suspicious Attachment
id: 6d663014-fe92-11eb-ab07-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$destination{}.address$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious email from $source.address$ to $destination{}.address$
risk_objects:
diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
index 3769f374d2..bc6d6f59aa 100644
--- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
@@ -1,7 +1,7 @@
name: Gsuite Email Suspicious Subject With Attachment
id: 8ef3971e-00f2-11ec-b54f-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$destination{}.address$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious email from $source.address$ to $destination{}.address$
risk_objects:
diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
index d3037dee21..20aa18bb52 100644
--- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
+++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
@@ -1,7 +1,7 @@
name: Gsuite Email With Known Abuse Web Service Link
id: 8630aa22-042b-11ec-af39-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$destination{}.address$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$destination{}.address$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious email from $source.address$ to $destination{}.address$
risk_objects:
diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml
index 0678eed5a6..9f1d2b52eb 100644
--- a/detections/cloud/gsuite_suspicious_shared_file_name.yml
+++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml
@@ -1,7 +1,7 @@
name: Gsuite Suspicious Shared File Name
id: 07eed200-03f5-11ec-98fb-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: experimental
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$email$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$email$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: suspicious share gdrive from $parameters.owner$ to $email$ namely as $parameters.doc_title$
risk_objects:
diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
index 32904adc01..6928fabed2 100644
--- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
+++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
@@ -1,7 +1,7 @@
name: High Number of Login Failures from a single source
id: 7f398cfb-918d-41f4-8db8-2e2474e02222
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute
risk_objects:
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
index fd0bf0bfe7..181eac52b9 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
@@ -1,7 +1,7 @@
name: Kubernetes Abuse of Secret by Unusual Location
id: 40a064c1-4ec1-4381-9e35-61192ba8ef82
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Access of Kubernetes secret $objectRef.name$ from unusual location $Country$ by $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
index b20b62659f..d948e5ef1b 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
@@ -1,7 +1,7 @@
name: Kubernetes Abuse of Secret by Unusual User Agent
id: 096ab390-05ca-462c-884e-343acd5b9240
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Access of Kubernetes secret $objectRef.name$ from unusual user agent $userAgent$ by $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
index 2c7df92a5d..93f8569432 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
@@ -1,7 +1,7 @@
name: Kubernetes Abuse of Secret by Unusual User Group
id: b6f45bbc-4ea9-4068-b3bc-0477f6997ae2
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Access of Kubernetes secret $objectRef.name$ from unusual user group $user.groups{}$ by user name $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
index 9883558b9d..83e1f796ed 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
@@ -1,7 +1,7 @@
name: Kubernetes Abuse of Secret by Unusual User Name
id: df6e9cae-5257-4a34-8f3a-df49fa0f5c46
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Access of Kubernetes secret $objectRef.name$ from unusual user name $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml
index 2a0c0a5f3c..0ecc84e7a9 100644
--- a/detections/cloud/kubernetes_access_scanning.yml
+++ b/detections/cloud/kubernetes_access_scanning.yml
@@ -1,7 +1,7 @@
name: Kubernetes Access Scanning
id: 2f4abe6d-5991-464d-8216-f90f42999764
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes scanning from ip $src_ip$
risk_objects:
diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
index 60de876267..835e28d69b 100644
--- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
+++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
@@ -1,7 +1,7 @@
name: Kubernetes Create or Update Privileged Pod
id: 3c6bd734-334d-4818-ae7c-5234313fc5da
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes privileged pod created by user $user$.
risk_objects:
diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml
index 67d1846857..5cdc481b5b 100644
--- a/detections/cloud/kubernetes_cron_job_creation.yml
+++ b/detections/cloud/kubernetes_cron_job_creation.yml
@@ -1,7 +1,7 @@
name: Kubernetes Cron Job Creation
id: 5984dbe8-572f-47d7-9251-3dff6c3f0c0d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes cron job creation from user $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml
index ff08144236..5ca0edf8d0 100644
--- a/detections/cloud/kubernetes_daemonset_deployed.yml
+++ b/detections/cloud/kubernetes_daemonset_deployed.yml
@@ -1,7 +1,7 @@
name: Kubernetes DaemonSet Deployed
id: bf39c3a3-b191-4d42-8738-9d9797bd0c3a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: DaemonSet deployed to Kubernetes by user $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml
index 919fbd2f66..000fa689a4 100644
--- a/detections/cloud/kubernetes_falco_shell_spawned.yml
+++ b/detections/cloud/kubernetes_falco_shell_spawned.yml
@@ -1,7 +1,7 @@
name: Kubernetes Falco Shell Spawned
id: d2feef92-d54a-4a19-8306-b47c6ceba5b2
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A shell is spawned in the container $container_name$ by user $user$.
risk_objects:
diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
index 6dfaca42e9..200defe366 100644
--- a/detections/cloud/kubernetes_nginx_ingress_lfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
@@ -1,7 +1,7 @@
name: Kubernetes Nginx Ingress LFI
id: 0f83244b-425b-4528-83db-7a88c5f66e48
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Local File Inclusion Attack detected on $host$
risk_objects:
diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
index 033dde1408..b247654ada 100644
--- a/detections/cloud/kubernetes_nginx_ingress_rfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
@@ -1,7 +1,7 @@
name: Kubernetes Nginx Ingress RFI
id: fc5531ae-62fd-4de6-9c36-b4afdae8ca95
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote File Inclusion Attack detected on $host$
risk_objects:
diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml
index f1cef2935c..de025e22e9 100644
--- a/detections/cloud/kubernetes_node_port_creation.yml
+++ b/detections/cloud/kubernetes_node_port_creation.yml
@@ -1,7 +1,7 @@
name: Kubernetes Node Port Creation
id: d7fc865e-b8a1-4029-a960-cf4403b821b6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes node port creation from user $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
index b6170f3d58..5cd5408e4f 100644
--- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
+++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
@@ -1,7 +1,7 @@
name: Kubernetes Pod Created in Default Namespace
id: 3d6b1a81-367b-42d5-a925-6ef90b6b9f1e
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes Pod Created in Default Namespace by $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
index 86561af95c..39d7c4fb3d 100644
--- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
+++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
@@ -1,7 +1,7 @@
name: Kubernetes Pod With Host Network Attachment
id: cce357cf-43a4-494a-814b-67cea90fe990
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes pod with host network attachment from user $user$.
risk_objects:
diff --git a/detections/cloud/kubernetes_scanner_image_pulling.yml b/detections/cloud/kubernetes_scanner_image_pulling.yml
index cba06ca731..6ff934455b 100644
--- a/detections/cloud/kubernetes_scanner_image_pulling.yml
+++ b/detections/cloud/kubernetes_scanner_image_pulling.yml
@@ -1,7 +1,7 @@
name: Kubernetes Scanner Image Pulling
id: 4890cd6b-0112-4974-a272-c5c153aee551
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes Scanner image pulled on host $host$
risk_objects:
diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
index f12496176b..482c046e40 100644
--- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
+++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
@@ -1,7 +1,7 @@
name: Kubernetes Scanning by Unauthenticated IP Address
id: f9cadf4e-df22-4f4e-a08f-9d3344c2165d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kubernetes scanning from ip $src_ip$
risk_objects:
diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml
index 454799096c..4d21df1f9a 100644
--- a/detections/cloud/kubernetes_suspicious_image_pulling.yml
+++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml
@@ -1,7 +1,7 @@
name: Kubernetes Suspicious Image Pulling
id: 4d3a17b3-0a6d-4ae0-9421-46623a69c122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious image $objectRef.name$ pulled in Kubernetes from ip $src_ip$ by user $user$
risk_objects:
diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml
index 9bf4b73b1f..517f26d646 100644
--- a/detections/cloud/kubernetes_unauthorized_access.yml
+++ b/detections/cloud/kubernetes_unauthorized_access.yml
@@ -1,7 +1,7 @@
name: Kubernetes Unauthorized Access
id: 9b5f1832-e8b9-453f-93df-07a3d6a72a45
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Unauthorized access to Kubernetes from user $user$
risk_objects:
diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
index 75416d9f9c..a5ed07e839 100644
--- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml
+++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
@@ -1,7 +1,7 @@
name: O365 Add App Role Assignment Grant User
id: b2c81cc6-6040-11eb-ae93-0242ac130002
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ added a new app role assignment
risk_objects:
diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml
index 70fbaf57e5..9093bcd350 100644
--- a/detections/cloud/o365_added_service_principal.yml
+++ b/detections/cloud/o365_added_service_principal.yml
@@ -1,7 +1,7 @@
name: O365 Added Service Principal
id: 1668812a-6047-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has created new service principal in AzureActiveDirectory
risk_objects:
diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
index e8b00f2071..9929a2c4fa 100644
--- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
@@ -1,7 +1,7 @@
name: O365 Admin Consent Bypassed by Service Principal
id: 8a1b22eb-50ce-4e26-a691-97ff52349569
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- O365 Add app role assignment to service principal.
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service principal $user$ bypassed the admin consent process and granted permissions to $dest_user$
risk_objects:
diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml
index e63f7a0f6b..ce29fd9b98 100644
--- a/detections/cloud/o365_advanced_audit_disabled.yml
+++ b/detections/cloud/o365_advanced_audit_disabled.yml
@@ -1,7 +1,7 @@
name: O365 Advanced Audit Disabled
id: 49862dd4-9cb2-4c48-a542-8c8a588d9361
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Advanced auditing for user $object$ was disabled by $user$
risk_objects:
diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml
index c8481e4dac..3faed3fc43 100644
--- a/detections/cloud/o365_application_available_to_other_tenants.yml
+++ b/detections/cloud/o365_application_available_to_other_tenants.yml
@@ -1,7 +1,7 @@
name: O365 Application Available To Other Tenants
id: 942548a3-0273-47a4-8dbd-e5202437395c
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An Azure Application [$object_name$] was configured by [$user$] as accessible to external tenants.
risk_objects:
diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml
index b6b071ce39..85dc4f929f 100644
--- a/detections/cloud/o365_application_registration_owner_added.yml
+++ b/detections/cloud/o365_application_registration_owner_added.yml
@@ -1,7 +1,7 @@
name: O365 Application Registration Owner Added
id: c068d53f-6aaa-4558-8011-3734df878266
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Application registration $app_displayName$ was assigned a new owner $object$
risk_objects:
diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
index 12790aeccd..4f663efee4 100644
--- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml
+++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
@@ -1,7 +1,7 @@
name: O365 ApplicationImpersonation Role Assigned
id: 49cdce75-f814-4d56-a7a4-c64ec3a481f2
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$target_user$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$target_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$target_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ granted the ApplicationImpersonation role to $target_user$
risk_objects:
diff --git a/detections/cloud/o365_bec_email_hiding_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml
index 83cad21dcf..c7e761269d 100644
--- a/detections/cloud/o365_bec_email_hiding_rule_created.yml
+++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml
@@ -1,7 +1,7 @@
name: O365 BEC Email Hiding Rule Created
id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: '0xC0FFEEEE, Github Community'
type: TTP
status: production
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $user$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential BEC mailbox rule - $Name$ was created by user - $user$
risk_objects:
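Review bot: The rewritten search keeps `endhoursago=1` even though `latest_offset: 0` now ends the window at the present, so this drilldown still drops the most recent hour of risk events, which is where the risk entry for the triggering inbox-rule notable most likely sits, while every sibling detection in this patch removed its in-search time modifier entirely. Dropping it, `| search normalized_risk_object="$user$" | stats count ...`, makes this file match the others and the "last 7 days" label. If excluding the last hour was deliberate (for example to avoid partially indexed risk events), a short `#` comment above the search stating that would keep the next mass edit from removing it. The drilldown_searches list this hunk edits begins outside the visible lines.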
diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
index 053bf68688..0973e11c1a 100644
--- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
@@ -1,7 +1,7 @@
name: O365 Block User Consent For Risky Apps Disabled
id: 12a23592-e3da-4344-8545-205d3290647c
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Risk-based step-up consent security setting was disabled by $user$
risk_objects:
diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
index dcc2e718b0..176dee2843 100644
--- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
+++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
@@ -1,7 +1,7 @@
name: O365 Bypass MFA via Trusted IP
id: c783dd98-c703-4252-9e8a-f19d9f66949e
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has added new IP addresses $ip_addresses_new_added$ to a list of trusted IPs to bypass MFA
risk_objects:
diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml
index d22f0d93b0..2362b9e0fe 100644
--- a/detections/cloud/o365_compliance_content_search_exported.yml
+++ b/detections/cloud/o365_compliance_content_search_exported.yml
@@ -1,7 +1,7 @@
name: O365 Compliance Content Search Exported
id: 2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new compliance content search export was started by $user$
risk_objects:
diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml
index f18caddca8..b0a4157285 100644
--- a/detections/cloud/o365_compliance_content_search_started.yml
+++ b/detections/cloud/o365_compliance_content_search_started.yml
@@ -1,7 +1,7 @@
name: O365 Compliance Content Search Started
id: f4cabbc7-c19a-4e41-8be5-98daeaccbb50
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new compliance content search was started by $user$
risk_objects:
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
index ffe46edf71..f2a3e7c3e0 100644
--- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
name: O365 Concurrent Sessions From Different Ips
id: 58e034de-1f87-4812-9dc3-a4f68c7db930
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has logged in with the same session id from more than one unique IP address
risk_objects:
diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml
index 571911c8fc..38e4cb9c7a 100644
--- a/detections/cloud/o365_cross_tenant_access_change.yml
+++ b/detections/cloud/o365_cross_tenant_access_change.yml
@@ -1,7 +1,7 @@
name: O365 Cross-Tenant Access Change
id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user [$user$] changed the Azure cross-tenant access settings
risk_objects:
diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml
index 32ee160d81..59d7450efa 100644
--- a/detections/cloud/o365_disable_mfa.yml
+++ b/detections/cloud/o365_disable_mfa.yml
@@ -1,7 +1,7 @@
name: O365 Disable MFA
id: c783dd98-c703-4252-9e8a-f19d9f5c949e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $src_user$ has executed an operation $signature$ for user $user$
risk_objects:
diff --git a/detections/cloud/o365_dlp_rule_triggered.yml b/detections/cloud/o365_dlp_rule_triggered.yml
index a9cc1c4d59..6d50cdc9ed 100644
--- a/detections/cloud/o365_dlp_rule_triggered.yml
+++ b/detections/cloud/o365_dlp_rule_triggered.yml
@@ -1,7 +1,7 @@
name: O365 DLP Rule Triggered
id: 63a8a537-36fd-4aac-a3ea-1a96afd2c871
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ triggered a Microsoft Office DLP rule.
risk_objects:
diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
index 3247997761..41e9c32c31 100644
--- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
+++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
@@ -1,7 +1,7 @@
name: O365 Elevated Mailbox Permission Assigned
id: 2246c142-a678-45f8-8546-aaed7e0efd30
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Mauricio Velazco, Splunk
data_source:
- O365 Add-MailboxPermission
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Elevated mailbox permissions were assigned on $dest_user$
risk_objects:
diff --git a/detections/cloud/o365_email_access_by_security_administrator.yml b/detections/cloud/o365_email_access_by_security_administrator.yml
index a4e9089e98..d6c72182fa 100644
--- a/detections/cloud/o365_email_access_by_security_administrator.yml
+++ b/detections/cloud/o365_email_access_by_security_administrator.yml
@@ -1,7 +1,7 @@
name: O365 Email Access By Security Administrator
id: c6998a30-fef4-4e89-97ac-3bb0123719b4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A security administrator $src_user$ accessed email messages for $user$
risk_objects:
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index 2fcb8ac6b3..081fbf8a53 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -1,7 +1,7 @@
name: O365 Email Hard Delete Excessive Volume
id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Email for $user$
search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
earliest_offset: $info_min_time$
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
index 3dec50f02d..de91953c0b 100644
--- a/detections/cloud/o365_email_new_inbox_rule_created.yml
+++ b/detections/cloud/o365_email_new_inbox_rule_created.yml
@@ -1,7 +1,7 @@
name: O365 Email New Inbox Rule Created
id: 449f525a-7b42-47be-96a7-d9724e336c19
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Inbox Rules for $user$
search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"'
earliest_offset: $info_min_time$
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
index c06c53cda4..0f080bf3c1 100644
--- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
+++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
@@ -1,7 +1,7 @@
name: O365 Email Password and Payroll Compromise Behavior
id: e36de71a-6bdc-4002-98ff-e3e51b0d8f96
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Email for $user$
search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"'
earliest_offset: $info_min_time$
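Review bot: `latest_offset: 0` is parsed by YAML as the integer 0 rather than the string `"0"`; the sibling keys (`earliest_offset: 7d`, the `$info_min_time$`/`$info_max_time$` pairs around it) are all strings, so this mixes types under one key across the file and may trip a string-typed schema — `latest_offset: '0'` avoids the ambiguity. Removing `starthoursago=168` also moves the only time bound out of the SPL; if the offsets are not applied in some execution context, the `| from datamodel Risk.All_Risk` search runs unbounded. Confirm that an unsigned `7d` is read as a lookback and not seven days forward from the notable's time.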
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
index 727b56437b..7936e6a8d7 100644
--- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
+++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
@@ -1,7 +1,7 @@
name: O365 Email Receive and Hard Delete Takeover Behavior
id: b66aeaa4-586f-428b-8a2b-c4fd3039d8d3
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Email for $user$
search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") AND RecipientAddress = "$user$"'
earliest_offset: $info_min_time$
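Review bot: The added `latest_offset: 0` is a bare YAML integer, unlike the string offsets used everywhere else in this block; quote it (`latest_offset: '0'`) so the value type is consistent with `earliest_offset: 7d` and the `$info_*_time$` tokens. Since the in-SPL `starthoursago=168` guard is gone, the search now depends on the offset fields for any time bound, and the drilldown title still advertises a 7-day window — verify the unsigned `7d` yields seven days before the event under the ES offset semantics, otherwise the `Risk.All_Risk` scan is unbounded.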
diff --git a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml
index bb859eb2d8..29ea72ed77 100644
--- a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml
+++ b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml
@@ -1,7 +1,7 @@
name: O365 Email Reported By Admin Found Malicious
id: 94396c3e-7728-422a-9956-e4b77b53dbdf
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: O365 security admin $user$ manually reported a suspicious email from $src_user$
risk_objects:
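Review bot: `latest_offset: 0` will be loaded as an integer, not a string, which is inconsistent with `earliest_offset: 7d` and the `$info_min_time$`/`$info_max_time$` pairs in the same list; if the drilldown schema types offsets as strings this is a coercion or validation surprise — use `latest_offset: '0'`. With `starthoursago=168` removed, the two-object search over `"$src_user$", "$user$"` has no time filter in SPL and relies wholly on the offsets being applied, so the "last 7 days" in the name is only true if an unsigned `7d` is interpreted as a lookback; please confirm.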
diff --git a/detections/cloud/o365_email_reported_by_user_found_malicious.yml b/detections/cloud/o365_email_reported_by_user_found_malicious.yml
index f7583cb2c7..c934927f6f 100644
--- a/detections/cloud/o365_email_reported_by_user_found_malicious.yml
+++ b/detections/cloud/o365_email_reported_by_user_found_malicious.yml
@@ -1,7 +1,7 @@
name: O365 Email Reported By User Found Malicious
id: 7698b945-238e-4bb9-b172-81f5ca1685a1
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $user$ reported an email classified from $src_user$
risk_objects:
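Review bot: The new `latest_offset: 0` is an unquoted integer while the rest of the offsets in this file are strings; quote it as `'0'` (or whatever explicit "now" form the schema defines) so the type does not vary across drilldowns. Dropping `starthoursago=168` leaves the `Risk.All_Risk` query with no in-search time bound, so the 7-day window advertised in the drilldown name now hinges on the offset semantics — confirm that `7d` without a sign means seven days before the notable time rather than after.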
diff --git a/detections/cloud/o365_email_security_feature_changed.yml b/detections/cloud/o365_email_security_feature_changed.yml
index 3fea46cc98..f99ebc7efc 100644
--- a/detections/cloud/o365_email_security_feature_changed.yml
+++ b/detections/cloud/o365_email_security_feature_changed.yml
@@ -1,7 +1,7 @@
name: O365 Email Security Feature Changed
id: 4d28013d-3a0f-4d65-a33f-4e8009fee0ae
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An O365 security object [$object$] was altered by user $user$ using $signature$
risk_objects:
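Review bot: `latest_offset: 0` is a bare integer in YAML, inconsistent with the string values (`7d`, `$info_min_time$`, `$info_max_time$`) used for the same keys elsewhere in this file; quoting it (`latest_offset: '0'`) keeps the schema input uniform. Because `starthoursago=168` was removed from the SPL, the risk-event drilldown is unbounded unless the offsets are honored, and "last 7 days" is only accurate if unsigned `7d` is read as a lookback — worth verifying against the ES offset contract.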
diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
index 245ee66c3f..4b14b91e87 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml
@@ -1,7 +1,7 @@
name: O365 Email Send and Hard Delete Exfiltration Behavior
id: dd7798cf-c4f5-4114-ad0f-beacd9a33708
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Email for $user$
search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
earliest_offset: $info_min_time$
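Review bot: The added `latest_offset: 0` is an unquoted integer while every neighbouring offset is a string; use `latest_offset: '0'` to avoid type drift in the drilldown schema. With `starthoursago=168` gone, the risk search has no SPL time bound and the 7-day window depends on an unsigned `7d` being treated as a lookback, which should be confirmed. Separately, the adjacent "Investigate Email" search on the context line reads `(Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN (...)) AND UserId = "$user$"`; if SPL gives AND precedence over OR, the `UserId` filter applies only to the HardDelete branch and the Send branch returns every user's events — wrapping the OR as `((Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))) AND UserId = "$user$"` would scope both.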
diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
index ec869ed87b..0b6d628ab3 100644
--- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
+++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml
@@ -1,7 +1,7 @@
name: O365 Email Send and Hard Delete Suspicious Behavior
id: c97b3d72-0a47-46f9-b742-b89f1cc2d551
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Email for $user$
search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$" AND "$subject$"'
earliest_offset: $info_min_time$
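Review bot: `latest_offset: 0` is parsed as a YAML integer, unlike the string offsets (`7d`, `$info_min_time$`) beside it; quote it as `'0'` for consistency with the schema's other values. Removing `starthoursago=168` shifts the only time bound to the offset fields, so please confirm an unsigned `7d` is a lookback, otherwise the `Risk.All_Risk` scan is unbounded. Also note the context-line "Investigate Email" search `(Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND ...) AND UserId = "$user$" AND "$subject$"` appears to bind `UserId`/`$subject$` only to the HardDelete branch if AND binds tighter than OR; parenthesising the whole OR before `AND UserId` would make the user scoping apply to both sides.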
diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
index 6d017ae798..a97c4d11fa 100644
--- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml
+++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml
@@ -1,7 +1,7 @@
name: O365 Email Send Attachments Excessive Volume
id: 70a050a2-8537-488a-a628-b60a9558d96a
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate Email for $user$
search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) AND Item.Attachments=* AND UserId = "$user$"'
earliest_offset: $info_min_time$
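Review bot: The new `latest_offset: 0` is a bare integer while `earliest_offset: 7d` and the surrounding `$info_*_time$` values are strings — quote it (`latest_offset: '0'`) so the offset keys carry one type file-wide. Since the SPL no longer contains `starthoursago=168`, the risk drilldown has no internal time filter; the advertised 7-day window holds only if the unsigned `7d` offset is interpreted as seven days before the event, which should be verified.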
diff --git a/detections/cloud/o365_email_suspicious_behavior_alert.yml b/detections/cloud/o365_email_suspicious_behavior_alert.yml
index 814cbf8dc6..7e68894b8e 100644
--- a/detections/cloud/o365_email_suspicious_behavior_alert.yml
+++ b/detections/cloud/o365_email_suspicious_behavior_alert.yml
@@ -1,7 +1,7 @@
name: O365 Email Suspicious Behavior Alert
id: 85c7555a-05af-4322-81aa-76b4ddf52baa
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $user$ triggered the O365 security alert [$signature$]
risk_objects:
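Review bot: `latest_offset: 0` is an unquoted YAML integer, inconsistent with the string-valued offsets in the same list; `latest_offset: '0'` keeps it a string like `7d` and `$info_max_time$`. With `starthoursago=168` removed, the `Risk.All_Risk` query itself is unbounded and the "last 7 days" in the drilldown name relies on the unsigned `7d` offset being read as a lookback — confirm this against how ES applies drilldown offsets.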
diff --git a/detections/cloud/o365_email_suspicious_search_behavior.yml b/detections/cloud/o365_email_suspicious_search_behavior.yml
index 364aacaa72..9d8af060b4 100644
--- a/detections/cloud/o365_email_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_email_suspicious_search_behavior.yml
@@ -1,7 +1,7 @@
name: O365 Email Suspicious Search Behavior
id: 3b6e1d36-6916-4eec-a7d5-bc98953ba595
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate search behavior by $user$
search: '`o365_management_activity` AND Operation=SearchQueryInitiatedExchange AND UserId = "$user$"'
earliest_offset: $info_min_time$
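Review bot: The added `latest_offset: 0` loads as an integer rather than the string the sibling offsets use (`7d`, `$info_min_time$`, `$info_max_time$`); quote it as `'0'` to avoid a type mismatch in the drilldown schema. Dropping `starthoursago=168` leaves no in-SPL time bound, so the 7-day promise depends entirely on the offsets being applied and on unsigned `7d` meaning seven days before the event — please verify.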
diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml
index e388e4a6d0..819f5e6d39 100644
--- a/detections/cloud/o365_email_transport_rule_changed.yml
+++ b/detections/cloud/o365_email_transport_rule_changed.yml
@@ -1,7 +1,7 @@
name: O365 Email Transport Rule Changed
id: 11ebb7c2-46bd-41c9-81e1-d0b4b34583a2
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate changes by $user$
search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*Transport*" UserId=$user$'
earliest_offset: $info_min_time$
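Review bot: `latest_offset: 0` is an unquoted integer while all other offsets in this file are strings; `latest_offset: '0'` keeps the type uniform. With `starthoursago=168` removed, the risk search has no time bound of its own, so the "last 7 days" label is only correct if unsigned `7d` is treated as a lookback by the offset handling. On the neighbouring context line, `UserId=$user$` is the only drilldown in this set that leaves the token unquoted — a user value with spaces or special characters would break the search, so `UserId="$user$"` would match the other files.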
diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml
index be724408ca..3f88b930f6 100644
--- a/detections/cloud/o365_excessive_authentication_failures_alert.yml
+++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml
@@ -1,7 +1,7 @@
name: O365 Excessive Authentication Failures Alert
id: d441364c-349c-453b-b55f-12eccab67cf9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has caused excessive number of authentication failures from $src$ using UserAgent $user_agent$.
risk_objects:
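Review bot: The new `latest_offset: 0` is a bare YAML integer, unlike `earliest_offset: 7d` and the `$info_*_time$` strings on the same keys; quote it (`latest_offset: '0'`) so the schema receives one type. Since `starthoursago=168` is gone from the SPL, the `Risk.All_Risk` drilldown is unbounded unless the offsets are honored, and the 7-day window assumes unsigned `7d` means seven days before the notable time — worth confirming.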
diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml
index 0694190028..e54746305b 100644
--- a/detections/cloud/o365_excessive_sso_logon_errors.yml
+++ b/detections/cloud/o365_excessive_sso_logon_errors.yml
@@ -1,7 +1,7 @@
name: O365 Excessive SSO logon errors
id: 8158ccc4-6038-11eb-ae93-0242ac130002
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive number of SSO logon errors from $src$ using UserAgent $user_agent$.
risk_objects:
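Review bot: `latest_offset: 0` is parsed as an integer while the other offsets in this file are strings; `latest_offset: '0'` avoids mixing types under one key. Removing `starthoursago=168` moves the only time bound out of the search body, so please confirm an unsigned `7d` is interpreted as a lookback — otherwise the risk-event drilldown either scans full retention or looks forward rather than back.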
diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml
index a6deeca5c9..d4a92d03e3 100644
--- a/detections/cloud/o365_exfiltration_via_file_access.yml
+++ b/detections/cloud/o365_exfiltration_via_file_access.yml
@@ -1,7 +1,7 @@
name: O365 Exfiltration via File Access
id: 80b44ae2-60ff-43f1-8e56-34beb49a340a
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate file access by $user$
search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
earliest_offset: $info_min_time$
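Review bot: The added `latest_offset: 0` is an unquoted integer, inconsistent with the string offsets (`7d`, `$info_min_time$`) beside it; quote it as `'0'`. With `starthoursago=168` dropped, the risk search has no SPL time bound and the 7-day window depends on unsigned `7d` being a lookback, which should be verified. Also on the context line, the "Investigate file access by $user$" drilldown filters on `UserId="$UserId$"` while its name uses `$user$`; if the detection only emits a `user` field, the `$UserId$` token will not resolve and the drilldown returns nothing or everything — `UserId="$user$"` looks like the intended token.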
diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml
index ea138603de..86459447fa 100644
--- a/detections/cloud/o365_exfiltration_via_file_download.yml
+++ b/detections/cloud/o365_exfiltration_via_file_download.yml
@@ -1,7 +1,7 @@
name: O365 Exfiltration via File Download
id: 06b23921-bfe2-4576-89dd-616f06e129da
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate file downloads by $user$
search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"'
earliest_offset: $info_min_time$
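Review bot: `latest_offset: 0` is a bare YAML integer while `earliest_offset: 7d` and the `$info_*_time$` values are strings; `latest_offset: '0'` keeps the offset type consistent. Since `starthoursago=168` was removed, the `Risk.All_Risk` query has no time filter of its own and relies on unsigned `7d` being read as seven days before the event — please confirm. The adjacent "Investigate file downloads" context line uses `UserId="$UserId$"` although the drilldown name and the risk search use `$user$`; if only `user` is produced by the detection, that token will be left unresolved and the search will not be scoped.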
diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml
index 8aa012e23c..ae0341e264 100644
--- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml
+++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml
@@ -1,7 +1,7 @@
name: O365 Exfiltration via File Sync Download
id: 350837b5-13d3-4c06-b688-db07afbe5050
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate file sync downloads by $user$
search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"'
earliest_offset: $info_min_time$
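Review bot: The new `latest_offset: 0` is an unquoted integer, unlike every other offset string in this file; quote it (`latest_offset: '0'`). With `starthoursago=168` gone the risk drilldown has no in-SPL bound, so the 7-day window holds only if unsigned `7d` is a lookback under ES offset semantics — verify. On the context line, `UserId="$UserId$"` in the "Investigate file sync downloads" drilldown does not match the `$user$` token used in the name and in the risk search; if the detection exposes `user` rather than `UserId`, `UserId="$user$"` is likely what was meant.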
diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml
index f543eb8455..a80ae54c1f 100644
--- a/detections/cloud/o365_external_guest_user_invited.yml
+++ b/detections/cloud/o365_external_guest_user_invited.yml
@@ -1,7 +1,7 @@
name: O365 External Guest User Invited
id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Azure Guest User $user$ invited by $src_user$
risk_objects:
diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml
index 5b2ee16661..6123503bba 100644
--- a/detections/cloud/o365_external_identity_policy_changed.yml
+++ b/detections/cloud/o365_external_identity_policy_changed.yml
@@ -1,7 +1,7 @@
name: O365 External Identity Policy Changed
id: 29af1725-7a72-4d2d-8a18-e697e79a62d3
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ changed the external identity [$object_name$] policy
risk_objects:
diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
index d66b88189d..17ab45d16d 100644
--- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
@@ -1,7 +1,7 @@
name: O365 File Permissioned Application Consent Granted by User
id: 6c382336-22b8-4023-9b80-1689e799f21f
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ consented an OAuth application that requests file-related permissions.
risk_objects:
diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
index 6714b424b7..2026ab4b83 100644
--- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
@@ -1,7 +1,7 @@
name: O365 FullAccessAsApp Permission Assigned
id: 01a510b3-a6ac-4d50-8812-7e8a3cde3d79
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ assigned the full_access_as_app permission to the app registration $object$
risk_objects:
diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
index b9d89ed26e..853c5ccc35 100644
--- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
name: O365 High Number Of Failed Authentications for User
id: 31641378-2fa9-42b1-948e-25e281cb98f7
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ failed to authenticate more than 10 times in the span of 5 minutes.
risk_objects:
diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml
index 628f5d14b3..f8b2236b7f 100644
--- a/detections/cloud/o365_high_privilege_role_granted.yml
+++ b/detections/cloud/o365_high_privilege_role_granted.yml
@@ -1,7 +1,7 @@
name: O365 High Privilege Role Granted
id: e78a1037-4548-4072-bb1b-ad99ae416426
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ granted high privilege roles to $ObjectId$
risk_objects:
diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
index 86ff80779a..742720f856 100644
--- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
@@ -1,7 +1,7 @@
name: O365 Mail Permissioned Application Consent Granted by User
id: fddad083-cdf5-419d-83c6-baa85e329595
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ consented an OAuth application that requests mail-related permissions.
risk_objects:
diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
index 807d50a315..f52bf11a07 100644
--- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
+++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
@@ -1,7 +1,7 @@
name: O365 Mailbox Email Forwarding Enabled
id: 0b6bc75c-05d1-4101-9fc3-97e706168f24
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Patrick Bareiss, Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Email forwarding configured by $user$ on mailbox $ObjectId$
risk_objects:
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
index 032d18865d..c2633890cf 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
@@ -1,7 +1,7 @@
name: O365 Mailbox Folder Read Permission Assigned
id: 1435475e-2128-4417-a34f-59770733b0d5
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- O365 ModifyFolderPermissions
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A folder was granted read permission by $user$
risk_objects:
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
index 6a5f0b296f..a92f5c549f 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
@@ -1,7 +1,7 @@
name: O365 Mailbox Folder Read Permission Granted
id: cd15c0a8-470e-4b12-9517-046e4927db30
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- O365 ModifyFolderPermissions
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A folder was granted read permission by $user$
risk_objects:
diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
index 5ca3097c97..50b7956a87 100644
--- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
+++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
@@ -1,7 +1,7 @@
name: O365 Mailbox Inbox Folder Shared with All Users
id: 21421896-a692-4594-9888-5faeb8a53106
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$MailboxOwnerUPN$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MailboxOwnerUPN$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$MailboxOwnerUPN$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Inbox folder for the $MailboxOwnerUPN$ mailbox was shared with all users.
risk_objects:
diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
index 359d1d8152..b47dce6925 100644
--- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
+++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
@@ -1,7 +1,7 @@
name: O365 Mailbox Read Access Granted to Application
id: 27ab61c5-f08a-438a-b4d3-325e666490b3
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Application registration $object$ was grandes mailbox read access by $user$
risk_objects:
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
index d84cfdf732..00d947ecc3 100644
--- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
name: O365 Multiple AppIDs and UserAgents Authentication Spike
id: 66adc486-224d-45c1-8e4d-9e7eeaba988f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids.
risk_objects:
diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
index 5e1458acaf..0da22d2a03 100644
--- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Failed MFA Requests For User
id: fd22124e-dbac-4744-a8ce-be10d8ec3e26
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple failed MFA requestes for $user$
risk_objects:
diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
index f0d2e72a5b..a4ae534717 100644
--- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
+++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Mailboxes Accessed via API
id: 7cd853e9-d370-412f-965d-a2bcff2a2908
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- O365 MailItemsAccessed
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An Oauth application identified with id $ClientAppId$ accessed multiple mailboxes in a short period of time via an API.
risk_objects:
diff --git a/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
index 0e99d244af..6693335991 100644
--- a/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
+++ b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
@@ -1,7 +1,7 @@
name: O365 Multiple OS Vendors Authenticating From User
id: 3451e58a-9457-4985-a600-b616b0cbfda1
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate logons from $user$
search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"'
earliest_offset: $info_min_time$
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
index 474ecee16a..65587c26fb 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Service Principals Created by SP
id: ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- O365 Add service principal.
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple OAuth applications were created by $src_user$ in a short period of time
risk_objects:
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
index b2f6f91977..43b67589da 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Service Principals Created by User
id: a34e65d0-54de-4b02-9db8-5a04522067f6
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- O365 Add service principal.
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple OAuth applications were created by $src_user$ in a short period of time
risk_objects:
diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
index 4e3514c9ac..b763a3d04f 100644
--- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Users Failing To Authenticate From Ip
id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Source Ip $src$ failed to authenticate with 20 users within 5 minutes.
risk_objects:
diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml
index 55635f5348..455f1e9ae7 100644
--- a/detections/cloud/o365_new_email_forwarding_rule_created.yml
+++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml
@@ -1,7 +1,7 @@
name: O365 New Email Forwarding Rule Created
id: 68469fd0-1315-44ba-b7e4-e92847bb76d6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A forwarding email inbox rule was created for $user$
risk_objects:
diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
index bc483717f6..f1571a122c 100644
--- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
+++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml
@@ -1,7 +1,7 @@
name: O365 New Email Forwarding Rule Enabled
id: ac7c4d0a-06a3-4278-aa59-88a5e537f981
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A forwarding email inbox rule was created for $user$
risk_objects:
diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml
index 5aee723bea..cbb7c6743a 100644
--- a/detections/cloud/o365_new_federated_domain_added.yml
+++ b/detections/cloud/o365_new_federated_domain_added.yml
@@ -1,7 +1,7 @@
name: O365 New Federated Domain Added
id: e155876a-6048-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rod Soto, Mauricio Velazco Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has added a new federated domain $new_value$
risk_objects:
diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
index 0a17620825..0830d9f7e2 100644
--- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
+++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml
@@ -1,7 +1,7 @@
name: O365 New Forwarding Mailflow Rule Created
id: 289ed0a1-4c78-4a43-9321-44ea2e089c14
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new forwarding mailflow rule was created by $user$
risk_objects:
diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml
index 4eecdb401c..e004d12322 100644
--- a/detections/cloud/o365_new_mfa_method_registered.yml
+++ b/detections/cloud/o365_new_mfa_method_registered.yml
@@ -1,7 +1,7 @@
name: O365 New MFA Method Registered
id: 4e12db1f-f7c7-486d-8152-a221cad6ac2b
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new MFA method was added for $user$
risk_objects:
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
index b9c2e7ca45..ff360d7845 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml
@@ -1,7 +1,7 @@
name: O365 OAuth App Mailbox Access via EWS
id: e600cf1a-0bef-4426-b42e-00176d610a4d
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
data_source:
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.
risk_objects:
diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
index fb919a27da..f2f05f3c38 100644
--- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
+++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml
@@ -1,7 +1,7 @@
name: O365 OAuth App Mailbox Access via Graph API
id: 9db0d5b0-4058-4cb7-baaf-77d8143539a2
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
data_source:
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An OAuth application identified with id $ClientAppId$ accesed mailboxes through the Graph API.
risk_objects:
diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
index 9b3682abc0..5f7bac0d11 100644
--- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml
@@ -1,7 +1,7 @@
name: O365 Privileged Graph API Permission Assigned
id: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ assigned privileged Graph API permissions to $object$
risk_objects:
diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml
index af319cbef2..169a5b56fd 100644
--- a/detections/cloud/o365_privileged_role_assigned.yml
+++ b/detections/cloud/o365_privileged_role_assigned.yml
@@ -1,7 +1,7 @@
name: O365 Privileged Role Assigned
id: db435700-4ddc-4c23-892e-49e7525d7d39
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A privileged Azure AD role [$object_name$] was assigned to user $user$ by $src_user$
risk_objects:
diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
index 94d8f5c09a..2dd0d69e2b 100644
--- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml
@@ -1,7 +1,7 @@
name: O365 Privileged Role Assigned To Service Principal
id: 80f3fc1b-705f-4080-bf08-f61bf013b900
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A privileged Azure AD role [$object_name$] was assigned to the Service Principal $user$ initiated by $src_user$
risk_objects:
diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml
index 00b1f094f3..d378dd83dc 100644
--- a/detections/cloud/o365_pst_export_alert.yml
+++ b/detections/cloud/o365_pst_export_alert.yml
@@ -1,7 +1,7 @@
name: O365 PST export alert
id: 5f694cc4-a678-4a60-9410-bffca1b647dc
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ has exported a PST file from the search using this operation- $signature$ with a severity of $Severity$
risk_objects:
diff --git a/detections/cloud/o365_safe_links_detection.yml b/detections/cloud/o365_safe_links_detection.yml
index 1954b42954..f562c06372 100644
--- a/detections/cloud/o365_safe_links_detection.yml
+++ b/detections/cloud/o365_safe_links_detection.yml
@@ -1,7 +1,7 @@
name: O365 Safe Links Detection
id: 711d9e8c-2cb0-45cf-8813-5f191ecb9b26
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ triggered a Microsoft Safe Links detection.
risk_objects:
diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
index 8931ba59b9..c107a21942 100644
--- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml
+++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml
@@ -1,7 +1,7 @@
name: O365 Security And Compliance Alert Triggered
id: 5b367cdd-8dfc-49ac-a9b7-6406cf27f33e
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source: []
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Security and Compliance triggered an alert for $user$
risk_objects:
diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml
index 3069f086c8..c84c97abfd 100644
--- a/detections/cloud/o365_service_principal_new_client_credentials.yml
+++ b/detections/cloud/o365_service_principal_new_client_credentials.yml
@@ -1,7 +1,7 @@
name: O365 Service Principal New Client Credentials
id: a1b229e9-d962-4222-8c62-905a8a010453
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: New credentials added for Service Principal $object$
risk_objects:
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml
index eb36f1e139..f61b9ffe45 100644
--- a/detections/cloud/o365_service_principal_privilege_escalation.yml
+++ b/detections/cloud/o365_service_principal_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: O365 Service Principal Privilege Escalation
id: b686d0bd-cca7-44ca-ae07-87f6465131d9
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Dean Luxton
data_source:
- O365 Add app role assignment grant to user.
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$servicePrincipal$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service Principal $servicePrincipal$ has elevated privileges by adding themself to app role $appRole$
risk_objects:
diff --git a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
index 979ebb2014..50a1fb1cfe 100644
--- a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
+++ b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml
@@ -1,7 +1,7 @@
name: O365 SharePoint Allowed Domains Policy Changed
id: b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The SharePoint Online domain allowlist was changed by $user$, $result$
risk_objects:
diff --git a/detections/cloud/o365_sharepoint_malware_detection.yml b/detections/cloud/o365_sharepoint_malware_detection.yml
index a69a6fcabb..5b5dfe54cf 100644
--- a/detections/cloud/o365_sharepoint_malware_detection.yml
+++ b/detections/cloud/o365_sharepoint_malware_detection.yml
@@ -1,7 +1,7 @@
name: O365 SharePoint Malware Detection
id: 583c5de3-7709-44cb-abfc-0e828d301b59
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: SharePoint detected a potentially malicious file $file_name$
risk_objects:
diff --git a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
index 9de9a11b6e..6efd872b29 100644
--- a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
+++ b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml
@@ -1,7 +1,7 @@
name: O365 SharePoint Suspicious Search Behavior
id: 6ca919db-52f3-4c95-a4e9-7b189e8a043d
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate search behavior by $user$
search: '`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$") OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")'
earliest_offset: $info_min_time$
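Review bot: The second clause of the `Investigate search behavior by $user$` drilldown two lines above, `OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")`, has a stray leading `OR` inside the parentheses, which SPL rejects as a comparator with no left-hand term, so this drilldown most likely errors when an analyst clicks it. The commit rewrites the neighbouring risk drilldown but leaves this one untouched; drop the extra keyword: `... OR (Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")`. The second clause is also not scoped with `Workload=SharePoint` like the first, which may be intentional but widens what the drilldown returns. This drilldown entry's `latest_offset` continues past the end of the hunk.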
diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
index 13ea392dc8..654fb129ca 100644
--- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
@@ -1,7 +1,7 @@
name: O365 Tenant Wide Admin Consent Granted
id: 50eaabf8-5180-4e86-bfb2-011472c359fc
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The $object$ application registration was granted tenant wide admin consent.
risk_objects:
diff --git a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml
index 2e9aaae913..7a5042b025 100644
--- a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml
+++ b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml
@@ -1,7 +1,7 @@
name: O365 Threat Intelligence Suspicious Email Delivered
id: 605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious email was delivered to $user$ by $src_user$ matching the $signature$ signature
risk_objects:
diff --git a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml
index 5a77ff5bc4..c2d28ede75 100644
--- a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml
+++ b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml
@@ -1,7 +1,7 @@
name: O365 Threat Intelligence Suspicious File Detected
id: 00958c7b-35db-4e7a-ad13-31550a7a7c64
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Threat Intelligence workload detected a malicious file [$file_name$] from user $user$
risk_objects:
diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
index 590b297c55..a7e7e65e19 100644
--- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml
@@ -1,7 +1,7 @@
name: O365 User Consent Blocked for Risky Application
id: 242e4d30-cb59-4051-b0cf-58895e218f40
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: O365 has blocked $user$ attempt to grant to consent to an application deemed risky.
risk_objects:
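Review bot: The `rba.message` context line above, `O365 has blocked $user$ attempt to grant to consent to an application deemed risky.`, is ungrammatical in an analyst-facing risk message and this version bump is a good moment to fix it. Suggest `message: O365 blocked an attempt by $user$ to grant consent to an application deemed risky.` The `rba` block continues past the hunk.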
diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
index 6a16c588ba..8573370e6d 100644
--- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml
@@ -1,7 +1,7 @@
name: O365 User Consent Denied for OAuth Application
id: 2d8679ef-b075-46be-8059-c25116cb1072
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ denifed consent for an OAuth application.
risk_objects:
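Review bot: The `rba.message` context line above still reads `User $user$ denifed consent for an OAuth application.` — `denifed` is a typo in an analyst-facing risk message that the commit bumps the version of without correcting. Change it to `message: User $user$ denied consent for an OAuth application.` The `rba` block continues past the hunk.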
diff --git a/detections/cloud/o365_zap_activity_detection.yml b/detections/cloud/o365_zap_activity_detection.yml
index 83279a5f6f..7788d08296 100644
--- a/detections/cloud/o365_zap_activity_detection.yml
+++ b/detections/cloud/o365_zap_activity_detection.yml
@@ -1,7 +1,7 @@
name: O365 ZAP Activity Detection
id: 4df275fd-a0e5-4246-8b92-d3201edaef7a
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ was included in a ZAP protection activity.
risk_objects:
diff --git a/detections/cloud/okta_non_standard_vpn_usage.yml b/detections/cloud/okta_non_standard_vpn_usage.yml
index fc7ac88ea9..03545dc8d0 100644
--- a/detections/cloud/okta_non_standard_vpn_usage.yml
+++ b/detections/cloud/okta_non_standard_vpn_usage.yml
@@ -1,7 +1,7 @@
name: Okta Non-Standard VPN Usage
id: 58eb9f80-896c-42f8-86c6-27ab59026c9c
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Marissa Bower, Raven Tait
status: experimental
type: TTP
@@ -17,9 +17,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Uncommon VPN software used by $user$ to connect to Okta.
risk_objects:
diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
index 2581b1d60a..17aeb70afe 100644
--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -1,7 +1,7 @@
name: Risk Rule for Dev Sec Ops by Repository
id: 161bc0ca-4651-4c13-9c27-27770660cf67
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
author: Bhavin Patel
status: production
type: Correlation
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Dev Sec Ops
diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml
index f7dcd42d7d..5c21daff5e 100644
--- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml
+++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml
@@ -1,7 +1,7 @@
name: Access LSASS Memory for Dump Creation
id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $SourceImage$ injected into $TargetImage$ and was attempted dump LSASS on $dest$. Adversaries tend to do this when trying to accesss credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
risk_objects:
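Review bot: The `rba.message` context line above has two wording defects in analyst-facing text, `was attempted dump LSASS` and `accesss`, which the version bump leaves in place. Since the file is being touched anyway, fix them in the same change: `message: process $SourceImage$ injected into $TargetImage$ and attempted to dump LSASS on $dest$. Adversaries tend to do this when trying to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).` The `rba` block continues past the hunk.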
diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml
index 829c9df7c8..1398f6a739 100644
--- a/detections/endpoint/active_directory_lateral_movement_identified.yml
+++ b/detections/endpoint/active_directory_lateral_movement_identified.yml
@@ -1,7 +1,7 @@
name: Active Directory Lateral Movement Identified
id: 6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Correlation
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Active Directory Lateral Movement
diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml
index 37d19b0b99..664adf6df2 100644
--- a/detections/endpoint/active_directory_privilege_escalation_identified.yml
+++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml
@@ -1,7 +1,7 @@
name: Active Directory Privilege Escalation Identified
id: 583e8a68-f2f7-45be-8fc9-bf725f0e22fd
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: experimental
type: Correlation
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Active Directory Privilege Escalation
diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml
index f0062199f5..5040f1c163 100644
--- a/detections/endpoint/active_setup_registry_autostart.yml
+++ b/detections/endpoint/active_setup_registry_autostart.yml
@@ -1,7 +1,7 @@
name: Active Setup Registry Autostart
id: f64579c0-203f-11ec-abcc-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
index d15edb1e4e..c42046bc70 100644
--- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml
+++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
@@ -1,7 +1,7 @@
name: Add DefaultUser And Password In Registry
id: d4a3eb62-0f1e-11ec-a971-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon
risk_objects:
diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
index b9af439d16..82e54e3eff 100644
--- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
@@ -1,7 +1,7 @@
name: Add or Set Windows Defender Exclusion
id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -63,9 +63,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: exclusion command $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml
index f9e665e7a6..731d2dff87 100644
--- a/detections/endpoint/adsisearcher_account_discovery.yml
+++ b/detections/endpoint/adsisearcher_account_discovery.yml
@@ -1,7 +1,7 @@
name: AdsiSearcher Account Discovery
id: de7fcadc-04f3-11ec-a241-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell process have been used for user enumeration on $dest$
risk_objects:
diff --git a/detections/endpoint/advanced_ip_or_port_scanner_execution.yml b/detections/endpoint/advanced_ip_or_port_scanner_execution.yml
index b51ed4683c..42930bee5a 100644
--- a/detections/endpoint/advanced_ip_or_port_scanner_execution.yml
+++ b/detections/endpoint/advanced_ip_or_port_scanner_execution.yml
@@ -1,7 +1,7 @@
name: Advanced IP or Port Scanner Execution
id: 9a4e50c7-5b62-4d52-93b4-f2b61332e9a5
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -63,9 +63,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Execution of Advanced IP or Port Scanner detected via $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
index 5b4b9a4355..66a1df0378 100644
--- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
+++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
@@ -1,7 +1,7 @@
name: Allow File And Printing Sharing In Firewall
id: ce27646e-d411-11eb-8a00-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious modification of firewall to allow file and printer sharing detected on host - $dest$
risk_objects:
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index 921293e9f0..4861002366 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -1,7 +1,7 @@
name: Allow Inbound Traffic By Firewall Rule Registry
id: 0a46537c-be02-11eb-92ca-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious firewall allow rule modifications were detected via the registry on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
index e616a0d3a2..41b4137c1e 100644
--- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
+++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
@@ -1,7 +1,7 @@
name: Allow Inbound Traffic In Firewall Rule
id: a5d85486-b89c-11eb-8267-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious firewall modification detected on endpoint $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml
index c6548c85e2..7f32b4025b 100644
--- a/detections/endpoint/allow_network_discovery_in_firewall.yml
+++ b/detections/endpoint/allow_network_discovery_in_firewall.yml
@@ -1,7 +1,7 @@
name: Allow Network Discovery In Firewall
id: ccd6a38c-d40b-11eb-85a5-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious modification to the firewall to allow network discovery detected on host - $dest$
risk_objects:
diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml
index c782a1cf5d..932b03e166 100644
--- a/detections/endpoint/allow_operation_with_consent_admin.yml
+++ b/detections/endpoint/allow_operation_with_consent_admin.yml
@@ -1,7 +1,7 @@
name: Allow Operation with Consent Admin
id: 7de17d7a-c9d8-11eb-a812-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious registry modification was performed on endpoint $dest$ by user $user$. This behavior is indicative of privilege escalation.
risk_objects:
diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml
index 38b6591253..899fb28a5c 100644
--- a/detections/endpoint/anomalous_usage_of_7zip.yml
+++ b/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -1,7 +1,7 @@
name: Anomalous usage of 7zip
id: 9364ee8e-a39a-11eb-8f1d-acde48001122
-version: 13
-date: '2026-03-26'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading of 7zip.
risk_objects:
diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml
index af07cdbd97..97b011c802 100644
--- a/detections/endpoint/attacker_tools_on_endpoint.yml
+++ b/detections/endpoint/attacker_tools_on_endpoint.yml
@@ -1,7 +1,7 @@
name: Attacker Tools On Endpoint
id: a51bfe1a-94f0-48cc-b4e4-16a110145893
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Bhavin Patel, Splunk, sventec, Github Community
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attacker tool $process_name$, listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$
risk_objects:
diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml
index 57de86262c..26ac6d3b36 100644
--- a/detections/endpoint/auto_admin_logon_registry_entry.yml
+++ b/detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -1,7 +1,7 @@
name: Auto Admin Logon Registry Entry
id: 1379d2b8-0f18-11ec-8ca3-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified registry key $registry_key_name$ with registry value $registry_value_name$ to prepare autoadminlogon
risk_objects:
diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml
index 15cc73f96f..3ee04778ac 100644
--- a/detections/endpoint/batch_file_write_to_system32.yml
+++ b/detections/endpoint/batch_file_write_to_system32.yml
@@ -1,7 +1,7 @@
name: Batch File Write to System32
id: 503d17cb-9eab-4cf8-a20e-01d5c6987ae3
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Steven Dick, Michael Haag, Rico Valdez, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file - $file_name$ was written to system32 has occurred on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
index d5eea0eee2..34cd6fdf1c 100644
--- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
+++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
@@ -1,7 +1,7 @@
name: Bcdedit Command Back To Normal Mode Boot
id: dc7a8004-0f18-11ec-8c54-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: bcdedit process with commandline $process$ to bring back to normal boot configuration the $dest$
risk_objects:
diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml
index 666f9ed88c..2863bb0487 100644
--- a/detections/endpoint/bcdedit_failure_recovery_modification.yml
+++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml
@@ -1,7 +1,7 @@
name: BCDEdit Failure Recovery Modification
id: 809b31d2-5462-11eb-ae93-0242ac130002
-version: 13
-date: '2026-03-16'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable the ability to recover the endpoint.
risk_objects:
diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml
index 39aa864f44..82f4adbc4a 100644
--- a/detections/endpoint/bits_job_persistence.yml
+++ b/detections/endpoint/bits_job_persistence.yml
@@ -1,7 +1,7 @@
name: BITS Job Persistence
id: e97a5ffe-90bf-11eb-928a-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to persist using BITS.
risk_objects:
diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml
index d7a3c8f747..65fef57d1f 100644
--- a/detections/endpoint/bitsadmin_download_file.yml
+++ b/detections/endpoint/bitsadmin_download_file.yml
@@ -1,7 +1,7 @@
name: BITSAdmin Download File
id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Michael Haag, Sittikorn S
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.
risk_objects:
diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml
index 29e386e928..070e81f4e8 100644
--- a/detections/endpoint/certutil_exe_certificate_extraction.yml
+++ b/detections/endpoint/certutil_exe_certificate_extraction.yml
@@ -1,7 +1,7 @@
name: Certutil exe certificate extraction
id: 337a46be-600f-11eb-ae93-0242ac130002
-version: 14
-date: '2026-03-25'
+version: 15
+date: '2026-03-31'
author: Rod Soto, Splunk
status: production
type: TTP
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting export a certificate.
risk_objects:
diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml
index 6e532008f7..94b897c4b5 100644
--- a/detections/endpoint/certutil_with_decode_argument.yml
+++ b/detections/endpoint/certutil_with_decode_argument.yml
@@ -1,7 +1,7 @@
name: CertUtil With Decode Argument
id: bfe94226-8c10-11eb-a4b3-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.
risk_objects:
diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml
index 103fe12371..8e3e6dad6d 100644
--- a/detections/endpoint/change_to_safe_mode_with_network_config.yml
+++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml
@@ -1,7 +1,7 @@
name: Change To Safe Mode With Network Config
id: 81f1dce0-0f18-11ec-a5d7-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: bcdedit process with commandline $process$ to force safemode boot the $dest$
risk_objects:
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
index e6f915ce19..07b260f44d 100644
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -1,7 +1,7 @@
name: Check Elevated CMD using whoami
id: a9079b18-1633-11ec-859c-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ with commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml b/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
index f4e4c84768..f1ed7759ad 100644
--- a/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
+++ b/detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Access To Cloud Metadata Service
id: 7f2e1a9a-1e8e-4d2e-8b7c-5f2c3d6a9b21
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Pod [$pod_name$] accessed the cloud metadata service [$dest_ip$] in cluster [$cluster_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___cron_job_creation.yml b/detections/endpoint/cisco_isovalent___cron_job_creation.yml
index 6da29673b5..b248c99570 100644
--- a/detections/endpoint/cisco_isovalent___cron_job_creation.yml
+++ b/detections/endpoint/cisco_isovalent___cron_job_creation.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Cron Job Creation
id: 94531a31-a041-4777-909f-cd92ed3b71ad
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: cron job creation detected in pod [$pod_name$] in the cluster [$cluster_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml
index 6849d049f1..c95842ba8a 100644
--- a/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml
+++ b/detections/endpoint/cisco_isovalent___curl_execution_with_insecure_flags.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Curl Execution With Insecure Flags
id: c16c4899-d3f7-461b-92c2-cc0ef5758855
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A curl execution with insecure flags has been detected on pod_name [$pod_name$] in the cluster [$cluster_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___late_process_execution.yml b/detections/endpoint/cisco_isovalent___late_process_execution.yml
index 8341289870..c991ffbc77 100644
--- a/detections/endpoint/cisco_isovalent___late_process_execution.yml
+++ b/detections/endpoint/cisco_isovalent___late_process_execution.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Late Process Execution
id: 7f4b9b8e-5d6a-4a21-9e3f-0f1e8f2d1c3a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Late process execution [$process_name$] detected in pod [$pod_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml b/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
index 8eeb316deb..96e6ef783e 100644
--- a/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
+++ b/detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Non Allowlisted Image Use
id: 9f2b7b1d-6c2f-4f2d-9a8b-8a1d7c5f2e11
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Non Allowlisted image [$pod_image_name$] used by pod [$pod_name$] in the cluster [$cluster_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml b/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml
index 4e68c11429..346571285b 100644
--- a/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml
+++ b/detections/endpoint/cisco_isovalent___nsenter_usage_in_kubernetes_pod.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Nsenter Usage in Kubernetes Pod
id: cd07120d-4265-481a-ba0f-3b91fbc5a02f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An nsenter escape attempt has been detected by user on container pod - [$pod_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml b/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml
index 9499bc4f58..3c8aa6058e 100644
--- a/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml
+++ b/detections/endpoint/cisco_isovalent___pods_running_offensive_tools.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Pods Running Offensive Tools
id: e9d0b9e6-2f3c-4a8a-9d61-2b6f4a9c1c2e
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Offensive tool execution [$process_name$] detected in pod [$pod_name$] on cluster [$cluster_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml b/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml
index 4009a3e0ac..ddad3e8c97 100644
--- a/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml
+++ b/detections/endpoint/cisco_isovalent___potential_escape_to_host.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Potential Escape to Host
id: 2b8a7a21-bec6-4e1f-84c4-7b319f45d2ab
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$pod_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$pod_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Escape-to-host attempt detected in pod $pod_name$ on cluster $cluster_name$ using a command - [$process$]
risk_objects:
diff --git a/detections/endpoint/cisco_isovalent___shell_execution.yml b/detections/endpoint/cisco_isovalent___shell_execution.yml
index f14c08ffea..d06e623299 100644
--- a/detections/endpoint/cisco_isovalent___shell_execution.yml
+++ b/detections/endpoint/cisco_isovalent___shell_execution.yml
@@ -1,7 +1,7 @@
name: Cisco Isovalent - Shell Execution
id: 12345678-abcd-1234-ef00-1234567890ab
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Bhavin Patel, Splunk
type: Anomaly
data_source:
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$node_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$node_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$node_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The shell [$process_name$] was executed on container pod namespace [$node_name$]
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
index 7b01b4743d..432dadaa91 100644
--- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
+++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Curl Execution With Insecure Flags
id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -63,9 +63,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ executed curl with insecure flags and communicated with $dest$ / $dest_hostname$ over port $dest_port$
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
index 264b127eef..5a4391156d 100644
--- a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
+++ b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Installation of Typosquatted Python Package
id: 5e3f6b44-42cb-4f8a-99f0-59e78a52ea1d
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -63,9 +63,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Host $src$ used pip or poetry to install a likely typosquatted python package $package_name$ from $dest_hostname$
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
index 9bb05a6c4e..06deb52d36 100644
--- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
+++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -68,9 +68,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ executed $process_name$ with potential obfuscated logic and initiated a network connection to $dest_hostname$ / $dest$ over $dest_port$.
risk_objects:
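Review bot: The two replaced offset lines in this hunk are typed inconsistently — `earliest_offset: 7d` is a YAML string while `latest_offset: 0` is a bare integer — and the loader will hand a schema expecting strings an `int` for one of two sibling keys; the file already quotes its other literals (`date: '2026-03-31'`), so `latest_offset: '0'` keeps the pair uniform and avoids depending on whether the consumer coerces. The drilldown's `name` still reads "View risk events for the last 7 days", but with `starthoursago=168` removed the window now comes entirely from these offsets, which I understand ES applies relative to the notable event's own time rather than to "now"; if that is right the search covers the 7 days preceding the event and nothing after it, and if ES instead expects a number of seconds or a signed modifier, `7d` may not parse as intended — worth confirming against the ES drilldown-offset format once rather than per file. The `drilldown_searches` list this hunk edits begins above the hunk. The same observation applies verbatim to the corresponding drilldown hunk of every other detection file in this patch (Non-Network Binary, Outbound Connection to Suspicious Port, Rclone, Rundll32/MSHTML, Susp Script From Archive, the File Sharing/Headless Browser/No Args/MsXsl/IP Lookup/Webserver NVM detections, Cipher App, Clop, CMD Echo Pipe and CMLUA).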
diff --git a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
index ac33b61f99..3728404460 100644
--- a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
+++ b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Non-Network Binary Making Network Connection
id: c6db35af-8a0e-4b61-88ed-738e66f15715
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -65,9 +65,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ observed $process_path$ initiating a network connection to $dest$ over port $dest_port$, which is highly unusual
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
index 3de5d7abc7..fde3d70c4f 100644
--- a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
+++ b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Outbound Connection to Suspicious Port
id: fc32a8d5-bc79-4437-b48f-4646ab7bed9d
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -62,9 +62,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ established an outbound network connection via the process $process_path$ with the commandline arguments $process_arguments$ to $dest$ over suspicious port $dest_port$.
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
index 12445145e7..e448627a66 100644
--- a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Rclone Execution With Network Activity
id: 719f8c78-b20d-4bb9-8c33-6d1a762e7a9a
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -72,9 +72,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Rclone was executed on $src$ using flags $process_arguments$ and connected to $dest_hostname$ over $dest_port$.
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
index 3aea42e4a5..0b59c182fe 100644
--- a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
+++ b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
id: 18f0d27d-569e-4bc4-96e1-09b214fa73c0
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -60,9 +60,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_path$ was executed on $src$ leveraging the mshtml.dll and the RunHTMLApplication export to download a potentially suspicious file from $dest_hostname$.
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
index 31fab1a12d..0f5721d056 100644
--- a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Susp Script From Archive Triggering Network Activity
id: 8b07c2c9-0cde-4c44-9fa6-59dcf2b25777
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_path$ running from $parent_process_name$ with archive-related execution in Temp was observed from host $src$ performing network a connection towards $dest$ / $dest_hostname$ over port $dest_port$.
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
index 6f98b6f837..b79cad2582 100644
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Suspicious Download From File Sharing Website
id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -78,9 +78,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ used $process_path$ to download content from the file-sharing domain $dest_hostname$ over port $dest_port$
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
index 517453d5c4..eb4cccdf91 100644
--- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Suspicious File Download via Headless Browser
id: cd0e816f-f67d-4dbe-a153-480b546e867e
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -96,9 +96,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious file download using the Chromium-based browser $parent_process_name$ via the commandline $process_arguments$. Observed on host $src$ communicating with $dest$ / $dest_hostname$
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
index af80f50a35..8deb3bc78f 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Suspicious Network Connection From Process With No Args
id: 54fa06c5-96a2-4406-a4a7-44d93ddbd173
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -68,9 +68,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The $process_name$ was seen on host $src$ executing without any command-line arguments and initiating a network connection towards $dest$. This might indicate a potential communication with a C&C server.
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
index cf57cb806a..0c7401703b 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Suspicious Network Connection Initiated via MsXsl
id: 1cbcf75f-0e45-4f29-8c1b-7fcd7e55cc55
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -62,9 +62,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Host $src$ used msxsl.exe to initiate a suspicious network connection to $dest$
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
index 13d5db83a9..6151e4268c 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
status: production
type: Anomaly
@@ -72,9 +72,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ made a network request to IP lookup service $dest_hostname$ using suspicious process $process_path$
risk_objects:
diff --git a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
index 3a8fd7d163..cfcb0d5d1c 100644
--- a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
@@ -1,7 +1,7 @@
name: Cisco NVM - Webserver Download From File Sharing Website
id: 1984f997-3b49-4d4b-a7e9-dc5dbf88370e
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -76,9 +76,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- GhostRedirector IIS Module and Rungan Backdoor
diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
index e2cab24e1e..c146c8cfe1 100644
--- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
+++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
@@ -1,7 +1,7 @@
name: Clear Unallocated Sector Using Cipher App
id: cd80a6ac-c9d9-11eb-8839-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to clear the unallocated sectors of a specific disk.
risk_objects:
diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml
index bcf7dd7c96..0515bff1d4 100644
--- a/detections/endpoint/clop_common_exec_parameter.yml
+++ b/detections/endpoint/clop_common_exec_parameter.yml
@@ -1,7 +1,7 @@
name: Clop Common Exec Parameter
id: 5a8a2a72-8322-11eb-9ee9-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting using arguments to execute its main code or feature of its code related to Clop ransomware.
risk_objects:
diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml
index 6b9beaf853..55bb7a0668 100644
--- a/detections/endpoint/clop_ransomware_known_service_name.yml
+++ b/detections/endpoint/clop_ransomware_known_service_name.yml
@@ -1,7 +1,7 @@
name: Clop Ransomware Known Service Name
id: 07e08a12-870c-11eb-b5f9-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of a known Clop Ransomware Service Name detected on $dest$
risk_objects:
diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml
index a979490b2c..1a8a39ece4 100644
--- a/detections/endpoint/cmd_echo_pipe___escalation.yml
+++ b/detections/endpoint/cmd_echo_pipe___escalation.yml
@@ -1,7 +1,7 @@
name: CMD Echo Pipe - Escalation
id: eb277ba0-b96b-11eb-b00e-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.
risk_objects:
diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
index 582dbf941b..8d65ecc62f 100644
--- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
+++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
@@ -1,7 +1,7 @@
name: CMLUA Or CMSTPLUA UAC Bypass
id: f87b5062-b405-11eb-a889-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml
index fca5525126..30e4cd6c54 100644
--- a/detections/endpoint/common_ransomware_extensions.yml
+++ b/detections/endpoint/common_ransomware_extensions.yml
@@ -1,7 +1,7 @@
name: Common Ransomware Extensions
id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
-version: 19
-date: '2026-03-10'
+version: 20
+date: '2026-03-31'
author: David Dorsey, Michael Haag, Splunk, Steven Dick
status: production
type: TTP
@@ -87,9 +87,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The device $dest$ wrote $file_count$ files to $path_count$ path(s) with the $file_extension$ extension. This extension and behavior may indicate a $Name$ ransomware attack.
risk_objects:
diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml
index a09ad825b1..affd9db50f 100644
--- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml
+++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml
@@ -1,7 +1,7 @@
name: ConnectWise ScreenConnect Path Traversal
id: 56a3ac65-e747-41f7-b014-dff7423c1dda
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Sysmon EventID 11
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A path traversal attack against ScreenConnect has been detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
index 33aace88e7..611cef3f47 100644
--- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
+++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
@@ -1,7 +1,7 @@
name: ConnectWise ScreenConnect Path Traversal Windows SACL
id: 4e127857-1fc9-4c95-9d69-ba24c91d52d7
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Windows Event Log Security 4663
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A path traversal attack against ScreenConnect has been detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml
index 1fe0bcf79c..cfc5c3ddcd 100644
--- a/detections/endpoint/conti_common_exec_parameter.yml
+++ b/detections/endpoint/conti_common_exec_parameter.yml
@@ -1,7 +1,7 @@
name: Conti Common Exec parameter
id: 624919bc-c382-11eb-adcc-acde48001122
-version: 13
-date: '2026-03-26'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing specific Conti Ransomware related parameters.
risk_objects:
diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml
index 8b0a48dbf7..b3f3e496c3 100644
--- a/detections/endpoint/control_loading_from_world_writable_directory.yml
+++ b/detections/endpoint/control_loading_from_world_writable_directory.yml
@@ -1,7 +1,7 @@
name: Control Loading from World Writable Directory
id: 10423ac4-10c9-11ec-8dc4-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.
risk_objects:
diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
index 57395ab311..a4b3e613bf 100644
--- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
+++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
@@ -1,7 +1,7 @@
name: Create or delete windows shares using net exe
id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumerating Windows file shares.
risk_objects:
diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml
index a820e4cde9..e41a15343c 100644
--- a/detections/endpoint/create_remote_thread_in_shell_application.yml
+++ b/detections/endpoint/create_remote_thread_in_shell_application.yml
@@ -1,7 +1,7 @@
name: Create Remote Thread In Shell Application
id: 10399c1e-f51e-11eb-b920-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ create a remote thread to shell app process $TargetImage$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml
index 3cf4c31364..b8894ed4de 100644
--- a/detections/endpoint/create_remote_thread_into_lsass.yml
+++ b/detections/endpoint/create_remote_thread_into_lsass.yml
@@ -1,7 +1,7 @@
name: Create Remote Thread into LSASS
id: 67d4dbef-9564-4699-8da8-03a151529edc
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process has created a remote thread into $TargetImage$ on $dest$. This behavior is indicative of credential dumping and should be investigated.
risk_objects:
diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
index c3b9ee225b..5f05d819aa 100644
--- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
+++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
@@ -1,7 +1,7 @@
name: Creation of lsass Dump with Taskmgr
id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.
risk_objects:
diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml
index 11e3e399b4..cb5a3014a6 100644
--- a/detections/endpoint/creation_of_shadow_copy.yml
+++ b/detections/endpoint/creation_of_shadow_copy.yml
@@ -1,7 +1,7 @@
name: Creation of Shadow Copy
id: eb120f5f-b879-4a63-97c1-93352b5df844
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.
risk_objects:
diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
index c72d208659..dd43eb1b43 100644
--- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
+++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
@@ -1,7 +1,7 @@
name: Creation of Shadow Copy with wmic and powershell
id: 2ed8b538-d284-449a-be1d-82ad1dbd186b
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a shadow copy to perform offline password cracking.
risk_objects:
diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
index 77bf251e98..1d9036603a 100644
--- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
@@ -1,7 +1,7 @@
name: Credential Dumping via Copy Command from Shadow Copy
id: d8c406fe-23d2-45f3-a983-1abe7b83ff3b
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to copy SAM and NTDS.dit for offline password cracking.
risk_objects:
diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
index 0330bd6405..ca148e573f 100644
--- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
@@ -1,7 +1,7 @@
name: Credential Dumping via Symlink to Shadow Copy
id: c5eac648-fae0-4263-91a6-773df1f4c903
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create symlink to a shadow copy to grab credentials.
risk_objects:
diff --git a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
index 438e00bd53..1db4b83119 100644
--- a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
@@ -1,7 +1,7 @@
name: Crowdstrike Admin Weak Password Policy
id: bb1481fd-23c0-4195-b6a0-94d746c9637c
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Weak Password for Admin User found on $domain$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
index cf6efba7c5..d8f22b720a 100644
--- a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
@@ -1,7 +1,7 @@
name: Crowdstrike Admin With Duplicate Password
id: b8bccfbf-6ac2-40f2-83b6-e72b7efaa7d4
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Duplicate Password for Admin User found on $domain$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
index 1eec244916..df8abee07a 100644
--- a/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
+++ b/detections/endpoint/crowdstrike_falcon_stream_alerts.yml
@@ -1,7 +1,7 @@
name: CrowdStrike Falcon Stream Alerts
id: cb6af2b3-29ab-441c-8d8d-679811c8b014
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bryan Pluta, Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: View other CrowdStrike events for "$user$ on "$dest$"
search: '$annotations.drilldown_search$'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
index 8483077bc2..95c9fb6316 100644
--- a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
@@ -1,7 +1,7 @@
name: Crowdstrike High Identity Risk Severity
id: 0df524ad-6d78-4883-9987-d29418928103
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: High Identity Risk Score Severity found on $domain$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
index 6f1585c191..b80b9388a9 100644
--- a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
@@ -1,7 +1,7 @@
name: Crowdstrike Medium Identity Risk Severity
id: c23b425c-9024-4bd7-b526-c18a4a51d93e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Medium Identity Risk Score Severity found on $domain$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml
index f43510dd64..27a7b46123 100644
--- a/detections/endpoint/crowdstrike_medium_severity_alert.yml
+++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml
@@ -1,7 +1,7 @@
name: Crowdstrike Medium Severity Alert
id: 7e80d92a-6ec3-4eb1-a444-1480acfe2d14
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A MEDIUM Severity Crowdstrike Alert found in $src_host$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
index 558d05a6ea..8ec9a022fe 100644
--- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
+++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
@@ -1,7 +1,7 @@
name: Crowdstrike Multiple LOW Severity Alerts
id: 5c2c02d8-bee7-4f5c-9dea-e3e1012daddb
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_host$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Several LOW severity alerts found in $src_host$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
index 58ed8b9f39..b2193be62b 100644
--- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
+++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
@@ -1,7 +1,7 @@
name: Crowdstrike Privilege Escalation For Non-Admin User
id: 69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Privilege escalation happened in Non-Admin Account in $src_host$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
index 09ef2e889d..66236dedca 100644
--- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
@@ -1,7 +1,7 @@
name: Crowdstrike User Weak Password Policy
id: b49b6ef4-57cd-4d42-bd7e-64e00f11cc87
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User Weak Password found on $domain$
risk_objects:
diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
index e262df1474..802554a19b 100644
--- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
@@ -1,7 +1,7 @@
name: Crowdstrike User with Duplicate Password
id: 386dd914-16e5-400b-9bf6-25572cc4415a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source: []
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User with Duplicate Password found on $domain$
risk_objects:
diff --git a/detections/endpoint/curl_execution_with_percent_encoded_url.yml b/detections/endpoint/curl_execution_with_percent_encoded_url.yml
index 840e02f0ae..0cc56c16f8 100644
--- a/detections/endpoint/curl_execution_with_percent_encoded_url.yml
+++ b/detections/endpoint/curl_execution_with_percent_encoded_url.yml
@@ -1,7 +1,7 @@
name: Curl Execution with Percent Encoded URL
id: 9a8d5516-4c5e-11ef-9d42-acde48001122
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -78,9 +78,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ with URL-encoded parameters $process$.
risk_objects:
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml
index 9056a1b45b..d5dc30ba07 100644
--- a/detections/endpoint/delete_shadowcopy_with_powershell.yml
+++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml
@@ -1,7 +1,7 @@
name: Delete ShadowCopy With PowerShell
id: 5ee2bcd0-b2ff-11eb-bb34-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to delete ShadowCopy was performed using PowerShell on $dest$ by $user_id$.
risk_objects:
diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml
index f9e192a446..6144ba5051 100644
--- a/detections/endpoint/deleting_shadow_copies.yml
+++ b/detections/endpoint/deleting_shadow_copies.yml
@@ -1,7 +1,7 @@
name: Deleting Shadow Copies
id: b89919ed-ee5f-492c-b139-95dbb162039e
-version: 17
-date: '2026-03-16'
+version: 18
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete shadow copies.
risk_objects:
diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
index bff3e46b18..7ef41f3b51 100644
--- a/detections/endpoint/detect_azurehound_command_line_arguments.yml
+++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Detect AzureHound Command-Line Arguments
id: 26f02e96-c300-11eb-b611-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ using AzureHound to enumerate AzureAD.
risk_objects:
diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml
index ff6735cfe5..fe608650e5 100644
--- a/detections/endpoint/detect_azurehound_file_modifications.yml
+++ b/detections/endpoint/detect_azurehound_file_modifications.yml
@@ -1,7 +1,7 @@
name: Detect AzureHound File Modifications
id: 1c34549e-c31b-11eb-996b-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file - $file_name$ was written to disk that is related to AzureHound, a AzureAD enumeration utility, has occurred on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml
index 7b074180f5..f6f91acc97 100644
--- a/detections/endpoint/detect_certify_command_line_arguments.yml
+++ b/detections/endpoint/detect_certify_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Detect Certify Command Line Arguments
id: e6d2dc61-a8b9-4b03-906c-da0ca75d71b8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Certify/Certipy arguments detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
index 4f7ac65e7c..fcc72f4a98 100644
--- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
@@ -1,7 +1,7 @@
name: Detect Certify With PowerShell Script Block Logging
id: f533ca6c-9440-4686-80cb-7f294c07812a
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Certify arguments through PowerShell detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml
index d1f5049454..72a615ca33 100644
--- a/detections/endpoint/detect_certipy_file_modifications.yml
+++ b/detections/endpoint/detect_certipy_file_modifications.yml
@@ -1,7 +1,7 @@
name: Detect Certipy File Modifications
id: 7e3df743-b1d8-4631-8fa8-bd5819688876
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious files $file_name$ related to Certipy detected on $dest$
risk_objects:
diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
index c4c799025f..1ae967361b 100644
--- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
+++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
@@ -1,7 +1,7 @@
name: Detect Copy of ShadowCopy with Script Block Logging
id: 9251299c-ea5b-11eb-a8de-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was identified running a script to capture the SAM hive on endpoint $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
index 8afa296cce..a0e25ce99a 100644
--- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
+++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
@@ -1,7 +1,7 @@
name: Detect Credential Dumping through LSASS access
id: 2c365e57-4414-4540-8dc0-73ab10729996
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$TargetImage$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$TargetImage$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$TargetImage$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The $SourceImage$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.
risk_objects:
diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
index 2f235a94c0..0f9efbd3ba 100644
--- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
@@ -1,7 +1,7 @@
name: Detect Empire with PowerShell Script Block Logging
id: bc1dc6b8-c954-11eb-bade-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following behavior was identified and typically related to PowerShell-Empire on $dest$ by $user_id$.
risk_objects:
diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
index 6e1108faaf..67757b031c 100644
--- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
+++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
@@ -1,7 +1,7 @@
name: Detect Excessive Account Lockouts From Endpoint
id: c026e3dd-7e18-4abb-8f41-929e836efe74
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple accounts have been locked out. Review $dest$ and results related to $user$.
risk_objects:
diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml
index 634dbb7388..35b6fedbd2 100644
--- a/detections/endpoint/detect_excessive_user_account_lockouts.yml
+++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml
@@ -1,7 +1,7 @@
name: Detect Excessive User Account Lockouts
id: 95a7f9a5-6096-437e-a19e-86f42ac609bd
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive user account lockouts for $user$ in a short period of time
risk_objects:
diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml
index fce35cf708..e71c0667e5 100644
--- a/detections/endpoint/detect_exchange_web_shell.yml
+++ b/detections/endpoint/detect_exchange_web_shell.yml
@@ -1,7 +1,7 @@
name: Detect Exchange Web Shell
id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Shannon Davis, David Dorsey, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file - $file_name$ was written to disk that is related to IIS exploitation previously performed by HAFNIUM. Review further file modifications on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index f6d92b937f..3774e15d33 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help URL in Command Line
id: 8c5835b9-39d9-438b-817c-95f14c69a31e
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.
risk_objects:
diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
index db154ed4c8..25afa8d020 100644
--- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
+++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
@@ -1,7 +1,7 @@
name: Detect HTML Help Using InfoTech Storage Handlers
id: 0b2eefa5-5508-450d-b970-3dd2fb761aec
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.
risk_objects:
diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
index 607f2cf517..9e3a13a8d9 100644
--- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
@@ -1,7 +1,7 @@
name: Detect Mimikatz With PowerShell Script Block Logging
id: 8148c29c-c952-11eb-9255-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following behavior was identified and typically related to MimiKatz being loaded within the context of PowerShell on $dest$ by $user_id$.
risk_objects:
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index 80c7ca62e8..16d7393151 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -1,7 +1,7 @@
name: Detect mshta inline hta execution
id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: 20
-date: '2026-03-10'
+version: 21
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.
risk_objects:
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index a794f54afb..719a088f7c 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -1,7 +1,7 @@
name: Detect MSHTA Url in Command Line
id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to access a remote destination to download an additional payload.
risk_objects:
diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml
index 28c4238e1a..1ce361b1c5 100644
--- a/detections/endpoint/detect_new_local_admin_account.yml
+++ b/detections/endpoint/detect_new_local_admin_account.yml
@@ -1,7 +1,7 @@
name: Detect New Local Admin account
id: b25f6f62-0712-43c1-b203-083231ffd97d
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $user$ on $dest$ was added recently. Identify if this was legitimate behavior or not.
risk_objects:
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index 078755241c..1d74498122 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -1,7 +1,7 @@
name: Detect Outlook exe writing a zip file
id: a51bfe1a-94f0-4822-b1e4-16ae10145893
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -90,9 +90,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ZIP file - [$file_name$] located in [$file_path$] written by outlook.exe on destination host - [$dest$] by user - [$user$]
risk_objects:
diff --git a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml
index 951603bf70..57dd9332c2 100644
--- a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml
+++ b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml
@@ -1,7 +1,7 @@
name: Detect Password Spray Attack Behavior From Source
id: b6391b15-e913-4c2c-8949-9eecc06efacc
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The source [$src$] attempted to access $user_dc$ distinct users a total of $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected.
risk_objects:
diff --git a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml
index 602c626615..f751847771 100644
--- a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml
+++ b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml
@@ -1,7 +1,7 @@
name: Detect Password Spray Attack Behavior On User
id: a7539705-7183-4a12-9b6a-b6eef645a6d7
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A total of $src_dc$ distinct sources attempted to access the account [$user$], $count$ times between [$firstTime$] and [$lastTime$]. $success$ successful logins detected.
risk_objects:
diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
index 9a4a13061e..b6d71be0a2 100644
--- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
+++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
@@ -1,7 +1,7 @@
name: Detect Path Interception By Creation Of program exe
id: cbef820c-e1ff-407f-887f-0a9240a2d477
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to perform privilege escalation by using unquoted service paths.
risk_objects:
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
index 5d1f5221f0..45abd2091c 100644
--- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml
+++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -1,7 +1,7 @@
name: Detect PsExec With accepteula Flag
id: 27c3a83d-cada-47c6-9042-67baf19d2574
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running the utility for possibly the first time.
risk_objects:
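Review bot: Same scalar-type mismatch as the other hunks in this commit: `latest_offset: 0` is a YAML integer next to the string `earliest_offset: 7d`; quote it as `latest_offset: '0'` so both offset fields are strings as they were before. Also confirm the drilldown offset field accepts the `7d` relative-time form, since the in-search `starthoursago=168` bound that previously guaranteed the 7-day window has been removed.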
diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml
index 407ce773c6..a72d872120 100644
--- a/detections/endpoint/detect_rare_executables.yml
+++ b/detections/endpoint/detect_rare_executables.yml
@@ -1,7 +1,7 @@
name: Detect Rare Executables
id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A rare process - [$process_name$] has been detected on less than 10 hosts on $dest$.
risk_objects:
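Review bot: `latest_offset: 0` is an unquoted integer while the field was previously the string `$info_max_time$`; write `latest_offset: '0'` so the offset keeps a string type under a strict schema. With `latest_offset` at the notable's own time, risk events written by later-firing detections for the same `$dest$` presumably fall outside the window — if the intent is "last 7 days as of the click", verify the offset semantics rather than relying on the drilldown name.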
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
index 2bc0656405..dde5c4d051 100644
--- a/detections/endpoint/detect_rclone_command_line_usage.yml
+++ b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -1,7 +1,7 @@
name: Detect RClone Command-Line Usage
id: 32e0baea-b3f1-11eb-a2ce-acde48001122
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to connect to a remote cloud service to move files or folders.
risk_objects:
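Review bot: As in the sibling hunks, `latest_offset: 0` is a bare YAML int while `earliest_offset: 7d` is a string; quote it (`latest_offset: '0'`) so the two offset fields share a type. The dropped `starthoursago=168` was the only explicit 7-day bound in the SPL, so the window now depends entirely on how the drilldown offset field interprets `7d` — confirm that before shipping.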
diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml
index ccd69cd870..2a06493341 100644
--- a/detections/endpoint/detect_regasm_spawning_a_process.yml
+++ b/detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -1,7 +1,7 @@
name: Detect Regasm Spawning a Process
id: 72170ec5-f7d2-42f5-aefb-2b8be6aad15f
-version: 15
-date: '2026-03-16'
+version: 16
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.
risk_objects:
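Review bot: `latest_offset: 0` should be quoted as `latest_offset: '0'` — it replaces the string `$info_max_time$` and sits beside the string `earliest_offset: 7d`, so a strict string-typed schema could reject the integer. Confirm also that the offset field accepts the relative-time token `7d` now that `starthoursago=168` has been removed from the search itself.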
diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml
index 01332277bd..212b32fa30 100644
--- a/detections/endpoint/detect_regasm_with_network_connection.yml
+++ b/detections/endpoint/detect_regasm_with_network_connection.yml
@@ -1,7 +1,7 @@
name: Detect Regasm with Network Connection
id: 07921114-6db4-4e2e-ae58-3ea8a52ae93f
-version: 14
-date: '2026-03-16'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.
risk_objects:
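Review bot: Mixed scalar types on the new side: `earliest_offset: 7d` is a string, `latest_offset: 0` is an integer; quote the latter (`latest_offset: '0'`) to match the string values it replaces. The removal of `starthoursago=168` means the 7-day bound now lives only in the offset field, so verify that field accepts `7d` rather than a seconds count.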
diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
index e65b95784a..3adfa02e40 100644
--- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Detect Regasm with no Command Line Arguments
id: c3bc1430-04e7-4178-835f-047d8e6e97df
-version: 14
-date: '2026-03-16'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.
risk_objects:
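Review bot: Same point as the rest of this commit: `latest_offset: 0` is an unquoted int replacing the string `$info_max_time$`; write `latest_offset: '0'` for a consistent type with `earliest_offset: 7d`. Also confirm the offset field's interpretation of `7d`, since the explicit `starthoursago=168` bound in the SPL is gone.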
diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
index 680f60d1b7..d89984bd8f 100644
--- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml
+++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
@@ -1,7 +1,7 @@
name: Detect Regsvcs Spawning a Process
id: bc477b57-5c21-4ab6-9c33-668772e7f114
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.
risk_objects:
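Review bot: `latest_offset: 0` is a bare integer while `earliest_offset: 7d` and the values being replaced are strings; quote it as `latest_offset: '0'`. With `starthoursago=168` removed from the search, the 7-day window rests entirely on the offset field accepting a relative-time token — verify that rather than assuming it.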
diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml
index c2cb09672e..63340d47b4 100644
--- a/detections/endpoint/detect_regsvcs_with_network_connection.yml
+++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml
@@ -1,7 +1,7 @@
name: Detect Regsvcs with Network Connection
id: e3e7a1c0-f2b9-445c-8493-f30a63522d1a
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ contacting a remote destination was identified on endpoint $dest$ by user $user$. This behavior is not normal for $process_name$.
risk_objects:
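Review bot: As elsewhere in this commit, `latest_offset: 0` should be `latest_offset: '0'` so both offset fields stay strings under a strict schema. Confirm that `7d` is a valid value for the drilldown offset field now that the in-search `starthoursago=168` bound is gone.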
diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
index 4c68181e96..8e184a5426 100644
--- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Detect Regsvcs with No Command Line Arguments
id: 6b74d578-a02e-4e94-a0d1-39440d0bf254
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.
risk_objects:
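Review bot: `latest_offset: 0` is an unquoted int next to the string `earliest_offset: 7d`; quote it (`latest_offset: '0'`) for a consistent scalar type with the `$info_max_time$` it replaces. Verify the offset field accepts the `7d` relative-time form, since `starthoursago=168` no longer bounds the search.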
diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
index 012ba4c01a..b85d5a7586 100644
--- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml
+++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
@@ -1,7 +1,7 @@
name: Detect Regsvr32 Application Control Bypass
id: 070e9b80-6252-11eb-ae93-0242ac130002
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.
risk_objects:
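Review bot: Same scalar-type mismatch as the sibling hunks: `latest_offset: 0` is an integer, `earliest_offset: 7d` a string; write `latest_offset: '0'`. The dropped `starthoursago=168` was the only explicit 7-day bound in the SPL, so confirm the offset field interprets `7d` as intended.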
diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml
index 5db24d76b4..ac0b6be0d2 100644
--- a/detections/endpoint/detect_remote_access_software_usage_file.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_file.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage File
id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -55,9 +55,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate files on $dest$
search: '| from datamodel:Endpoint.Filesystem | search dest=$dest$ file_name=$file_name$'
earliest_offset: $info_min_time$
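Review bot: `latest_offset: 0` is an unquoted YAML integer while `earliest_offset: 7d` and the neighbouring drilldown's `earliest_offset: $info_min_time$` are strings; quote it as `latest_offset: '0'` so every offset in this file shares a type. Confirm too that the offset field accepts `7d` now that `starthoursago=168` has been removed from the search.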
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
index c4eee92185..4a092af85a 100644
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage FileInfo
id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate processes on $dest$
search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$'
earliest_offset: $info_min_time$
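Review bot: As in the other hunks, `latest_offset: 0` should be `latest_offset: '0'` to keep the offset fields string-typed alongside `earliest_offset: 7d` and the unchanged `$info_min_time$` below. Verify the offset field's handling of `7d`, since the explicit `starthoursago=168` bound is gone from the SPL.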
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index aa1f49b034..2dcf54ac4c 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage Process
id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Steven Dick, Sebastian Wurl, Splunk Community
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate processes on $dest$
search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$'
earliest_offset: $info_min_time$
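Review bot: `latest_offset: 0` is a bare integer while the other offsets in this file (`7d`, `$info_min_time$`) are strings; quote it as `latest_offset: '0'`. Confirm the drilldown offset field accepts a relative-time token like `7d` now that `starthoursago=168` no longer bounds the search.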
diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
index 3eb393b408..37d35c16e7 100644
--- a/detections/endpoint/detect_remote_access_software_usage_registry.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage Registry
id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate registry changes on $dest$
search: '| from datamodel:Endpoint.Registry| search dest=$dest$ registry_path=$registry_path$'
earliest_offset: $info_min_time$
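Review bot: Same type inconsistency as the rest of the commit: `latest_offset: 0` is an int, `earliest_offset: 7d` a string; write `latest_offset: '0'`. With `starthoursago=168` removed, the 7-day window depends solely on the offset field interpreting `7d` correctly — verify that.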
diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml
index 5cd64a7305..d881538e44 100644
--- a/detections/endpoint/detect_rtlo_in_file_name.yml
+++ b/detections/endpoint/detect_rtlo_in_file_name.yml
@@ -1,7 +1,7 @@
name: Detect RTLO In File Name
id: 468b7e11-d362-43b8-b6ec-7a2d3b246678
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -56,9 +56,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious RTLO detected in $file_name$ on endpoint $dest$ by user $user$.
risk_objects:
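Review bot: `latest_offset: 0` is an unquoted integer replacing the string `$info_max_time$`; quote it as `latest_offset: '0'` for a consistent type with `earliest_offset: 7d`. Confirm the offset field accepts the `7d` form, since the explicit `starthoursago=168` bound has been dropped from the search.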
diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml
index 8e69c93713..163a6f0e94 100644
--- a/detections/endpoint/detect_rtlo_in_process.yml
+++ b/detections/endpoint/detect_rtlo_in_process.yml
@@ -1,7 +1,7 @@
name: Detect RTLO In Process
id: 22ac27b4-7189-4a4f-9375-b9017c9620d7
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious RTLO detected in $process_name$ on endpoint $dest$ by user $user$.
risk_objects:
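Review bot: As elsewhere, `latest_offset: 0` should be `latest_offset: '0'` so both offset fields stay strings under a strict schema. Verify that `7d` is accepted by the drilldown offset field now that `starthoursago=168` is gone from the SPL.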
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
index 2321f75524..a2a740dbf4 100644
--- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml
+++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
@@ -1,7 +1,7 @@
name: Detect Rundll32 Inline HTA Execution
id: 91c79f14-5b41-11eb-ae93-0242ac130002
-version: 12
-date: '2026-03-26'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious rundll32.exe inline HTA execution on $dest$
risk_objects:
diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
index 609a1cac54..6ef74955d1 100644
--- a/detections/endpoint/detect_sharphound_command_line_arguments.yml
+++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Detect SharpHound Command-Line Arguments
id: a0bdd2f6-c2ff-11eb-b918-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible SharpHound command-Line arguments identified on $dest$
risk_objects:
diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml
index c204764452..7d19739925 100644
--- a/detections/endpoint/detect_sharphound_file_modifications.yml
+++ b/detections/endpoint/detect_sharphound_file_modifications.yml
@@ -1,7 +1,7 @@
name: Detect SharpHound File Modifications
id: 42b4b438-beed-11eb-ba1d-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential SharpHound file modifications identified on $dest$
risk_objects:
diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml
index 950df9676b..94eb6ec884 100644
--- a/detections/endpoint/detect_sharphound_usage.yml
+++ b/detections/endpoint/detect_sharphound_usage.yml
@@ -1,7 +1,7 @@
name: Detect SharpHound Usage
id: dd04b29a-beed-11eb-87bc-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential SharpHound binary identified on $dest$
risk_objects:
diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
index 6458d516d3..e6d439401f 100644
--- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
+++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
@@ -1,7 +1,7 @@
name: Detect Use of cmd exe to Launch Script Interpreters
id: b89919ed-fe5f-492c-b139-95dbb162039e
-version: 14
-date: '2026-03-24'
+version: 15
+date: '2026-03-31'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -61,9 +61,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: cmd.exe launched a script interpreter [$process_name$] with CommandLine [$process$] on [$dest$]
risk_objects:
diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
index 5500bba89d..679ddd3311 100644
--- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml
+++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
@@ -1,7 +1,7 @@
name: Detect WMI Event Subscription Persistence
id: 01d9a0c2-cece-11eb-ab46-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible malicious WMI Subscription created on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml
index ef3c5e1f6f..4ed3571157 100644
--- a/detections/endpoint/disable_amsi_through_registry.yml
+++ b/detections/endpoint/disable_amsi_through_registry.yml
@@ -1,7 +1,7 @@
name: Disable AMSI Through Registry
id: 9c27ec42-d338-11eb-9044-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disable AMSI Through Registry on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index 4d6fb1a173..e8b94c3d7e 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -1,7 +1,7 @@
name: Disable Defender AntiVirus Registry
id: aa4f695a-3024-11ec-9987-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 19cfe5d857..c1877674d1 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -1,7 +1,7 @@
name: Disable Defender BlockAtFirstSeen Feature
id: 2dd719ac-3021-11ec-97b4-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
index a136c638e6..e1f79070c3 100644
--- a/detections/endpoint/disable_defender_enhanced_notification.yml
+++ b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -1,7 +1,7 @@
name: Disable Defender Enhanced Notification
id: dc65678c-301f-11ec-8e30-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml
index 6e4d302639..88c96b2828 100644
--- a/detections/endpoint/disable_defender_mpengine_registry.yml
+++ b/detections/endpoint/disable_defender_mpengine_registry.yml
@@ -1,7 +1,7 @@
name: Disable Defender MpEngine Registry
id: cc391750-3024-11ec-955a-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml
index 9b9ae01acf..3712049d41 100644
--- a/detections/endpoint/disable_defender_spynet_reporting.yml
+++ b/detections/endpoint/disable_defender_spynet_reporting.yml
@@ -1,7 +1,7 @@
name: Disable Defender Spynet Reporting
id: 898debf4-3021-11ec-ba7c-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index b63e855e1e..322b4178db 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -1,7 +1,7 @@
name: Disable Defender Submit Samples Consent Feature
id: 73922ff8-3022-11ec-bf5e-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
index 5e7ff796aa..cb31cc943b 100644
--- a/detections/endpoint/disable_etw_through_registry.yml
+++ b/detections/endpoint/disable_etw_through_registry.yml
@@ -1,7 +1,7 @@
name: Disable ETW Through Registry
id: f0eacfa4-d33f-11eb-8f9d-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disable ETW Through Registry on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index 262ff0d339..50cc424dfc 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -1,7 +1,7 @@
name: Disable Logs Using WevtUtil
id: 236e7c8e-c9d9-11eb-a824-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: WevtUtil.exe used to disable Event Logging on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml
index c1fd018d3f..ca455c0a0d 100644
--- a/detections/endpoint/disable_registry_tool.yml
+++ b/detections/endpoint/disable_registry_tool.yml
@@ -1,7 +1,7 @@
name: Disable Registry Tool
id: cd2cf33c-9201-11eb-a10a-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disabled Registry Tools on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml
index 3940006bee..a9ca318f9c 100644
--- a/detections/endpoint/disable_schedule_task.yml
+++ b/detections/endpoint/disable_schedule_task.yml
@@ -1,7 +1,7 @@
name: Disable Schedule Task
id: db596056-3019-11ec-a9ff-acde48001122
-version: 10
-date: '2026-03-26'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: schtask process with commandline $process$ to disable schedule task in $dest$
risk_objects:
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml
index 2e77b81731..fd876a0ae0 100644
--- a/detections/endpoint/disable_security_logs_using_minint_registry.yml
+++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml
@@ -1,7 +1,7 @@
name: Disable Security Logs Using MiniNt Registry
id: 39ebdc68-25b9-11ec-aec7-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index 02d65f29fd..d4b89bbe5b 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -1,7 +1,7 @@
name: Disable Show Hidden Files
id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disabled 'Show Hidden Files' on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml
index 88329f29bb..8b6fef6106 100644
--- a/detections/endpoint/disable_uac_remote_restriction.yml
+++ b/detections/endpoint/disable_uac_remote_restriction.yml
@@ -1,7 +1,7 @@
name: Disable UAC Remote Restriction
id: 9928b732-210e-11ec-b65e-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml
index b0ce6ab08b..fa2c1919e2 100644
--- a/detections/endpoint/disable_windows_app_hotkeys.yml
+++ b/detections/endpoint/disable_windows_app_hotkeys.yml
@@ -1,7 +1,7 @@
name: Disable Windows App Hotkeys
id: 1490f224-ad8b-11eb-8c4f-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disabled 'Windows App Hotkeys' on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 81425cdefd..9d3226f149 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -1,7 +1,7 @@
name: Disable Windows Behavior Monitoring
id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 20
-date: '2026-03-10'
+version: 21
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender real time behavior monitoring disabled on $dest$
risk_objects:
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml
index b688d12e76..5c4f7273bc 100644
--- a/detections/endpoint/disable_windows_smartscreen_protection.yml
+++ b/detections/endpoint/disable_windows_smartscreen_protection.yml
@@ -1,7 +1,7 @@
name: Disable Windows SmartScreen Protection
id: 664f0fd0-91ff-11eb-a56f-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows Smartscreen was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
index 5070df1537..38993a04cd 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
@@ -1,7 +1,7 @@
name: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
id: 114c6bfe-9406-11ec-bcce-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$
risk_objects:
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
index e1a4698620..efcd46f566 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
@@ -1,7 +1,7 @@
name: Disabled Kerberos Pre-Authentication Discovery With PowerView
id: b0b34e2c-90de-11ec-baeb-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Disabled Kerberos Pre-Authentication Discovery With PowerView from $dest$
risk_objects:
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml
index 2bb829d2f3..ba822c01cc 100644
--- a/detections/endpoint/disabling_cmd_application.yml
+++ b/detections/endpoint/disabling_cmd_application.yml
@@ -1,7 +1,7 @@
name: Disabling CMD Application
id: ff86077c-9212-11eb-a1e6-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows command prompt was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml
index e1cd76b5b7..c2100e69f2 100644
--- a/detections/endpoint/disabling_controlpanel.yml
+++ b/detections/endpoint/disabling_controlpanel.yml
@@ -1,7 +1,7 @@
name: Disabling ControlPanel
id: 6ae0148e-9215-11eb-a94a-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows Control Panel was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml
index 4d909cb4ba..6166803898 100644
--- a/detections/endpoint/disabling_defender_services.yml
+++ b/detections/endpoint/disabling_defender_services.yml
@@ -1,7 +1,7 @@
name: Disabling Defender Services
id: 911eacdc-317f-11ec-ad30-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml
index 7cb46bc891..8a933be069 100644
--- a/detections/endpoint/disabling_firewall_with_netsh.yml
+++ b/detections/endpoint/disabling_firewall_with_netsh.yml
@@ -1,7 +1,7 @@
name: Disabling Firewall with Netsh
id: 6860a62c-9203-11eb-9e05-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows Firewall was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml
index e5fbbba387..d51f475051 100644
--- a/detections/endpoint/disabling_folderoptions_windows_feature.yml
+++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml
@@ -1,7 +1,7 @@
name: Disabling FolderOptions Windows Feature
id: 83776de4-921a-11eb-868a-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows Folder Options, to hide files, was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml
index 76914e5b0f..e197943441 100644
--- a/detections/endpoint/disabling_norun_windows_app.yml
+++ b/detections/endpoint/disabling_norun_windows_app.yml
@@ -1,7 +1,7 @@
name: Disabling NoRun Windows App
id: de81bc46-9213-11eb-adc9-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows registry was modified to disable run application in window start menu on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml
index 7d4e75b158..74de9c8143 100644
--- a/detections/endpoint/disabling_remote_user_account_control.yml
+++ b/detections/endpoint/disabling_remote_user_account_control.yml
@@ -1,7 +1,7 @@
name: Disabling Remote User Account Control
id: bbc644bc-37df-4e1a-9c88-ec9a53e2038c
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: David Dorsey, Patrick Bareiss, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows registry keys that control the enforcement of Windows User Account Control (UAC) were modified on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml
index 0c96083b96..bf40dbee62 100644
--- a/detections/endpoint/disabling_systemrestore_in_registry.yml
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml
@@ -1,7 +1,7 @@
name: Disabling SystemRestore In Registry
id: f4f837e2-91fb-11eb-8bf6-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows registry was modified to disable system restore on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml
index 2b81c5603c..ce97d519aa 100644
--- a/detections/endpoint/disabling_task_manager.yml
+++ b/detections/endpoint/disabling_task_manager.yml
@@ -1,7 +1,7 @@
name: Disabling Task Manager
id: dac279bc-9202-11eb-b7fb-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows Task Manager was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
index 10e97e0720..867ab5763b 100644
--- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
+++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
@@ -1,7 +1,7 @@
name: Disabling Windows Local Security Authority Defences via Registry
id: 45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton,Teoderick Contreras Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to disable Windows LSA defences was detected on $dest$. The reg key $registry_path$ was deleted by $user$.
risk_objects:
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
index d0db6d7da3..4b19ff7c6e 100644
--- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -1,7 +1,7 @@
name: DLLHost with no Command Line Arguments with Network
id: f1c07594-a141-11eb-8407-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Steven Dick, Michael Haag, Splunk
status: production
type: TTP
@@ -79,9 +79,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $src$ by $user$.
risk_objects:
diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
index 3fa39f0866..ee07ba3616 100644
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
+++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
@@ -1,7 +1,7 @@
name: DNS Exfiltration Using Nslookup App
id: 2452e632-9e0d-11eb-bacd-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Wouter Jansen
status: production
type: TTP
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing activity related to DNS exfiltration.
risk_objects:
diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml
index 36db4d612b..0caba27440 100644
--- a/detections/endpoint/domain_account_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
name: Domain Account Discovery with Dsquery
id: b1a8ce04-04c2-11ec-bea7-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml
index 85c0e76964..eba13ffc24 100644
--- a/detections/endpoint/domain_account_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_account_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
name: Domain Account Discovery with Wmic
id: 383572e0-04c5-11ec-bdcc-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: an instance of process $process_name$ with commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml
index e76a37c59a..ab00fd4002 100644
--- a/detections/endpoint/domain_controller_discovery_with_nltest.yml
+++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml
@@ -1,7 +1,7 @@
name: Domain Controller Discovery with Nltest
id: 41243735-89a7-4c83-bcdd-570aa78f00a1
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain controller discovery on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
index e65ca4c246..83ad99b89e 100644
--- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
@@ -1,7 +1,7 @@
name: Domain Group Discovery with Adsisearcher
id: 089c862f-5f83-49b5-b1c8-7e4ff66560c7
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain group discovery enumeration using PowerShell on $dest$ by $user_id$
risk_objects:
diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml
index 01cf1be4db..fc007e8728 100644
--- a/detections/endpoint/domain_group_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
name: Domain Group Discovery With Dsquery
id: f0c9d62f-a232-4edd-b17e-bc409fb133d4
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml
index c7f155b05a..52c6678071 100644
--- a/detections/endpoint/download_files_using_telegram.yml
+++ b/detections/endpoint/download_files_using_telegram.yml
@@ -1,7 +1,7 @@
name: Download Files Using Telegram
id: 58194e28-ae5e-11eb-8912-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious files were downloaded with the Telegram application on $dest$
risk_objects:
diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml
index 489b29525c..4ce6ab2c88 100644
--- a/detections/endpoint/dsquery_domain_discovery.yml
+++ b/detections/endpoint/dsquery_domain_discovery.yml
@@ -1,7 +1,7 @@
name: DSQuery Domain Discovery
id: cc316032-924a-11eb-91a2-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified performing domain discovery on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
index 8014537e26..4aa9ae59ab 100644
--- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
+++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
@@ -1,7 +1,7 @@
name: Dump LSASS via comsvcs DLL
id: 8943b567-f14d-4ee8-a0bb-2121d4ce3184
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified accessing credentials using comsvcs.dll on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml
index a247c83978..3e3b6c9f14 100644
--- a/detections/endpoint/dump_lsass_via_procdump.yml
+++ b/detections/endpoint/dump_lsass_via_procdump.yml
@@ -1,7 +1,7 @@
name: Dump LSASS via procdump
id: 3742ebfe-64c2-11eb-ae93-0242ac130002
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -70,9 +70,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to dump lsass.exe via the command $process$ on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml
index 332c3769d6..661e2d6988 100644
--- a/detections/endpoint/elevated_group_discovery_with_wmic.yml
+++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
name: Elevated Group Discovery With Wmic
id: 3f6bbf22-093e-4cb4-9641-83f47b8444b6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Elevated domain group discovery enumeration on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml
index 8a69428a52..a8ad37da47 100644
--- a/detections/endpoint/enable_rdp_in_other_port_number.yml
+++ b/detections/endpoint/enable_rdp_in_other_port_number.yml
@@ -1,7 +1,7 @@
name: Enable RDP In Other Port Number
id: 99495452-b899-11eb-96dc-acde48001122
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: RDP was moved to a non-standard port on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
index a312a37820..21edcd80c6 100644
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
+++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
@@ -1,7 +1,7 @@
name: Enable WDigest UseLogonCredential Registry
id: 0c7d8ffe-25b1-11ec-9f39-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wdigest registry $registry_path$ was modified on $dest$
risk_objects:
diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
index 21141918f5..e83064857c 100644
--- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml
+++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
@@ -1,7 +1,7 @@
name: Enumerate Users Local Group Using Telegram
id: fcd74532-ae54-11eb-a5ab-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Telegram application has been identified enumerating local groups on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index 0b312a3d27..8656991de9 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -1,7 +1,7 @@
name: ETW Registry Disabled
id: 8ed523ac-276b-11ec-ac39-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml
index c69dc04552..839e65786a 100644
--- a/detections/endpoint/eventvwr_uac_bypass.yml
+++ b/detections/endpoint/eventvwr_uac_bypass.yml
@@ -1,7 +1,7 @@
name: Eventvwr UAC Bypass
id: 9cf8fe08-7ad8-11eb-9819-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick, Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry values were modified to bypass UAC using Event Viewer on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml
index 696ce60c34..c44b17db02 100644
--- a/detections/endpoint/excessive_attempt_to_disable_services.yml
+++ b/detections/endpoint/excessive_attempt_to_disable_services.yml
@@ -1,7 +1,7 @@
name: Excessive Attempt To Disable Services
id: 8fa2a0f0-acd9-11eb-8994-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.
risk_objects:
diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
index 7400e5c607..130bcc9cc3 100644
--- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
+++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
@@ -1,7 +1,7 @@
name: Excessive distinct processes from Windows Temp
id: 23587b6a-c479-11eb-b671-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Hart, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple processes were executed out of windows\temp within a short amount of time on $dest$.
risk_objects:
diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
index 743c02382d..160f703df5 100644
--- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
+++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
@@ -1,7 +1,7 @@
name: Excessive File Deletion In WinDefender Folder
id: b5baa09a-7a05-11ec-8da4-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive file deletion events were detected in the Windows Defender folder on $dest$ by $user$. Investigate further to determine if this activity is malicious.
risk_objects:
diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
index a255b49591..1571f2d609 100644
--- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
+++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
@@ -1,7 +1,7 @@
name: Excessive number of service control start as disabled
id: 77592bec-d5cc-11eb-9e60-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Hart, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.
risk_objects:
diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml
index ecee354fea..d3ed728a09 100644
--- a/detections/endpoint/excessive_number_of_taskhost_processes.yml
+++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml
@@ -1,7 +1,7 @@
name: Excessive number of taskhost processes
id: f443dac2-c7cf-11eb-ab51-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Hart
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An excessive amount of taskhost.exe and taskhostex.exe was executed on $dest$ indicative of suspicious behavior.
risk_objects:
diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml
index edcc2c9199..b31ee9c1d8 100644
--- a/detections/endpoint/excessive_usage_of_cacls_app.yml
+++ b/detections/endpoint/excessive_usage_of_cacls_app.yml
@@ -1,7 +1,7 @@
name: Excessive Usage Of Cacls App
id: 0bdf6092-af17-11eb-939a-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -68,9 +68,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An excessive amount of $process_name$ was executed on $dest$ attempting to modify permissions.
risk_objects:
diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml
index 7dfed7b977..c3be7efc8e 100644
--- a/detections/endpoint/excessive_usage_of_nslookup_app.yml
+++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml
@@ -1,7 +1,7 @@
name: Excessive Usage of NSLOOKUP App
id: 0a69fdaa-a2b8-11eb-b16d-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Stanislav Miskovic, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive usage of nslookup.exe has been detected on $dest$. This detection is triggered as as it violates the dynamic threshold
risk_objects:
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
index ff2df61ec3..ceed98a79d 100644
--- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml
+++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
@@ -1,7 +1,7 @@
name: Excessive Usage Of SC Service Utility
id: cb6b339e-d4c6-11eb-a026-acde48001122
-version: 9
-date: '2026-03-12'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive Usage Of SC Service Utility on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml
index 29d3e30aca..b37c4bfa03 100644
--- a/detections/endpoint/excessive_usage_of_taskkill.yml
+++ b/detections/endpoint/excessive_usage_of_taskkill.yml
@@ -1,7 +1,7 @@
name: Excessive Usage Of Taskkill
id: fe5bca48-accb-11eb-a67c-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive usage of taskkill.exe with process id $process_id$ (more than 10 within 1m) has been detected on $dest$ with a parent process of $parent_process_name$.
risk_objects:
diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml
index 741aa9779d..c2dee3386d 100644
--- a/detections/endpoint/exchange_powershell_module_usage.yml
+++ b/detections/endpoint/exchange_powershell_module_usage.yml
@@ -1,7 +1,7 @@
name: Exchange PowerShell Module Usage
id: 2d10095e-05ae-11ec-8fdf-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious Exchange PowerShell module usaged was identified on $dest$.
risk_objects:
diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
index b0901048af..b5382880a9 100644
--- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
+++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
@@ -1,7 +1,7 @@
name: Executable File Written in Administrative SMB Share
id: f63c34fe-a435-11eb-935a-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ dropped or created an executable file in known sensitive SMB share. Share name=$ShareName$, Target name=$RelativeTargetName$, and Access mask=$AccessMask$
risk_objects:
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 18a8b7ccb1..3a4a079869 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
name: Executables Or Script Creation In Suspicious Path
id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 25
-date: '2026-03-16'
+version: 26
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -76,9 +76,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious executable or scripts with file name $file_name$, $file_path$ and process_id $process_id$ executed in suspicious file path in Windows by $user$
risk_objects:
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
index c371484ab2..27fea89a60 100644
--- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -1,7 +1,7 @@
name: Executables Or Script Creation In Temp Path
id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 21
-date: '2026-03-16'
+version: 22
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -66,9 +66,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Executable or script with file name $file_name$ located $file_path$ and process_id $process_id$ was created in temporary folder by $user$
risk_objects:
diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
index 172b406ebd..0b1798a684 100644
--- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
+++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
@@ -1,7 +1,7 @@
name: Execute Javascript With Jscript COM CLSID
id: dc64d064-d346-11eb-8588-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process of cscript.exe with a parent process $parent_process_name$ where it tries to execute javascript using jscript.encode CLSID (COM OBJ), detected on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
index 766d32234b..10e4ec39c5 100644
--- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml
+++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
@@ -1,7 +1,7 @@
name: Execution of File with Multiple Extensions
id: b06a555e-dce0-417d-a2eb-28a5d8d66ef7
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Rico Valdez, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process$ have double extensions in the file name is executed on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/file_download_or_read_to_pipe_execution.yml b/detections/endpoint/file_download_or_read_to_pipe_execution.yml
index b017f6f905..03e9d9cfc9 100644
--- a/detections/endpoint/file_download_or_read_to_pipe_execution.yml
+++ b/detections/endpoint/file_download_or_read_to_pipe_execution.yml
@@ -1,7 +1,7 @@
name: File Download or Read to Pipe Execution
id: 26f86252-1549-45e1-a212-eb26840e86bc
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Nasreddine Bencherchali, Splunk, DipsyTipsy
status: production
type: TTP
@@ -98,9 +98,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ attempting to immediately read or download a file and run it via a shell.
risk_objects:
diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml
index d62cc24296..0755352c33 100644
--- a/detections/endpoint/file_with_samsam_extension.yml
+++ b/detections/endpoint/file_with_samsam_extension.yml
@@ -1,7 +1,7 @@
name: File with Samsam Extension
id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: TTP
@@ -50,9 +50,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The $file_name$ with extensions consistent with a SamSam ransomware attack seen on $dest$
risk_objects:
diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml
index d6a45c1871..407d2ddacf 100644
--- a/detections/endpoint/firewall_allowed_program_enable.yml
+++ b/detections/endpoint/firewall_allowed_program_enable.yml
@@ -1,7 +1,7 @@
name: Firewall Allowed Program Enable
id: 9a8f63a8-43ac-11ec-904c-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: firewall allowed program commandline $process$ of $process_name$ on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml
index 00cda0bb2f..d05e6e80b2 100644
--- a/detections/endpoint/fodhelper_uac_bypass.yml
+++ b/detections/endpoint/fodhelper_uac_bypass.yml
@@ -1,7 +1,7 @@
name: FodHelper UAC Bypass
id: 909f8fd8-7ac8-11eb-a1f3-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious registry keys added by process fodhelper.exe with a parent_process of $parent_process_name$ that has been executed on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml
index f88d595464..9cb465803e 100644
--- a/detections/endpoint/fsutil_zeroing_file.yml
+++ b/detections/endpoint/fsutil_zeroing_file.yml
@@ -1,7 +1,7 @@
name: Fsutil Zeroing File
id: 4e5e024e-fabb-11eb-8b8f-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible file data deletion on $dest$ using $process$
risk_objects:
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
index f47ecd0e97..35888f3807 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
@@ -1,7 +1,7 @@
name: Get ADUserResultantPasswordPolicy with Powershell
id: 8b5ef342-065a-11ec-b0fc-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: an instance of process $process_name$ with commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
index 128f7b344f..1a74826f57 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Get ADUserResultantPasswordPolicy with Powershell Script Block
id: 737e1eb0-065a-11ec-921a-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: powershell process having commandline to query domain user password policy detected on host - $dest$.
risk_objects:
diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml
index 98adccb6cc..1e687f4c1e 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell.yml
@@ -1,7 +1,7 @@
name: Get DomainPolicy with Powershell
id: b8f9947e-065a-11ec-aafb-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: an instance of process $process_name$ with commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
index 83f9192f44..bb69b3aa8e 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Get DomainPolicy with Powershell Script Block
id: a360d2b2-065a-11ec-b0bf-acde48001122
-version: 9
-date: '2026-03-12'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell process indicative of querying domain policy, spawned by $user_id$ on $dest$
risk_objects:
diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml
index 919e09823a..d17b84776d 100644
--- a/detections/endpoint/get_domaintrust_with_powershell.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell.yml
@@ -1,7 +1,7 @@
name: Get-DomainTrust with PowerShell
id: 4fa7f846-054a-11ec-a836-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
index c8e31f4247..5e11dbf204 100644
--- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Get-DomainTrust with PowerShell Script Block
id: 89275e7e-0548-11ec-bf75-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml
index 44811f0604..40e80cc1ff 100644
--- a/detections/endpoint/get_domainuser_with_powershell.yml
+++ b/detections/endpoint/get_domainuser_with_powershell.yml
@@ -1,7 +1,7 @@
name: Get DomainUser with PowerShell
id: 9a5a41d6-04e7-11ec-923c-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: an instance of process $process_name$ with commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml
index 35d6447a83..bce0f468ee 100644
--- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Get DomainUser with PowerShell Script Block
id: 61994268-04f4-11ec-865c-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell process having commandline "*Get-DomainUser*" for user enumeration on $dest$
risk_objects:
diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml
index 9fea984b31..9f2bf50cac 100644
--- a/detections/endpoint/get_foresttrust_with_powershell.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell.yml
@@ -1,7 +1,7 @@
name: Get-ForestTrust with PowerShell
id: 584f4884-0bf1-11ec-a5ec-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
index 212634505a..f428f0aade 100644
--- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Get-ForestTrust with PowerShell Script Block
id: 70fac80e-0bf1-11ec-9ba0-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml
index dc232cf56e..96cc7a8806 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell.yml
@@ -1,7 +1,7 @@
name: GetDomainComputer with PowerShell
id: ed550c19-712e-43f6-bd19-6f58f61b3a5e
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery enumeration on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
index b822f7ec4d..11877484c9 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: GetDomainComputer with PowerShell Script Block
id: f64da023-b988-4775-8d57-38e512beb56e
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery with PowerView on $dest$ by $user_id$
risk_objects:
diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
index 5c0f21ab54..541aafd277 100644
--- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: GetDomainController with PowerShell Script Block
id: 676b600a-a94d-4951-b346-11329431e6c1
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery with PowerView on $dest$ by $user_id$
risk_objects:
diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml
index 63f8950540..d9d06a91a8 100644
--- a/detections/endpoint/getdomaingroup_with_powershell.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell.yml
@@ -1,7 +1,7 @@
name: GetDomainGroup with PowerShell
id: 93c94be3-bead-4a60-860f-77ca3fe59903
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain group discovery with PowerView on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
index 155539cc21..c0c4d4f2ca 100644
--- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: GetDomainGroup with PowerShell Script Block
id: 09725404-a44f-4ed3-9efa-8ed5d69e4c53
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain group discovery enumeration using PowerView on $dest$ by $user_id$
risk_objects:
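Review bot: The drilldown on the new side keys on `$Computer$`, but the risk message below it names the host `$dest$` and the user `$user_id$`; if the detection's search (outside this hunk) does not emit a `Computer` field the token stays literal, `normalized_risk_object IN ("$Computer$")` returns nothing, and the "last 7 days" view is empty without any visible error. Because `Risk.All_Risk` is keyed by the risk objects, the drilldown should use the same tokens: `- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"` and `search normalized_risk_object IN ("$dest$", "$user_id$")`. The bare integer `latest_offset: 0` should also be quoted as `latest_offset: '0'` so the field keeps the same string type as `earliest_offset`.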
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
index 424ab2d982..f97dd2e00d 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Computer with PowerShell
id: 7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery enumeration using WMI on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
index 9527894c48..4f643b7d69 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Computer with PowerShell Script Block
id: 29b99201-723c-4118-847a-db2b3d3fb8ea
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery enumeration on $dest$ by $user_id$
risk_objects:
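Review bot: The new drilldown searches `normalized_risk_object IN ("$Computer$")` while the risk message immediately below refers to `$dest$` and `$user_id$`; unless the detection's search (outside this hunk) still outputs a `Computer` field, the token is never expanded and the 7-day risk view returns nothing for a real notable. Since risk events are indexed by the detection's risk objects, the drilldown should reference those fields: `- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"` with `search normalized_risk_object IN ("$dest$", "$user_id$")`. `latest_offset: 0` is also the only unquoted integer among string-typed offsets in the file; writing it as `latest_offset: '0'` avoids a type mismatch at load time.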
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
index 7b61eaaf12..61d2d206a1 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Group with PowerShell
id: df275a44-4527-443b-b884-7600e066e3eb
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain group discovery enumeration on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
index fd2b8fa17b..6810843d47 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: GetWmiObject Ds Group with PowerShell Script Block
id: 67740bd3-1506-469c-b91d-effc322cc6e5
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain group discovery enumeration using PowerShell on $dest$ by $user_id$
risk_objects:
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
index f95b9a70ab..78ee2a7dcc 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
@@ -1,7 +1,7 @@
name: GetWmiObject DS User with PowerShell
id: 22d3b118-04df-11ec-8fa3-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: an instance of process $process_name$ with commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
index 6eeec1ef2a..6ff6475209 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: GetWmiObject DS User with PowerShell Script Block
id: fabd364e-04f3-11ec-b34b-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: powershell process having commandline for user enumeration detected on host - $dest$
risk_objects:
diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
index 09ed2ef372..5537c91509 100644
--- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
@@ -1,7 +1,7 @@
name: GPUpdate with no Command Line Arguments with Network
id: 2c853856-a140-11eb-a5b5-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection on port $dest_port$. This behaviour is seen with cobaltstrike.
risk_objects:
diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
index 2d8126f5fd..51a3fab354 100644
--- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
+++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
@@ -1,7 +1,7 @@
name: Headless Browser Mockbin or Mocky Request
id: 94fc85a1-e55b-4265-95e1-4b66730e05c0
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml
index 4235087378..000e15de79 100644
--- a/detections/endpoint/headless_browser_usage.yml
+++ b/detections/endpoint/headless_browser_usage.yml
@@ -1,7 +1,7 @@
name: Headless Browser Usage
id: 869ba261-c272-47d7-affe-5c0aa85c93d6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Chromium-based browser process $process_name$ was launched by $parent_process_name$ on $dest$ by user $user$ with the command-line $process$.
risk_objects:
diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
index e628ea155b..7d2a22c006 100644
--- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml
+++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
@@ -1,7 +1,7 @@
name: Hide User Account From Sign-In Screen
id: 834ba832-ad89-11eb-937d-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious registry modification ($registry_value_name$) which is used go hide a user account on the Windows Login screen detected on $dest$ executed by $user$
risk_objects:
diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
index 550f6317c1..7c74a3a3c6 100644
--- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
+++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
@@ -1,7 +1,7 @@
name: Hiding Files And Directories With Attrib exe
id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Attrib.exe with +h flag to hide files on $dest$ executed by $user$ is detected.
risk_objects:
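Review bot: `latest_offset: 0` on the new side is an unquoted YAML integer while every other offset in these drilldowns (`$info_min_time$`, `7d`) is a string, so a consumer that validates the field as a string may reject it; `latest_offset: '0'` keeps the type uniform and matches the file's quoted-scalar style (`date: '2026-03-31'`). The `7d` value also carries no sign: if the consumer passes these through as Splunk relative-time modifiers, an unsigned `7d` may not mean "seven days ago" the way the replaced `starthoursago=168` did, so the rendered drilldown should be checked, or the value written as `-7d` if that is the intended form. The same replacement appears in every following file section in this range (high_frequency_copy_of_files_in_network_share.yml through kerberos_user_enumeration.yml), so whichever form is settled on should be applied to all of them. The rewritten `search:` line still splices `$dest$`/`$user$` unescaped inside a double-quoted SPL `IN(...)` list, which predates this change but will break the drilldown for any value containing a double quote.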
diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
index 278badd71e..4edb7838a4 100644
--- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
+++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
@@ -1,7 +1,7 @@
name: High Frequency Copy Of Files In Network Share
id: 40925f12-4709-11ec-bb43-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: High frequency copy of document into a network share from $src_ip$ by $src_user$
risk_objects:
diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml
index 439d9002f5..f6cac258ef 100644
--- a/detections/endpoint/high_process_termination_frequency.yml
+++ b/detections/endpoint/high_process_termination_frequency.yml
@@ -1,7 +1,7 @@
name: High Process Termination Frequency
id: 17cd75b2-8666-11eb-9ab4-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: High frequency process termination (more than 15 processes within 3s) detected on host $dest$
risk_objects:
diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml
index e4dfbdd883..2cb3e1b8fc 100644
--- a/detections/endpoint/icacls_deny_command.yml
+++ b/detections/endpoint/icacls_deny_command.yml
@@ -1,7 +1,7 @@
name: Icacls Deny Command
id: cf8d753e-a8fe-11eb-8f58-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ with deny argument executed by $user$ to change security permission of a specific file or directory on host $dest$
risk_objects:
diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml
index ebad27a53a..f54df684c9 100644
--- a/detections/endpoint/icacls_grant_command.yml
+++ b/detections/endpoint/icacls_grant_command.yml
@@ -1,7 +1,7 @@
name: ICACLS Grant Command
id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ with grant argument executed by $user$ to change security permission of a specific file or directory on host $dest$
risk_objects:
diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
index b6bd76783b..ce148cae5e 100644
--- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
@@ -1,7 +1,7 @@
name: Impacket Lateral Movement Commandline Parameters
id: 8ce07472-496f-11ec-ab3b-3e22fbd008af
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious command line parameters on $dest$ may represent a lateral movement attack with Impackets tools
risk_objects:
diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
index 479ed42be5..ad6c208e77 100644
--- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
@@ -1,7 +1,7 @@
name: Impacket Lateral Movement smbexec CommandLine Parameters
id: bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious command-line parameters on $dest$ may represent lateral movement using smbexec.
risk_objects:
diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
index 7f763a5650..b23242ac02 100644
--- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
@@ -1,7 +1,7 @@
name: Impacket Lateral Movement WMIExec Commandline Parameters
id: d6e464e4-5c6a-474e-82d2-aed616a3a492
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious command-line parameters on $dest$ may represent lateral movement using wmiexec.
risk_objects:
diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
index a90a277518..bc27de537d 100644
--- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
+++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
@@ -1,7 +1,7 @@
name: Interactive Session on Remote Endpoint with PowerShell
id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An interactive session was opened on a remote endpoint from $dest$
risk_objects:
diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml
index b865d5661e..854f097cc6 100644
--- a/detections/endpoint/java_writing_jsp_file.yml
+++ b/detections/endpoint/java_writing_jsp_file.yml
@@ -1,7 +1,7 @@
name: Java Writing JSP File
id: eb65619c-4f8d-4383-a975-d352765d344b
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.
risk_objects:
diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml
index 30bf3ae45c..ea43a41e66 100644
--- a/detections/endpoint/jscript_execution_using_cscript_app.yml
+++ b/detections/endpoint/jscript_execution_using_cscript_app.yml
@@ -1,7 +1,7 @@
name: Jscript Execution Using Cscript App
id: 002f1e24-146e-11ec-a470-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ with commandline $process$ to execute jscript on $dest$
risk_objects:
diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
index afda9441f5..94a484e44f 100644
--- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
+++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
@@ -1,7 +1,7 @@
name: Kerberoasting spn request with RC4 encryption
id: 5cc67381-44fa-4111-8a37-7a230943f027
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Dean Luxton, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ requested a service ticket for SPN $service_id$ with RC4 encryption
risk_objects:
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
index c92f66143f..36168d9765 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -1,7 +1,7 @@
name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kerberos Pre Authentication was Disabled for $user$
risk_objects:
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
index 53c1139230..82ffe6d678 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
@@ -1,7 +1,7 @@
name: Kerberos Pre-Authentication Flag Disabled with PowerShell
id: 59b51620-94c9-11ec-b3d5-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Kerberos Pre Authentication was Disabled using PowerShell on $dest$
risk_objects:
diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
index 7319d1650f..073f4c53fb 100644
--- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
@@ -1,7 +1,7 @@
name: Kerberos Service Ticket Request Using RC4 Encryption
id: 7d90f334-a482-11ec-908c-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Kerberos Service TTicket request with RC4 encryption was requested from $dest$
risk_objects:
diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
index 5d4d0ae8fc..173bd53bd9 100644
--- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
@@ -1,7 +1,7 @@
name: Kerberos TGT Request Using RC4 Encryption
id: 18916468-9c04-11ec-bdc6-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Kerberos TGT request with RC4 encryption was requested for $ServiceName$ from $src_ip$
risk_objects:
diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml
index d94a322680..9064660bae 100644
--- a/detections/endpoint/kerberos_user_enumeration.yml
+++ b/detections/endpoint/kerberos_user_enumeration.yml
@@ -1,7 +1,7 @@
name: Kerberos User Enumeration
id: d82d4af4-a0bd-11ec-9445-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Kerberos based user enumeration attack $src_ip$
risk_objects:
diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
index aeec68ba76..4e02f6669a 100644
--- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
+++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
@@ -1,7 +1,7 @@
name: Linux Account Manipulation Of SSH Config and Keys
id: 73a56508-1cf5-4df7-b8d9-5737fbdc27d2
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: SSH Config and keys are deleted on $dest$ by Process GUID - $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
index 551a38c5f3..01c05dc0cf 100644
--- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
+++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
@@ -1,7 +1,7 @@
name: Linux Add Files In Known Crontab Directories
id: 023f3452-5f27-11ec-bf00-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml
index dcf12f4fe9..17d885cd6f 100644
--- a/detections/endpoint/linux_apt_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux APT Privilege Escalation
id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml
index 274c4a9e4e..b97f4c7a88 100644
--- a/detections/endpoint/linux_at_allow_config_file_creation.yml
+++ b/detections/endpoint/linux_at_allow_config_file_creation.yml
@@ -1,7 +1,7 @@
name: Linux At Allow Config File Creation
id: 977b3082-5f3d-11ec-b954-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml
index 1d87c98349..49a7a022ff 100644
--- a/detections/endpoint/linux_at_application_execution.yml
+++ b/detections/endpoint/linux_at_application_execution.yml
@@ -1,7 +1,7 @@
name: Linux At Application Execution
id: bf0a378e-5f3c-11ec-a6de-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: At application was executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index 15b0918f08..fe1242a82b 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Add User Account
id: aae66dc0-74b4-4807-b480-b35f8027abb4
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to add a user account.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index 28f22f5ae3..07fe76e133 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Add User Account Type
id: f8c325ea-506e-4105-8ccf-da1492e90115
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: New [$type$] event on host - [$dest$] to add a user account type.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml b/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
index 56612d3075..31af6230e5 100644
--- a/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
+++ b/detections/endpoint/linux_auditd_ai_cli_permission_override_activated.yml
@@ -1,7 +1,7 @@
name: Linux Auditd AI CLI Permission Override Activated
id: 737e8baa-d44e-4fa9-8281-24056ed424c0
-version: 1
-date: '2026-03-12'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to bypass AI safety execution with permission override.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index 7417867863..cfbbdc00b3 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd At Application Execution
id: 9f306e0a-1c36-469e-8892-968ca12470dd
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "at" application.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml
index 75f51628e0..087ba17d16 100644
--- a/detections/endpoint/linux_auditd_auditd_daemon_abort.yml
+++ b/detections/endpoint/linux_auditd_auditd_daemon_abort.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Auditd Daemon Abort
id: 76d6573f-c4ab-4fa1-8390-c036416d4add
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Auditd service event - [$type$] event occurred on host - [$dest$].
risk_objects:
diff --git a/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml b/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml
index 9a1b55b063..eb43adc149 100644
--- a/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml
+++ b/detections/endpoint/linux_auditd_auditd_daemon_shutdown.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Auditd Daemon Shutdown
id: 6e2574b3-e24b-4321-ae3c-ba83a75bb714
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Auditd service event - [$type$] event occurred on host - [$dest$].
risk_objects:
diff --git a/detections/endpoint/linux_auditd_auditd_daemon_start.yml b/detections/endpoint/linux_auditd_auditd_daemon_start.yml
index 901cd94d54..b1e58fafcb 100644
--- a/detections/endpoint/linux_auditd_auditd_daemon_start.yml
+++ b/detections/endpoint/linux_auditd_auditd_daemon_start.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Auditd Daemon Start
id: 6b0cb0ff-9a7e-4475-a687-43827fdb31d6
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Auditd service event - [$type$] event occurred on host - [$dest$].
risk_objects:
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index c5fd48c0ad..e6eafc7a27 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Auditd Service Stop
id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service event - [$type$] event occurred on host - [$dest$].
risk_objects:
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index 59dd8f633d..824b773772 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Base64 Decode Files
id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to decode a file using base64.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
index 0b9d8d3d1b..63bf4aba1f 100644
--- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Change File Owner To Root
id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to change a file owner to root.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
index df2c41a0f0..eea17569ae 100644
--- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Clipboard Data Copy
id: 9ddfe470-c4d0-4e60-8668-7337bd699edd
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to copy data from the clipboard.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml
index 80f9b38ef2..d230349dd1 100644
--- a/detections/endpoint/linux_auditd_data_destruction_command.yml
+++ b/detections/endpoint/linux_auditd_data_destruction_command.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Data Destruction Command
id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to destroy data.
risk_objects:
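Review bot: The new `latest_offset: 0` is an unquoted YAML integer whereas `earliest_offset: 7d` is a string; quote it (`latest_offset: '0'`) so the two offsets carry the same type through the drilldown schema. Also, with `starthoursago=168` dropped from the search, nothing in the SPL itself bounds the `Risk.All_Risk` query any more — confirm that ES accepts the relative-time token `7d` (and the unsigned form, since Splunk relative time is usually written `-7d`) for this offset, otherwise the drilldown no longer matches its "last 7 days" name.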
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
index a97a93e278..fb2ccf7352 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Data Transfer Size Limits Via Split
id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to split a file.
risk_objects:
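Review bot: `latest_offset: 0` should be quoted as `'0'` to match the string type of `earliest_offset: 7d`; a bare `0` is an int to the YAML loader and may not pass a string-typed schema field. The removal of `starthoursago=168` also means the risk search is now bounded only by these offset fields, so it is worth verifying (in generated savedsearches.conf) that `7d` is accepted there and resolves to seven days before the event, not after.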
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index c81e26d4a6..577c614d6e 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Data Transfer Size Limits Via Split Syscall
id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] that limits the size of data transfer.
risk_objects:
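Review bot: The drilldown's time bound now lives solely in `earliest_offset: 7d` / `latest_offset: 0`, since `starthoursago=168` was removed from the SPL; if the offset fields are not honored as relative-time tokens by ES, the `Risk.All_Risk` query runs over whatever window the caller supplies, which is a regression from the previous always-bounded search. Please confirm `7d` (unsigned) is valid for this field and quote the zero (`latest_offset: '0'`) so both offsets are strings as the schema likely expects.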
diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
index 9cf4b45410..ae1f0966e4 100644
--- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Database File And Directory Discovery
id: f616c4f3-bde9-41cf-856c-019b65f668bb
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to discover database files and directories.
risk_objects:
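Review bot: `latest_offset: 0` is an integer to the YAML parser while `earliest_offset: 7d` is a string; writing `latest_offset: '0'` avoids a type mismatch in the drilldown model. Because `starthoursago=168` no longer appears in the search, the seven-day bound on the `Risk.All_Risk` lookup now depends entirely on these offsets being interpreted as Splunk relative time — confirm that ES accepts `7d` here (the conventional form is `-7d`) so the drilldown is not silently widened.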
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index 57def3a51f..13fdf313f5 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Dd File Overwrite
id: d1b74420-4cea-4752-a123-9b40dfcca49a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$].
risk_objects:
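Review bot: Quote the new zero offset as `latest_offset: '0'` so it has the same string type as `earliest_offset: 7d`; an unquoted `0` becomes an int and may be rejected or re-serialized by the content schema. With `starthoursago=168` removed from the SPL, the risk drilldown is only bounded by these two fields, so please verify in the rendered search that `7d` is accepted as an offset and yields the intended seven-day lookback.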
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
index 797a8f60c5..9eb2029606 100644
--- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
+++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Disable Or Modify System Firewall
id: 07052556-d4b5-4bae-89aa-cbdc1bb11250
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service event - [$type$] to disable or modify system firewall occurred on host - [$dest$] .
risk_objects:
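Review bot: `latest_offset: 0` is parsed as an integer whereas `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps the pair type-consistent. Note that dropping `starthoursago=168` from the search removes the in-SPL time bound on `Risk.All_Risk`, so if ES does not treat `7d` as a relative-time offset (docs have described this field as seconds or `$info_min_time$`, and Splunk relative time is normally signed), the drilldown may open unbounded — worth confirming on a generated correlation search.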
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
index 213d6f51b9..0be41be3c8 100644
--- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Doas Conf File Creation
id: 61059783-574b-40d2-ac2f-69b898afd6b4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -73,9 +73,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $reconstructed_path$ file was created on host - [$dest$]
risk_objects:
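Review bot: The new `latest_offset: 0` should be quoted (`'0'`) to match the string type of `earliest_offset: 7d`; otherwise the YAML loader hands the schema an int. Since `starthoursago=168` was removed from the SPL, the seven-day window now rests solely on ES honoring `7d` in the offset field — please confirm that token (unsigned, rather than `-7d`) is accepted and resolves backwards from the event time, so the risk lookup stays bounded.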
diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml
index 3c610561b1..a6e154cc71 100644
--- a/detections/endpoint/linux_auditd_doas_tool_execution.yml
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Doas Tool Execution
id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to execute the "doas" tool.
risk_objects:
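Review bot: `latest_offset: 0` is an unquoted integer alongside the string `earliest_offset: 7d`; use `latest_offset: '0'` so both offsets share a type. The search no longer carries `starthoursago=168`, so the `Risk.All_Risk` query is bounded only by these offsets — verify that ES accepts `7d` as a relative-time offset here, otherwise the "last 7 days" drilldown could run over an unintended window.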
diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
index 2dfb6d3a4c..6562ff4c47 100644
--- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Edit Cron Table Parameter
id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to edit the cron table.
risk_objects:
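Review bot: Quote the zero offset, `latest_offset: '0'`, so it is a string like `earliest_offset: 7d`; a bare `0` is typed as int by the YAML parser and may not satisfy a string-typed schema field. With `starthoursago=168` gone from the SPL, the only bound on the risk search is now the offset pair, so confirm in the rendered savedsearches.conf that `7d` is honored and interpreted as seven days before the event.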
diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
index 0812becc6e..ed6920a028 100644
--- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd File And Directory Discovery
id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to discover files and directories.
risk_objects:
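Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is a string; write `latest_offset: '0'` for a consistent type. Removing `starthoursago=168` from the search shifts the seven-day bound entirely onto these offset fields, so if ES expects seconds or `$info_min_time$` here rather than a relative-time token (and Splunk normally writes lookbacks as `-7d`), the `Risk.All_Risk` query could become unbounded — please confirm against a generated correlation search.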
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
index 67ae04ca00..1b1863d19c 100644
--- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
+++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -1,7 +1,7 @@
name: Linux Auditd File Permission Modification Via Chmod
id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: "Teoderick Contreras, Splunk, Ivar Nygård"
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $proctitle$ event occurred on host $dest$ to modify file permissions using the "chmod" command.
risk_objects:
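Review bot: The new `latest_offset: 0` should be `latest_offset: '0'` so it is a string like `earliest_offset: 7d`; an unquoted `0` is an int to the loader. Since `starthoursago=168` no longer appears in the SPL, the drilldown's seven-day window now depends solely on ES accepting `7d` as an offset — verify that, and the sign convention, on a rendered search so the risk query stays bounded as the drilldown name promises.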
diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
index 93662b2e43..a8f7f7c808 100644
--- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
+++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
@@ -1,7 +1,7 @@
name: Linux Auditd File Permissions Modification Via Chattr
id: f2d1110d-b01c-4a58-9975-90a9edeb083a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to modify file permissions using the "chattr" command.
risk_objects:
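Review bot: `latest_offset: 0` is an integer to the YAML parser whereas `earliest_offset: 7d` is a string; quoting it (`'0'`) keeps the schema input consistent. With `starthoursago=168` removed from the search, nothing in the SPL bounds the `Risk.All_Risk` query any more, so please confirm ES honors `7d` (unsigned) in this offset field rather than falling back to an unbounded or caller-supplied window.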
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
index 456872bcd9..ada032979d 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Find Credentials From Password Managers
id: 784241aa-85a5-4782-a503-d071bd3446f9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to find credentials stored in password managers.
risk_objects:
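Review bot: Quote the zero, `latest_offset: '0'`, to match the string `earliest_offset: 7d`; a bare `0` is typed as int and may be rejected by a string-typed field. The search no longer includes `starthoursago=168`, so the seven-day lookback on `Risk.All_Risk` now rests entirely on ES interpreting `7d` as a relative-time offset — confirm this in the generated savedsearches.conf (older docs describe the field as seconds or `$info_min_time$`).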
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
index fd9754a960..0638b0858d 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Find Credentials From Password Stores
id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to find credentials stored in password managers.
risk_objects:
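Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` is a string; use `latest_offset: '0'` so both offsets are the same type. Because `starthoursago=168` was dropped from the SPL, the only bound on the risk query is now the offset pair, so verify that ES accepts `7d` (rather than `-7d` or seconds) here and the drilldown still covers exactly seven days. Unrelated to this change but visible in context: the rba message says "password managers" although this detection targets password stores, which looks like a copy-paste from the sibling detection.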
diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
index bbba4b589b..c9675b70ad 100644
--- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
+++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Find Ssh Private Keys
id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to find SSH private keys.
risk_objects:
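Review bot: The new `latest_offset: 0` should be quoted as `'0'` to stay a string like `earliest_offset: 7d`; otherwise the YAML loader produces an int. Removing `starthoursago=168` from the search leaves the `Risk.All_Risk` query bounded only by these offsets, so please confirm on a rendered correlation search that ES honors `7d` as a relative-time offset and resolves it backwards from the event time.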
diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
index 74d8ca8e97..abed9e91f8 100644
--- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Hardware Addition Swapoff
id: 5728bb16-1a0b-4b66-bce2-0074ac839770
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to disable the swapping of paging devices on a Linux system.
risk_objects:
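Review bot: `latest_offset: 0` is parsed as an integer whereas `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps the pair type-consistent for the schema. Since `starthoursago=168` is gone from the SPL, the seven-day window now depends solely on ES accepting `7d` in the offset field (Splunk relative time is normally signed, `-7d`, and older drilldown docs describe the field as seconds) — verify the generated search so the risk lookup does not become unbounded.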
diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
index a579e32758..18b4817303 100644
--- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
+++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Hidden Files And Directories Creation
id: 555cc358-bf16-4e05-9b3a-0f89c73b7261
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$].
risk_objects:
diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
index 69ea25beea..74e64075ae 100644
--- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Insert Kernel Module Using Insmod Utility
id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to insert a Linux kernel module using the insmod utility.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
index 20919849b9..e8114e09ba 100644
--- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Install Kernel Module Using Modprobe Utility
id: 95165985-ace5-4d42-9c42-93a89a5af901
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to install a Linux kernel module using the modprobe utility.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
index 82f224b074..7dec809b3a 100644
--- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Kernel Module Enumeration
id: d1b088de-c47a-4572-9339-bdcc26493b32
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to list kernel modules.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
index 8ac53069bf..45e4e954d0 100644
--- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Kernel Module Using Rmmod Utility
id: 31810b7a-0abe-42be-a210-0dec8106afee
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to remove a Linux kernel module using the rmmod utility.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index f4531dd662..e860bf85fd 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Nopasswd Entry In Sudoers File
id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to add NOPASSWD entry in sudoers file.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index 03cfe97964..a04aef6db4 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Osquery Service Stop
id: 0c320fea-6e87-4b99-a884-74d09d4b655d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service event - [$type$] event occurred on host - [$dest$] to stop the osquery service.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index 7fd5538c07..1545af1203 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access Or Modification Of Sshd Config File
id: acb3ea33-70f7-47aa-b335-643b3aebcb2f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -73,9 +73,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $reconstructed_path$ has been accessed with type $nametype$ on host - [$dest$]
risk_objects:
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 71769f8317..3a013b51f7 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access To Credential Files
id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to access or dump the contents of /etc/passwd and /etc/shadow files.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
index 7886797400..010d3adae2 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Possible Access To Sudoers File
id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $reconstructed_path$ has been accessed for potential modification or deletion on host - [$dest$]
risk_objects:
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index 9b6c4dfda4..bdfa181b5f 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Preload Hijack Library Calls
id: 35c50572-a70b-452f-afa9-bebdf3c3ce36
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to hijack or hook library functions using the LD_PRELOAD environment variable.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
index c5877dbc71..afe1b641b9 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Preload Hijack Via Preload File
id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -67,9 +67,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$nametype$] event has occurred on host - [$dest$] to modify the preload file.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index e396770828..df09242a93 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Private Keys and Certificate Enumeration
id: 892eb674-3344-4143-8e52-4775b1daf3f1
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to find private keys.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index 3a457b9d8c..2c38976ce0 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Service Restarted
id: 8eb3e858-18d3-44a4-a514-52cfa39f154a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to restart or re-enable a service.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index 8854b2da3a..06065bda90 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Service Started
id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to start or enable a service.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index ae161def91..ced4a331d2 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Setuid Using Chmod Utility
id: 8230c407-1b47-4d95-ac2e-718bd6381386
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the chmod utility.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index 6773572d01..c859bf4a06 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Setuid Using Setcap Utility
id: 1474459a-302b-4255-8add-d82f96d14cd9
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to set the SUID or SGID bit on files using the setcap utility.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index 70df5a052e..e4ad64588d 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Shred Overwrite Command
id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to overwrite files using the shred utility.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml
index 94fcbe2c1f..e5d05aca95 100644
--- a/detections/endpoint/linux_auditd_stop_services.yml
+++ b/detections/endpoint/linux_auditd_stop_services.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Stop Services
id: 43bc9281-753b-4743-b4b7-60af84f085f3
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Industroyer2
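Review bot: This file is `type: Hunting` and the hunk shows `tags:` following the drilldowns with no `rba:` block, so the analytic itself appears to produce no risk events; the rewritten "View risk events for the last 7 days" drilldown can therefore only surface risk attributed to `$dest$` by other detections. That may be intended, but if Hunting content is not deployed with drilldowns this block is dead configuration; consider either dropping it or renaming the drilldown to make clear the results come from other analytics.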
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index 348c198398..24052b0d2f 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Sudo Or Su Execution
id: 817a5c89-5b92-4818-a22d-aa35e1361afe
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$proctitle$] event occurred on host - [$dest$] to execute the sudo or su command.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index 7112d17769..8db8f45916 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Sysmon Service Stop
id: 20901256-633a-40de-8753-7b88811a460f
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service event - [$type$] event occurred on host - [$dest$] to stop or disable the sysmon service.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 2c9dfe6675..3d62fb33b0 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd System Network Configuration Discovery
id: 5db16825-81bd-4923-a8d6-d6a13a59832a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover system network configuration.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index 41b4408c51..24e4ef1bd6 100644
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Unix Shell Configuration Modification
id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04
-version: 9
-date: '2026-03-12'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$nametype$] event occurred on host - [$dest$] to modify the unix shell configuration file.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
index 717e619e2a..5c9b487d4c 100644
--- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
+++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Unload Module Via Modprobe
id: 90964d6a-4b5f-409a-85bd-95e261e03fe9
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to unload a kernel module via the modprobe command.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
index 22bb933223..9ecbd6dbca 100644
--- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Virtual Disk File And Directory Discovery
id: eec78cef-d4c8-4b35-8f5b-6922102a4a41
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$execve_command$] event occurred on host - [$dest$] to discover virtual disk files and directories.
risk_objects:
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
index e3ce06cf4d..07ae187967 100644
--- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
@@ -1,7 +1,7 @@
name: Linux Auditd Whoami User Discovery
id: d1ff2e22-310d-446a-80b3-faedaa7b3b52
-version: 7
-date: '2026-03-12'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover virtual disk files and directories.
risk_objects:
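Review bot: The `rba.message` context line in this hunk says the event was executed "to discover virtual disk files and directories", which is the text of the preceding Virtual Disk File And Directory Discovery detection rather than whoami user discovery, so analysts triaging this risk event get a misleading description. Since the commit already bumps this file to version 8, correct the analyst-facing text in the same change, e.g. `message: A SYSCALL - [$comm$] event was executed on host - [$dest$] to discover the current user via whoami.`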
diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml
index 906f39599b..8ad6ec6bf2 100644
--- a/detections/endpoint/linux_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_awk_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux AWK Privilege Escalation
id: 4510cae0-96a2-4840-9919-91d262db210a
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml
index 45f7f45397..69ba7bbe5b 100644
--- a/detections/endpoint/linux_busybox_privilege_escalation.yml
+++ b/detections/endpoint/linux_busybox_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Busybox Privilege Escalation
id: 387c4e78-f4a4-413d-ad44-e9f7bc4642c9
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml
index 852551b016..443b000aaf 100644
--- a/detections/endpoint/linux_c89_privilege_escalation.yml
+++ b/detections/endpoint/linux_c89_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux c89 Privilege Escalation
id: 54c95f4d-3e5d-44be-9521-ea19ba62f7a8
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml
index 0d372def25..a6a30bef67 100644
--- a/detections/endpoint/linux_c99_privilege_escalation.yml
+++ b/detections/endpoint/linux_c99_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux c99 Privilege Escalation
id: e1c6dec5-2249-442d-a1f9-99a4bd228183
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml
index 21d1a6f0d2..c887772b41 100644
--- a/detections/endpoint/linux_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
name: Linux Change File Owner To Root
id: c1400ea2-6257-11ec-ad49-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may change ownership to root on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml
index 53157367ad..2a88c50e64 100644
--- a/detections/endpoint/linux_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_clipboard_data_copy.yml
@@ -1,7 +1,7 @@
name: Linux Clipboard Data Copy
id: 7173b2ad-6146-418f-85ae-c3479e4515fc
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ adding or removing content from the clipboard.
risk_objects:
diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml
index dab7f4afb7..be052b8c40 100644
--- a/detections/endpoint/linux_composer_privilege_escalation.yml
+++ b/detections/endpoint/linux_composer_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Composer Privilege Escalation
id: a3bddf71-6ba3-42ab-a6b2-396929b16d92
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
index b9e9601a0e..a49399035f 100644
--- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml
+++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Cpulimit Privilege Escalation
id: d4e40b7e-aad3-4a7d-aac8-550ea5222be5
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml
index 3f4f564c46..6e72109a62 100644
--- a/detections/endpoint/linux_csvtool_privilege_escalation.yml
+++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Csvtool Privilege Escalation
id: f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml
index 4d9cb56c2b..15bf378079 100644
--- a/detections/endpoint/linux_curl_upload_file.yml
+++ b/detections/endpoint/linux_curl_upload_file.yml
@@ -1,7 +1,7 @@
name: Linux Curl Upload File
id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to upload important files to a remote destination.
risk_objects:
diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml
index 9130cb231b..95dddd6d48 100644
--- a/detections/endpoint/linux_data_destruction_command.yml
+++ b/detections/endpoint/linux_data_destruction_command.yml
@@ -1,7 +1,7 @@
name: Linux Data Destruction Command
id: b11d3979-b2f7-411b-bb1a-bd00e642173b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a $process_name$ execute rm command with --no-preserve-root parmeter that can wipe root files on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml
index afac7aef91..e971da52fe 100644
--- a/detections/endpoint/linux_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_dd_file_overwrite.yml
@@ -1,7 +1,7 @@
name: Linux DD File Overwrite
id: 9b6aae5e-8d85-11ec-b2ae-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml
index 87df8827a5..540361738f 100644
--- a/detections/endpoint/linux_decode_base64_to_shell.yml
+++ b/detections/endpoint/linux_decode_base64_to_shell.yml
@@ -1,7 +1,7 @@
name: Linux Decode Base64 to Shell
id: 637b603e-1799-40fd-bf87-47ecbd551b66
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64 and passing it to a shell.
risk_objects:
diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
index 1249caebd7..08a957baac 100644
--- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
+++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
@@ -1,7 +1,7 @@
name: Linux Deleting Critical Directory Using RM Command
id: 33f89303-cc6f-49ad-921d-2eaea38a6f7a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A deletion in known critical list of folder using rm command $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml
index 9cb8b225a7..322567caf6 100644
--- a/detections/endpoint/linux_deletion_of_cron_jobs.yml
+++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml
@@ -1,7 +1,7 @@
name: Linux Deletion Of Cron Jobs
id: 3b132a71-9335-4f33-9932-00bb4f6ac7e8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Linux cron jobs are deleted on host $dest$ by process GUID- $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml
index 58aef51557..808a2d67dd 100644
--- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml
+++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml
@@ -1,7 +1,7 @@
name: Linux Deletion Of Init Daemon Script
id: 729aab57-d26f-4156-b97f-ab8dda8f44b1
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Init daemon script deleted on host $dest$ by process GUID- $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml
index d36da9a7bc..a7bd7939fe 100644
--- a/detections/endpoint/linux_deletion_of_services.yml
+++ b/detections/endpoint/linux_deletion_of_services.yml
@@ -1,7 +1,7 @@
name: Linux Deletion Of Services
id: b509bbd3-0331-4aaa-8e4a-d2affe100af6
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A services file $file_name$ deteted on host $dest$ by process GUID - $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
index 705801a169..a8ec537bc5 100644
--- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml
+++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
@@ -1,7 +1,7 @@
name: Linux Deletion of SSL Certificate
id: 839ab790-a60a-4f81-bfb3-02567063f615
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: SSL certificate deleted on host $dest$ by process GUID- $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml
index 9e47807bff..4de1495ac5 100644
--- a/detections/endpoint/linux_disable_services.yml
+++ b/detections/endpoint/linux_disable_services.yml
@@ -1,7 +1,7 @@
name: Linux Disable Services
id: f2e08a38-6689-4df4-ad8c-b51c16262316
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable services on endpoint $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml
index 4c7e5b1796..7f85e729b0 100644
--- a/detections/endpoint/linux_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
name: Linux Doas Conf File Creation
id: f6343e86-6e09-11ec-9376-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml
index cb757dd49e..547cdf9305 100644
--- a/detections/endpoint/linux_doas_tool_execution.yml
+++ b/detections/endpoint/linux_doas_tool_execution.yml
@@ -1,7 +1,7 @@
name: Linux Doas Tool Execution
id: d5a62490-6e09-11ec-884e-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A doas $process_name$ with commandline $process$ was executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_docker_root_directory_mount.yml b/detections/endpoint/linux_docker_root_directory_mount.yml
index 9522113437..51231e844a 100644
--- a/detections/endpoint/linux_docker_root_directory_mount.yml
+++ b/detections/endpoint/linux_docker_root_directory_mount.yml
@@ -1,7 +1,7 @@
name: Linux Docker Root Directory Mount
id: aa049566-f76a-43b9-908c-3c27e079fd43
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ spawned by $user$ on endpoint $dest$, tried to mount the root directory via the command $process$
risk_objects:
diff --git a/detections/endpoint/linux_docker_shell_execution.yml b/detections/endpoint/linux_docker_shell_execution.yml
index fd3f2fecb0..6116e9a232 100644
--- a/detections/endpoint/linux_docker_shell_execution.yml
+++ b/detections/endpoint/linux_docker_shell_execution.yml
@@ -1,7 +1,7 @@
name: Linux Docker Shell Execution
id: 03b2b286-fa86-4ec9-b1a1-ec19d314bdf7
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk, Emil Elsetrønning
status: production
type: Anomaly
@@ -66,9 +66,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ on endpoint $dest$ spawned a shell in a docker container via the commandline $process$
risk_objects:
diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml
index da3a613c90..dc93c27944 100644
--- a/detections/endpoint/linux_emacs_privilege_escalation.yml
+++ b/detections/endpoint/linux_emacs_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Emacs Privilege Escalation
id: 92033cab-1871-483d-a03b-a7ce98665cfc
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
index 7298012486..38a0cfc943 100644
--- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
+++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
@@ -1,7 +1,7 @@
name: Linux File Created In Kernel Driver Directory
id: b85bbeec-6326-11ec-9311-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
index 2d739277f4..406a8a3aa1 100644
--- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
@@ -1,7 +1,7 @@
name: Linux File Creation In Init Boot Directory
id: 97d9cfb2-61ad-11ec-bb2d-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml
index 5bc8aec87b..ad087dfe3d 100644
--- a/detections/endpoint/linux_file_creation_in_profile_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml
@@ -1,7 +1,7 @@
name: Linux File Creation In Profile Directory
id: 46ba0082-61af-11ec-9826-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml
index 51c86a6a3c..aa6bd449a3 100644
--- a/detections/endpoint/linux_find_privilege_escalation.yml
+++ b/detections/endpoint/linux_find_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Find Privilege Escalation
id: 2ff4e0c2-8256-4143-9c07-1e39c7231111
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml
index fc2e573a4c..197848c295 100644
--- a/detections/endpoint/linux_gdb_privilege_escalation.yml
+++ b/detections/endpoint/linux_gdb_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux GDB Privilege Escalation
id: 310b7da2-ab52-437f-b1bf-0bd458674308
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_gdrive_binary_activity.yml b/detections/endpoint/linux_gdrive_binary_activity.yml
index ab71f55504..783e776624 100644
--- a/detections/endpoint/linux_gdrive_binary_activity.yml
+++ b/detections/endpoint/linux_gdrive_binary_activity.yml
@@ -1,7 +1,7 @@
name: Linux Gdrive Binary Activity
id: a42f8029-5472-4c33-8943-bb17bb07466a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified attempting to interact with Google Drive on endpoint $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml
index ea9ed6188a..babb979abf 100644
--- a/detections/endpoint/linux_gem_privilege_escalation.yml
+++ b/detections/endpoint/linux_gem_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Gem Privilege Escalation
id: 0115482a-5dcb-4bb0-bcca-5d095d224236
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
index 3d32c120a0..d0fd796871 100644
--- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux GNU Awk Privilege Escalation
id: 0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml
index 5502c3072b..56dbfe3b6d 100644
--- a/detections/endpoint/linux_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_hardware_addition_swapoff.yml
@@ -1,7 +1,7 @@
name: Linux Hardware Addition SwapOff
id: c1eea697-99ed-44c2-9b70-d8935464c499
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a $process_name$ swap off paging device on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
index fbca267c1b..7b61d63d70 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
@@ -1,7 +1,7 @@
name: Linux High Frequency Of File Deletion In Boot Folder
id: e27fbc5d-0445-4c4a-bc39-87f060d5c602
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple files detection in /boot/ folder on $dest$ by process GUID - $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
index 69dfed37dc..4b98968987 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
@@ -1,7 +1,7 @@
name: Linux High Frequency Of File Deletion In Etc Folder
id: 9d867448-2aff-4d07-876c-89409a752ff8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple files delted in /etc/ folder on $dest$ by process GUID - $process_guid$
risk_objects:
diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml
index 27bfe22208..081e56866d 100644
--- a/detections/endpoint/linux_indicator_removal_clear_cache.yml
+++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml
@@ -1,7 +1,7 @@
name: Linux Indicator Removal Clear Cache
id: e0940505-0b73-4719-84e6-cb94c44a5245
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a $process_name$ clear cache using kernel drop cache system request in $dest$
risk_objects:
diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
index 685d48cd80..df85db5f5d 100644
--- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
+++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
@@ -1,7 +1,7 @@
name: Linux Indicator Removal Service File Deletion
id: 6c077f81-2a83-4537-afbc-0e62e3215d55
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a $process_name$ has a commandline $process$ to delete service configuration file on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
index ca31851822..2b76496980 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
@@ -1,7 +1,7 @@
name: Linux Ingress Tool Transfer with Curl
id: 8c1de57d-abc1-4b41-a727-a7a8fc5e0857
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ to download a remote file. Review activity for further details.
risk_objects:
diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
index add32ad6da..311cb6382f 100644
--- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Insert Kernel Module Using Insmod Utility
id: 18b5a1a0-6326-11ec-943a-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may install kernel module on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
index e67134ad8d..3f4dfc42b3 100644
--- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
name: Linux Install Kernel Module Using Modprobe Utility
id: 387b278a-6326-11ec-aa2c-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may install kernel module on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
index 4ef8a725e7..7f23ed7d58 100644
--- a/detections/endpoint/linux_iptables_firewall_modification.yml
+++ b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -1,7 +1,7 @@
name: Linux Iptables Firewall Modification
id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process name - $process_name$ that may modify iptables firewall on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml
index 8c279da91d..62655177fe 100644
--- a/detections/endpoint/linux_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_kernel_module_enumeration.yml
@@ -1,7 +1,7 @@
name: Linux Kernel Module Enumeration
id: 6df99886-0e04-4c11-8b88-325747419278
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ enumeration kernel modules.
risk_objects:
diff --git a/detections/endpoint/linux_magic_sysrq_key_abuse.yml b/detections/endpoint/linux_magic_sysrq_key_abuse.yml
index 7e63c70718..c7f49a0d43 100644
--- a/detections/endpoint/linux_magic_sysrq_key_abuse.yml
+++ b/detections/endpoint/linux_magic_sysrq_key_abuse.yml
@@ -1,7 +1,7 @@
name: Linux Magic SysRq Key Abuse
id: 22c03600-f84a-47fa-abaa-ffbe3e72c782
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Milad Cheraghi
status: production
type: TTP
@@ -67,9 +67,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Abuse of the Linux Magic System Request key detected on host - [$dest$]
risk_objects:
diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml
index 766d54df22..b1fa2b0805 100644
--- a/detections/endpoint/linux_make_privilege_escalation.yml
+++ b/detections/endpoint/linux_make_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Make Privilege Escalation
id: 80b22836-5091-4944-80ee-f733ac443f4f
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_medusa_rootkit.yml b/detections/endpoint/linux_medusa_rootkit.yml
index c653985814..f05405df8f 100644
--- a/detections/endpoint/linux_medusa_rootkit.yml
+++ b/detections/endpoint/linux_medusa_rootkit.yml
@@ -1,7 +1,7 @@
name: Linux Medusa Rootkit
id: 7add8520-71d5-43aa-b262-ee082b1f0238
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Medusa rootkit files were identified on endpoint $dest$.
risk_objects:
diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml
index f97dc55abb..c516291d24 100644
--- a/detections/endpoint/linux_mysql_privilege_escalation.yml
+++ b/detections/endpoint/linux_mysql_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux MySQL Privilege Escalation
id: c0d810f4-230c-44ea-b703-989da02ff145
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
index 287538f4bc..df9eb56a6a 100644
--- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
@@ -1,7 +1,7 @@
name: Linux Ngrok Reverse Proxy Usage
id: bc84d574-708c-467d-b78a-4c1e20171f97
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml
index 039da481d9..c614111c54 100644
--- a/detections/endpoint/linux_node_privilege_escalation.yml
+++ b/detections/endpoint/linux_node_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Node Privilege Escalation
id: 2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
index 2200180f81..e97bb709fe 100644
--- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
name: Linux NOPASSWD Entry In Sudoers File
id: ab1e0d52-624a-11ec-8e0b-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a commandline $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
index 523c471e56..7f2f90f7e3 100644
--- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
+++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
@@ -1,7 +1,7 @@
name: Linux Obfuscated Files or Information Base64 Decode
id: 303b38b2-c03f-44e2-8f41-4594606fcfc7
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ decoding base64.
risk_objects:
diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml
index cf23644556..2dcbeb70e9 100644
--- a/detections/endpoint/linux_octave_privilege_escalation.yml
+++ b/detections/endpoint/linux_octave_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Octave Privilege Escalation
id: 78f7487d-42ce-4f7f-8685-2159b25fb477
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml
index 8d6ebb4143..7bd664cc6c 100644
--- a/detections/endpoint/linux_openvpn_privilege_escalation.yml
+++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux OpenVPN Privilege Escalation
id: d25feebe-fa1c-4754-8a1e-afb03bedc0f2
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
index f3d788d115..b1271f0a23 100644
--- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
@@ -1,7 +1,7 @@
name: Linux Persistence and Privilege Escalation Risk Behavior
id: ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Correlation
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Linux Privilege Escalation
diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml
index ee615bae69..d6aa49a86e 100644
--- a/detections/endpoint/linux_php_privilege_escalation.yml
+++ b/detections/endpoint/linux_php_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux PHP Privilege Escalation
id: 4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml
index 7ce095ddc7..58e5b6a662 100644
--- a/detections/endpoint/linux_pkexec_privilege_escalation.yml
+++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux pkexec Privilege Escalation
id: 03e22c1c-8086-11ec-ac2e-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ related to a local privilege escalation in polkit pkexec.
risk_objects:
diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
index 997b2102d9..903799c032 100644
--- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
name: Linux Possible Access Or Modification Of sshd Config File
id: 7a85eb24-72da-11ec-ac76-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a commandline $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml
index b215ab1cfe..d1934ff7eb 100644
--- a/detections/endpoint/linux_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
name: Linux Possible Access To Credential Files
id: 16107e0e-71fc-11ec-b862-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
index b2788f4e2b..65ffdc0ab1 100644
--- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
name: Linux Possible Access To Sudoers File
id: 4479539c-71fc-11ec-b2e2-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
index 1abeb9f00c..7f2daeffa9 100644
--- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
@@ -1,7 +1,7 @@
name: Linux Possible Append Command To At Allow Config File
id: 7bc20606-5f40-11ec-a586-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may modify at allow config file on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
index b3100c198a..1720f22d96 100644
--- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
@@ -1,7 +1,7 @@
name: Linux Possible Append Command To Profile Config File
id: 9c94732a-61af-11ec-91e3-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a commandline $process$ that may modify profile files on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
index a09e18ee3e..adab8bf7fc 100644
--- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml
+++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
@@ -1,7 +1,7 @@
name: Linux Possible Ssh Key File Creation
id: c04ef40c-72da-11ec-8eac-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml
index dfa14efccf..f68c3d36f0 100644
--- a/detections/endpoint/linux_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_preload_hijack_library_calls.yml
@@ -1,7 +1,7 @@
name: Linux Preload Hijack Library Calls
id: cbe2ca30-631e-11ec-8670-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may hijack library function on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
index cf7e51978e..9190fe6804 100644
--- a/detections/endpoint/linux_proxy_socks_curl.yml
+++ b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -1,7 +1,7 @@
name: Linux Proxy Socks Curl
id: bd596c22-ad1e-44fc-b242-817253ce8b08
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk, 0xC0FFEEEE, Github Community
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ utilizing a proxy. Review activity for further details.
risk_objects:
diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml
index 1d190f11d4..b94237aa46 100644
--- a/detections/endpoint/linux_puppet_privilege_escalation.yml
+++ b/detections/endpoint/linux_puppet_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Puppet Privilege Escalation
id: 1d19037f-466e-4d56-8d87-36fafd9aa3ce
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml
index 06279291dd..1e7579d46a 100644
--- a/detections/endpoint/linux_rpm_privilege_escalation.yml
+++ b/detections/endpoint/linux_rpm_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux RPM Privilege Escalation
id: f8e58a23-cecd-495f-9c65-6c76b4cb9774
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml
index 2e49356b53..011052c6bf 100644
--- a/detections/endpoint/linux_ruby_privilege_escalation.yml
+++ b/detections/endpoint/linux_ruby_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Ruby Privilege Escalation
id: 097b28b5-7004-4d40-a715-7e390501788b
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
index a37164f585..62ae9bc8b9 100644
--- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
+++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
@@ -1,7 +1,7 @@
name: Linux Service File Created In Systemd Directory
id: c7495048-61b6-11ec-9a37-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service file named as $file_path$ is created in systemd folder on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml
index 273d4de9ba..e7c1a3f4fd 100644
--- a/detections/endpoint/linux_service_restarted.yml
+++ b/detections/endpoint/linux_service_restarted.yml
@@ -1,7 +1,7 @@
name: Linux Service Restarted
id: 084275ba-61b8-11ec-8d64-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may create or start a service on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml
index b52ab4e332..f70ac06d51 100644
--- a/detections/endpoint/linux_service_started_or_enabled.yml
+++ b/detections/endpoint/linux_service_started_or_enabled.yml
@@ -1,7 +1,7 @@
name: Linux Service Started Or Enabled
id: e0428212-61b7-11ec-88a3-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a commandline $process$ that may create or start a service on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml
index 2855169751..3a32c1d277 100644
--- a/detections/endpoint/linux_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
name: Linux Setuid Using Chmod Utility
id: bf0304b6-6250-11ec-9d7c-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a commandline $process$ that may set suid or sgid on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml
index b1f7a43ac2..7e79bf9e3a 100644
--- a/detections/endpoint/linux_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml
@@ -1,7 +1,7 @@
name: Linux Setuid Using Setcap Utility
id: 9d96022e-6250-11ec-9a19-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ that may set suid or sgid on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml
index b759c79a9d..4b4e1ff3c3 100644
--- a/detections/endpoint/linux_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
name: Linux Shred Overwrite Command
id: c1952cf1-643c-4965-82de-11c067cbae76
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A possible shred overwrite command $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
index 8147ea85e6..24294075ba 100644
--- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml
+++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Linux Sqlite3 Privilege Escalation
id: ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
index b9342318e7..c6d71875c8 100644
--- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml
+++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
@@ -1,7 +1,7 @@
name: Linux SSH Authorized Keys Modification
id: f5ab595e-28e5-4327-8077-5008ba97c850
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ modifying SSH Authorized Keys.
risk_objects:
diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
index 57093ad610..70611a38a4 100644
--- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml
+++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
@@ -1,7 +1,7 @@
name: Linux SSH Remote Services Script Execute
id: aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally and download a file.
risk_objects:
diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
index 13e83b9f43..e0c2f8e445 100644
--- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
+++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
@@ -1,7 +1,7 @@
name: Linux Stdout Redirection To Dev Null File
id: de62b809-a04d-46b5-9a15-8298d330f0c8
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a commandline $process$ that redirect stdout to dev/null on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml
index cdea967daa..85e07db81f 100644
--- a/detections/endpoint/linux_stop_services.yml
+++ b/detections/endpoint/linux_stop_services.yml
@@ -1,7 +1,7 @@
name: Linux Stop Services
id: d05204a5-9f1c-4946-a7f3-4fa58d76d5fd
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to stop services on endpoint $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
index a88f98c637..08b692ac9a 100644
--- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml
+++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
@@ -1,7 +1,7 @@
name: Linux Sudoers Tmp File Creation
id: be254a5c-63e7-11ec-89da-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file $file_name$ is created in $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml b/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml
index fa2128a3c6..b81b166479 100644
--- a/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml
+++ b/detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml
@@ -1,7 +1,7 @@
name: Linux Suspicious React or Next.js Child Process
id: cda04e9c-1950-43ab-87d6-e333a3d7f107
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -122,9 +122,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Node-based server process ($parent_process_name$) on Linux spawned the child process $process_name$ with command-line $process$ on host $dest$ by user $user$, which may indicate remote code execution via React Server Components (CVE-2025-55182 / React2Shell) or abuse of a similar Node.js RCE vector.
risk_objects:
diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml
index 17e7f18d37..f9bf632de6 100644
--- a/detections/endpoint/linux_system_network_discovery.yml
+++ b/detections/endpoint/linux_system_network_discovery.yml
@@ -1,7 +1,7 @@
name: Linux System Network Discovery
id: 535cb214-8b47-11ec-a2c7-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Network discovery process $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
index 0fcd11ea62..f794f8f071 100644
--- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml
+++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
@@ -1,7 +1,7 @@
name: Linux System Reboot Via System Request Key
id: e1912b58-ed9c-422c-bbb0-2dbc70398345
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a $process_name$ execute sysrq command $process$ to reboot $dest$
risk_objects:
diff --git a/detections/endpoint/linux_telnet_authentication_bypass.yml b/detections/endpoint/linux_telnet_authentication_bypass.yml
index 7030e23a84..90dc887e64 100644
--- a/detections/endpoint/linux_telnet_authentication_bypass.yml
+++ b/detections/endpoint/linux_telnet_authentication_bypass.yml
@@ -1,7 +1,7 @@
name: Linux Telnet Authentication Bypass
id: 6e0913d4-5461-487c-9dce-6d22ef2c0f03
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ with CommandLine $process$ was identified on endpoint $dest$ by user $user$ related to an authentication bypass in telnetd.
risk_objects:
diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
index 6636b99351..c4dcb64ea1 100644
--- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
+++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
@@ -1,7 +1,7 @@
name: Linux Unix Shell Enable All SysRq Functions
id: e7a96937-3b58-4962-8dce-538e4763cf15
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a $process_name$ execute sysrq command $process$ to enable all function of system request on $dest$
risk_objects:
diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml
index 12ac6e49a7..c72cc1afa5 100644
--- a/detections/endpoint/linux_visudo_utility_execution.yml
+++ b/detections/endpoint/linux_visudo_utility_execution.yml
@@ -1,7 +1,7 @@
name: Linux Visudo Utility Execution
id: 08c41040-624c-11ec-a71f-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A commandline $process$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml
index a06c2ff9d3..a0f0d20488 100644
--- a/detections/endpoint/living_off_the_land_detection.yml
+++ b/detections/endpoint/living_off_the_land_detection.yml
@@ -1,7 +1,7 @@
name: Living Off The Land Detection
id: 1be30d80-3a39-4df9-9102-64a467b24abc
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Correlation
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Living Off The Land
diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml
index 055d6146e3..e7bd636348 100644
--- a/detections/endpoint/loading_of_dynwrapx_module.yml
+++ b/detections/endpoint/loading_of_dynwrapx_module.yml
@@ -1,7 +1,7 @@
name: Loading Of Dynwrapx Module
id: eac5e8ba-4857-11ec-9371-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: dynwrapx.dll loaded by process $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
index 84c489c32f..49b6aa4fad 100644
--- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
+++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
@@ -1,7 +1,7 @@
name: Log4Shell CVE-2021-44228 Exploitation
id: 9be30d80-3a39-4df9-9102-64a467b24eac
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-03-31'
author: Jose Hernandez, Splunk
status: production
type: Correlation
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Log4Shell CVE-2021-44228
diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml
index ce48c5e605..9c986c17c3 100644
--- a/detections/endpoint/logon_script_event_trigger_execution.yml
+++ b/detections/endpoint/logon_script_event_trigger_execution.yml
@@ -1,7 +1,7 @@
name: Logon Script Event Trigger Execution
id: 4c38c264-1f74-11ec-b5fa-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry path $registry_path$ was modified, added, or deleted on $dest$.
risk_objects:
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml
index b7820ced6d..618845dc9f 100644
--- a/detections/endpoint/lolbas_with_network_traffic.yml
+++ b/detections/endpoint/lolbas_with_network_traffic.yml
@@ -1,7 +1,7 @@
name: LOLBAS With Network Traffic
id: 2820f032-19eb-497e-8642-25b04a880359
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -104,9 +104,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.
risk_objects:
diff --git a/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml b/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml
index 95a2d93601..d426c0786d 100644
--- a/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml
+++ b/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml
@@ -1,7 +1,7 @@
name: MacOS AMOS Stealer - Virtual Machine Check Activity
id: 4e41ad21-9761-426d-8aa1-083712ff9f30
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Alex Karkins
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AMOS Stealer activity on host $dest$ by user $user$
risk_objects:
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
index 0226b077c3..8544ab1f77 100644
--- a/detections/endpoint/macos_lolbin.yml
+++ b/detections/endpoint/macos_lolbin.yml
@@ -1,7 +1,7 @@
name: MacOS LOLbin
id: 58d270fb-5b39-418e-a855-4b8ac046805e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiplle LOLbin are executed on host $dest$ by user $user$
risk_objects:
diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml
index bd8ed7ba39..dfac5697e7 100644
--- a/detections/endpoint/macos_plutil.yml
+++ b/detections/endpoint/macos_plutil.yml
@@ -1,7 +1,7 @@
name: MacOS plutil
id: c11f2b57-92c1-4cd2-b46c-064eafb833ac
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: plutil are executed on $dest$ from $user$
risk_objects:
diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml
index bf224a4375..4070978d31 100644
--- a/detections/endpoint/mailsniper_invoke_functions.yml
+++ b/detections/endpoint/mailsniper_invoke_functions.yml
@@ -1,7 +1,7 @@
name: Mailsniper Invoke functions
id: a36972c8-b894-11eb-9f78-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential mailsniper.ps1 functions executed on dest $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml
index 68ac517d8d..4dda66e664 100644
--- a/detections/endpoint/malicious_inprocserver32_modification.yml
+++ b/detections/endpoint/malicious_inprocserver32_modification.yml
@@ -1,7 +1,7 @@
name: Malicious InProcServer32 Modification
id: 127c8d08-25ff-11ec-9223-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process identified on endpoint $dest$ modifying the registry with a known malicious clsid under InProcServer32.
risk_objects:
diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
index 1f2293b547..f5c171e754 100644
--- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml
+++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
@@ -1,7 +1,7 @@
name: Malicious Powershell Executed As A Service
id: 8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Ryan Becwar
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Identifies the abuse the Windows SC.exe to execute malicious powerShell as a service $ImagePath$ by $user$ on $dest$
risk_objects:
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index bd5f1e6458..7c95e3a035 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,7 +1,7 @@
name: Malicious PowerShell Process - Execution Policy Bypass
id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Rico Valdez, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell local execution policy bypass attempt on $dest$
risk_objects:
diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
index 9ecbff49fa..820a8e0d43 100644
--- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
+++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
@@ -1,7 +1,7 @@
name: Malicious PowerShell Process With Obfuscation Techniques
id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell.exe running with potential obfuscated arguments on $dest$
risk_objects:
diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml
index 6be82f2f90..ae87fae080 100644
--- a/detections/endpoint/microsoft_defender_atp_alerts.yml
+++ b/detections/endpoint/microsoft_defender_atp_alerts.yml
@@ -1,7 +1,7 @@
name: Microsoft Defender ATP Alerts
id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Bryan Pluta, Bhavin Patel, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $severity$ alert for $src$ - $signature$
risk_objects:
diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml
index 573821e37f..9c2553b261 100644
--- a/detections/endpoint/microsoft_defender_incident_alerts.yml
+++ b/detections/endpoint/microsoft_defender_incident_alerts.yml
@@ -1,7 +1,7 @@
name: Microsoft Defender Incident Alerts
id: 13435b55-afd8-46d4-9045-7d5457f430a5
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Bryan Pluta, Bhavin Patel, Splunk, lyonheart14, Github Community
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $severity$ alert for $dest$ - $signature$
risk_objects:
diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
index 3045d2ff3c..e26e397995 100644
--- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
+++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
@@ -1,7 +1,7 @@
name: Mimikatz PassTheTicket CommandLine Parameters
id: 13bbd574-83ac-11ec-99d4-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Mimikatz command line parameters for pass the ticket attacks were used on $dest$
risk_objects:
diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
index e6b2f47fcc..c27b4a3252 100644
--- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
name: Mmc LOLBAS Execution Process Spawn
id: f6601940-4c74-11ec-b9b7-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Mmc.exe spawned a LOLBAS process on $dest$.
risk_objects:
diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml
index ff0b5c36b4..65bb1d629d 100644
--- a/detections/endpoint/modification_of_wallpaper.yml
+++ b/detections/endpoint/modification_of_wallpaper.yml
@@ -1,7 +1,7 @@
name: Modification Of Wallpaper
id: accb0712-c381-11eb-8e5b-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wallpaper modification on $dest$
risk_objects:
diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
index 3aeb92554a..d94d4d88af 100644
--- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
+++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
@@ -1,7 +1,7 @@
name: Modify ACL permission To Files Or Folder
id: 7e8458cc-acca-11eb-9e3f-acde48001122
-version: 12
-date: '2026-03-24'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious ACL permission modification on $dest$
risk_objects:
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
index d3b2a8b871..a9bee0d8d5 100644
--- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
+++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
@@ -1,7 +1,7 @@
name: Monitor Registry Keys for Print Monitors
id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: New print monitor added on $dest$
risk_objects:
diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
index 6b925b8204..5ec0b0fbf4 100644
--- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
@@ -1,7 +1,7 @@
name: MS Scripting Process Loading Ldap Module
id: 0b0c40dc-14a6-11ec-b267-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ loading ldap modules $ImageLoaded$ on $dest$
risk_objects:
diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
index 4a5fb609d9..452e0c9c22 100644
--- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
@@ -1,7 +1,7 @@
name: MS Scripting Process Loading WMI Module
id: 2eba3d36-14a6-11ec-a682-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ loading wmi modules $ImageLoaded$ on $dest$
risk_objects:
diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
index 8979e651e7..3b40584aa3 100644
--- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
+++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
@@ -1,7 +1,7 @@
name: MSBuild Suspicious Spawned By Script Process
id: 213b3148-24ea-11ec-93a2-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Msbuild.exe process spawned by $parent_process_name$ on $dest$ executed by $user$
risk_objects:
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index 5f353e5473..9425ae6243 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -1,7 +1,7 @@
name: Mshta spawning Rundll32 OR Regsvr32 Process
id: 4aa5d062-e893-11eb-9eb2-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a mshta parent process $parent_process_name$ spawn child process $process_name$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml
index 6cab69aeba..405ca84386 100644
--- a/detections/endpoint/msmpeng_application_dll_side_loading.yml
+++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml
@@ -1,7 +1,7 @@
name: Msmpeng Application DLL Side Loading
id: 8bb3f280-dd9b-11eb-84d5-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Sanjay Govind
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious creation of msmpeng.exe or mpsvc.dll in non default windows defender folder on host - $dest$
risk_objects:
diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml
index c7adc6bf75..dcc7af705e 100644
--- a/detections/endpoint/net_profiler_uac_bypass.yml
+++ b/detections/endpoint/net_profiler_uac_bypass.yml
@@ -1,7 +1,7 @@
name: NET Profiler UAC bypass
id: 0252ca80-e30d-11eb-8aa3-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious modification of registry $registry_path$ with possible payload path $registry_path$ and key $registry_key_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml
index 7c75e9bbd1..4d831b9f73 100644
--- a/detections/endpoint/nishang_powershelltcponeline.yml
+++ b/detections/endpoint/nishang_powershelltcponeline.yml
@@ -1,7 +1,7 @@
name: Nishang PowershellTCPOneLine
id: 1a382c6c-7c2e-11eb-ac69-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Nishang Invoke-PowerShellTCPOneLine behavior on $dest$
risk_objects:
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml
index c132fb088a..c096b5d8c5 100644
--- a/detections/endpoint/nltest_domain_trust_discovery.yml
+++ b/detections/endpoint/nltest_domain_trust_discovery.yml
@@ -1,7 +1,7 @@
name: NLTest Domain Trust Discovery
id: c3e05466-5f22-11eb-ae93-0242ac130002
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Domain trust discovery execution on $dest$
risk_objects:
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index 8d2539f3ff..50c375e20b 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -1,7 +1,7 @@
name: Non Chrome Process Accessing Chrome Default Dir
id: 81263de4-160a-11ec-944f-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a non chrome browser process $ProcessName$ accessing $ObjectName$
risk_objects:
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index bb36b1fa27..304aad6f43 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -1,7 +1,7 @@
name: Non Firefox Process Access Firefox Profile Dir
id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a non firefox browser process $ProcessName$ accessing $ObjectName$
risk_objects:
diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml
index 45ce70f040..101b4012e6 100644
--- a/detections/endpoint/notepad_with_no_command_line_arguments.yml
+++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Notepad with no Command Line Arguments
id: 5adbc5f1-9a2f-41c1-a810-f37e015f8179
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ with no command line arguments.
risk_objects:
diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml
index 1e27915805..d04bad3391 100644
--- a/detections/endpoint/ntdsutil_export_ntds.yml
+++ b/detections/endpoint/ntdsutil_export_ntds.yml
@@ -1,7 +1,7 @@
name: Ntdsutil Export NTDS
id: da63bc76-61ae-11eb-ae93-0242ac130002
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Patrick Bareiss, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Active Directory NTDS export on $dest$
risk_objects:
diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
index 278c4be82f..039a74e01c 100644
--- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
+++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
@@ -1,7 +1,7 @@
name: Outbound Network Connection from Java Using Default Ports
id: d2c14d28-5c47-11ec-9892-acde48001122
-version: 11
-date: '2026-03-18'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Lou Stella, Splunk
status: production
type: TTP
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Java performed outbound connections to default ports of LDAP or RMI on $dest$
risk_objects:
diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml
index c036196a64..ce6fb8d2ca 100644
--- a/detections/endpoint/overwriting_accessibility_binaries.yml
+++ b/detections/endpoint/overwriting_accessibility_binaries.yml
@@ -1,7 +1,7 @@
name: Overwriting Accessibility Binaries
id: 13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious file modification or replace in $file_path$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml
index 31c4bb0576..e2b3ca0d1e 100644
--- a/detections/endpoint/permission_modification_using_takeown_app.yml
+++ b/detections/endpoint/permission_modification_using_takeown_app.yml
@@ -1,7 +1,7 @@
name: Permission Modification using Takeown App
id: fa7ca5c6-c9d8-11eb-bce9-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious of execution of $process_name$ with process id $process_id$ and commandline $process$ to modify permission of directory or files in host $dest$
risk_objects:
diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml
index 89d6109021..00174e5075 100644
--- a/detections/endpoint/petitpotam_network_share_access_request.yml
+++ b/detections/endpoint/petitpotam_network_share_access_request.yml
@@ -1,7 +1,7 @@
name: PetitPotam Network Share Access Request
id: 95b8061a-0a67-11ec-85ec-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A remote host is enumerating a $dest$ to identify permissions. This is a precursor event to CVE-2021-36942, PetitPotam.
risk_objects:
diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
index 05d18d3c51..2777972c86 100644
--- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
@@ -1,7 +1,7 @@
name: PetitPotam Suspicious Kerberos TGT Request
id: e3ef244e-0a67-11ec-abf2-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Kerberos TGT was requested in a non-standard manner against $dest$, potentially related to CVE-2021-36942, PetitPotam.
risk_objects:
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
index 0d5f6fb0f7..aed431a56c 100644
--- a/detections/endpoint/ping_sleep_batch_command.yml
+++ b/detections/endpoint/ping_sleep_batch_command.yml
@@ -1,7 +1,7 @@
name: Ping Sleep Batch Command
id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 14
-date: '2026-03-26'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -70,9 +70,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: suspicious $process$ commandline run on $dest$
risk_objects:
diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
index 077eee2eb5..29f199da1e 100644
--- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
+++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
@@ -1,7 +1,7 @@
name: Possible Lateral Movement PowerShell Spawn
id: cb909b3e-512b-11ec-aa31-3e22fbd008af
-version: 14
-date: '2026-03-26'
+version: 15
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
@@ -81,9 +81,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell process was spawned as a child process of typically abused processes on $dest$
risk_objects:
diff --git a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
index 4f070c61c1..d401293013 100644
--- a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
+++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
@@ -1,7 +1,7 @@
name: Potential System Network Configuration Discovery Activity
id: 3f0b95e3-3195-46ac-bea3-84fb59e7fac5
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -59,9 +59,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning multiple $process_name$ was identified on endpoint $dest$ by user $user$ typically not a normal behavior of the process.
risk_objects:
diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml
index 58fd878db4..07c7a0059a 100644
--- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml
+++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml
@@ -1,7 +1,7 @@
name: Potential Telegram API Request Via CommandLine
id: d6b0d627-d0bf-46b1-936f-c48284767d21
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ with command line $process$ in $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
index 4818fe71a0..ce4454a222 100644
--- a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
@@ -1,7 +1,7 @@
name: Powershell COM Hijacking InprocServer32 Modification
id: ea61e291-af05-4716-932a-67faddb6ae6f
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script has been identified with InProcServer32 within the script code on $dest$.
risk_objects:
diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml
index 106a88088e..a45f00468e 100644
--- a/detections/endpoint/powershell_creating_thread_mutex.yml
+++ b/detections/endpoint/powershell_creating_thread_mutex.yml
@@ -1,7 +1,7 @@
name: Powershell Creating Thread Mutex
id: 637557ec-ca08-11eb-bd0a-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains Thread Mutex on host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml
index 097f6b6d86..99377927c5 100644
--- a/detections/endpoint/powershell_disable_security_monitoring.yml
+++ b/detections/endpoint/powershell_disable_security_monitoring.yml
@@ -1,7 +1,7 @@
name: Powershell Disable Security Monitoring
id: c148a894-dd93-11eb-bf2a-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -97,9 +97,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender Real-time Behavior Monitoring disabled on $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml
index 32d28691f6..4ee5fd5dd5 100644
--- a/detections/endpoint/powershell_domain_enumeration.yml
+++ b/detections/endpoint/powershell_domain_enumeration.yml
@@ -1,7 +1,7 @@
name: PowerShell Domain Enumeration
id: e1866ce2-ca22-11eb-8e44-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml
index 26dc31e288..d83ece03b2 100644
--- a/detections/endpoint/powershell_enable_powershell_remoting.yml
+++ b/detections/endpoint/powershell_enable_powershell_remoting.yml
@@ -1,7 +1,7 @@
name: PowerShell Enable PowerShell Remoting
id: 40e3b299-19a5-4460-96e9-e1467f714f8e
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was identified running a Invoke-PSremoting on $dest$.
risk_objects:
diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml
index fa01ea265c..b1c81d1741 100644
--- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml
+++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml
@@ -1,7 +1,7 @@
name: Powershell Enable SMB1Protocol Feature
id: afed80b2-d34b-11eb-a952-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell Enable SMB1Protocol Feature on $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml
index 5bd84d11ef..64924d8a71 100644
--- a/detections/endpoint/powershell_execute_com_object.yml
+++ b/detections/endpoint/powershell_execute_com_object.yml
@@ -1,7 +1,7 @@
name: Powershell Execute COM Object
id: 65711630-f9bf-11eb-8d72-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains COM CLSID command on host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
index c8e7607ca9..6a860cbba9 100644
--- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
+++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
@@ -1,7 +1,7 @@
name: Powershell Fileless Process Injection via GetProcAddress
id: a26d9db4-c883-11eb-9d75-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains GetProcAddress API on host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index f149652fee..e2cd59fb76 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,7 +1,7 @@
name: Powershell Fileless Script Contains Base64 Encoded Content
id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains base64 command on host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
index 2fcd424bf9..72f0a6fa93 100644
--- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
+++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
@@ -1,7 +1,7 @@
name: PowerShell Invoke CIMMethod CIMSession
id: 651ee958-a433-471c-b264-39725b788b83
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was identified running a Invoke-CIMMethod Invoke-CIMSession on $dest$.
risk_objects:
diff --git a/detections/endpoint/powershell_invoke_wmiexec_usage.yml b/detections/endpoint/powershell_invoke_wmiexec_usage.yml
index f38022d747..e81e8d9f06 100644
--- a/detections/endpoint/powershell_invoke_wmiexec_usage.yml
+++ b/detections/endpoint/powershell_invoke_wmiexec_usage.yml
@@ -1,7 +1,7 @@
name: PowerShell Invoke WmiExec Usage
id: 0734bd21-2769-4972-a5f1-78bb1e011224
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was identified running a Invoke-WmiExec on $dest$.
risk_objects:
diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml
index a8001eb320..eaa08f901a 100644
--- a/detections/endpoint/powershell_load_module_in_meterpreter.yml
+++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml
@@ -1,7 +1,7 @@
name: Powershell Load Module in Meterpreter
id: d5905da5-d050-48db-9259-018d8f034fcf
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was identified running a script utilized by Meterpreter from MetaSploit on endpoint $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index 03bb609189..b9a9cbcae7 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,7 +1,7 @@
name: PowerShell Loading DotNET into Memory via Reflection
id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains reflective class assembly command in $ScriptBlockText$ to load .net code in memory in host $dest$
risk_objects:
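Review bot: The rewritten search on the new side still filters on `"$$"` instead of `"$dest$"`: the drilldown name promises results for `"$dest$"` and `"$user_id$"`, and the RBA message below keys on `$dest$`, but `$$` is (as far as I can tell from Splunk token syntax) an escaped literal dollar sign, so the host half of the `IN (...)` clause never matches a real risk object and the drilldown silently returns only the user's risk events. Since this line is being rewritten anyway, fix the token: `search normalized_risk_object IN ("$dest$", "$user_id$")`. This looks like a copy/paste slip that predates the commit, so the other detections touched by this sweep are worth grepping for `"$$"` as well.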
diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
index eab377ac4d..d6a6a5aa4d 100644
--- a/detections/endpoint/powershell_processing_stream_of_data.yml
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,7 +1,7 @@
name: Powershell Processing Stream Of Data
id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains stream command in $ScriptBlockText$ commonly for processing compressed or to decompressed binary file with EventCode $EventID$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml
index b849491f02..81481d083a 100644
--- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml
+++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml
@@ -1,7 +1,7 @@
name: Powershell Remote Services Add TrustedHost
id: bef21d24-297e-45e3-9b9a-c6ac45450474
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a powershell script adding a remote trustedhost on $dest$ .
risk_objects:
diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
index 8f057f74b6..f29f91b9da 100644
--- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
+++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
@@ -1,7 +1,7 @@
name: Powershell Remote Thread To Known Windows Process
id: ec102cb2-a0f5-11eb-9b38-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell process $process_name$ that tries to create a remote thread on target process $TargetImage$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml
index 09174a98a5..ec3d31143a 100644
--- a/detections/endpoint/powershell_remove_windows_defender_directory.yml
+++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml
@@ -1,7 +1,7 @@
name: Powershell Remove Windows Defender Directory
id: adf47620-79fa-11ec-b248-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: suspicious powershell script $ScriptBlockText$ was executed on the $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml
index 0413852aa0..3e1875bee1 100644
--- a/detections/endpoint/powershell_script_block_with_url_chain.yml
+++ b/detections/endpoint/powershell_script_block_with_url_chain.yml
@@ -1,7 +1,7 @@
name: PowerShell Script Block With URL Chain
id: 4a3f2a7d-6402-4e64-a76a-869588ec3b57
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script used by $user_id$ on host $dest$ contains URLs in an array, this is commonly used for malware.
risk_objects:
diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml
index c6872a3aa3..c244a4ae33 100644
--- a/detections/endpoint/powershell_start_bitstransfer.yml
+++ b/detections/endpoint/powershell_start_bitstransfer.yml
@@ -1,7 +1,7 @@
name: PowerShell Start-BitsTransfer
id: 39e2605a-90d8-11eb-899e-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process $process_name$ with commandline $process$ that are related to bittransfer functionality in host $dest$
risk_objects:
diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml
index 91138468d3..f990f1a41d 100644
--- a/detections/endpoint/powershell_start_or_stop_service.yml
+++ b/detections/endpoint/powershell_start_or_stop_service.yml
@@ -1,7 +1,7 @@
name: PowerShell Start or Stop Service
id: 04207f8a-e08d-4ee6-be26-1e0c4488b04a
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was identified attempting to start or stop a service on $dest$.
risk_objects:
diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml
index 88ee1bef11..e317480886 100644
--- a/detections/endpoint/powershell_using_memory_as_backing_store.yml
+++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml
@@ -1,7 +1,7 @@
name: Powershell Using memory As Backing Store
id: c396a0c4-c9f2-11eb-b4f5-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script contains memorystream command on host $dest$.
risk_objects:
diff --git a/detections/endpoint/powershell_webrequest_using_memory_stream.yml b/detections/endpoint/powershell_webrequest_using_memory_stream.yml
index 6b12414df8..681f7a263c 100644
--- a/detections/endpoint/powershell_webrequest_using_memory_stream.yml
+++ b/detections/endpoint/powershell_webrequest_using_memory_stream.yml
@@ -1,7 +1,7 @@
name: PowerShell WebRequest Using Memory Stream
id: 103affa6-924a-4b53-aff4-1d5075342aab
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user_id$.
risk_objects:
diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
index d1b77d5915..f6efb6ff0c 100644
--- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
+++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
@@ -1,7 +1,7 @@
name: Powershell Windows Defender Exclusion Commands
id: 907ac95c-4dd9-11ec-ba2c-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Exclusion command $ScriptBlockText$ executed on $dest$
risk_objects:
diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
index a0d6fc49b7..f413959fdc 100644
--- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
+++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
@@ -1,7 +1,7 @@
name: Prevent Automatic Repair Mode using Bcdedit
id: 7742aa92-c9d9-11eb-bbfc-acde48001122
-version: 10
-date: '2026-03-16'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process $process_name$ with process id $process_id$ contains commandline $process$ to ignore all bcdedit execution failure in host $dest$
risk_objects:
diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml
index 85d3a574dc..30865bd83c 100644
--- a/detections/endpoint/print_processor_registry_autostart.yml
+++ b/detections/endpoint/print_processor_registry_autostart.yml
@@ -1,7 +1,7 @@
name: Print Processor Registry Autostart
id: 1f5b68aa-2037-11ec-898e-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml
index 8c17ea89b2..ad9235fe22 100644
--- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml
+++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml
@@ -1,7 +1,7 @@
name: Print Spooler Adding A Printer Driver
id: 313681a2-da8e-11eb-adad-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$ComputerName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious print driver was loaded on endpoint $ComputerName$.
risk_objects:
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
index 3731aac28d..419f18a367 100644
--- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
+++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
@@ -1,7 +1,7 @@
name: Print Spooler Failed to Load a Plug-in
id: 1adc9548-da7c-11eb-8f13-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$ComputerName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ComputerName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious printer spooler errors have occurred on endpoint $ComputerName$ with EventCode $EventCode$.
risk_objects:
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
index 9624d83ad6..6e60422183 100644
--- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
+++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
@@ -1,7 +1,7 @@
name: Process Creating LNK file in Suspicious Location
id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Jose Hernandez, Michael Haag, Splunk
status: production
type: Anomaly
@@ -68,9 +68,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A shortcut file [$file_name$] was created in $file_path$ on the host $dest$
risk_objects:
diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml
index f382af5ef1..1926c86d7b 100644
--- a/detections/endpoint/process_deleting_its_process_file_path.yml
+++ b/detections/endpoint/process_deleting_its_process_file_path.yml
@@ -1,7 +1,7 @@
name: Process Deleting Its Process File Path
id: f7eda4bc-871c-11eb-b110-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $process_name$ tries to delete its process path in commandline $process$ as part of defense evasion in host $dest$ by user $user$
risk_objects:
diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml
index 41ff0bebd1..a42def9907 100644
--- a/detections/endpoint/process_execution_via_wmi.yml
+++ b/detections/endpoint/process_execution_via_wmi.yml
@@ -1,7 +1,7 @@
name: Process Execution via WMI
id: 24869767-8579-485d-9a4f-d9ddfd8f0cac
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A remote instance execution of wmic.exe by WmiPrvSE.exe detected on host - $dest$
risk_objects:
diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml
index 010f438dc0..313ea72465 100644
--- a/detections/endpoint/process_kill_base_on_file_path.yml
+++ b/detections/endpoint/process_kill_base_on_file_path.yml
@@ -1,7 +1,7 @@
name: Process Kill Base On File Path
id: 5ffaa42c-acdb-11eb-9ad3-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $process_name$ attempt to kill process by its file path using commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml
index 36425826c8..87c405e73b 100644
--- a/detections/endpoint/ransomware_notes_bulk_creation.yml
+++ b/detections/endpoint/ransomware_notes_bulk_creation.yml
@@ -1,7 +1,7 @@
name: Ransomware Notes bulk creation
id: eff7919a-8330-11eb-83f8-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A high frequency file creation of $file_name$ in different file path in host $dest$
risk_objects:
diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
index 06e396970d..0ed55bb8e4 100644
--- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
+++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
@@ -1,7 +1,7 @@
name: Recon AVProduct Through Pwh or WMI
id: 28077620-c9f6-11eb-8785-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains AV recon command on host $dest$
risk_objects:
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
index 6e3ae8b76a..4e47193e95 100644
--- a/detections/endpoint/recon_using_wmi_class.yml
+++ b/detections/endpoint/recon_using_wmi_class.yml
@@ -1,7 +1,7 @@
name: Recon Using WMI Class
id: 018c1972-ca07-11eb-9473-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains host recon commands detected on host $dest$
risk_objects:
diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
index 9ca977becb..0f43aca721 100644
--- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
+++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
@@ -1,7 +1,7 @@
name: Recursive Delete of Directory In Batch CMD
id: ba570b3a-d356-11eb-8358-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Recursive Delete of Directory In Batch CMD by $user$ on $dest$
risk_objects:
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
index ddefa3e24e..d7ea24c37b 100644
--- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
+++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
@@ -1,7 +1,7 @@
name: Reg exe Manipulating Windows Services Registry Keys
id: 8470d755-0c13-45b3-bd63-387a373c10cf
-version: 15
-date: '2026-03-24'
+version: 16
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A reg.exe process $process_name$ with commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
index cb7d0d018d..6e4feee76a 100644
--- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml
+++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
@@ -1,7 +1,7 @@
name: Registry Keys for Creating SHIM Databases
id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry activity in $registry_path$ related to shim modication in host $dest$
risk_objects:
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 5750fcfa32..930a8b2f83 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
name: Registry Keys Used For Persistence
id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 30
-date: '2026-03-26'
+version: 31
+date: '2026-03-31'
author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry activity in $registry_path$ related to persistence in host $dest$
risk_objects:
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
index c06d7ff4b9..f5079f6602 100644
--- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
+++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Registry Keys Used For Privilege Escalation
id: c9f4b923-f8af-4155-b697-1354f5bcbc5e
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: David Dorsey, Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry activity in $registry_path$ related to privilege escalation in host $dest$
risk_objects:
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index b25201d8e5..82f86fff2e 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -1,7 +1,7 @@
name: Regsvr32 Silent and Install Param Dll Loading
id: f421c250-24e7-11ec-bc43-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent and dllinstall parameter.
risk_objects:
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index a995c6af6b..86caf9a302 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -1,7 +1,7 @@
name: Regsvr32 with Known Silent Switch Cmdline
id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a DLL using the silent parameter.
risk_objects:
diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml
index d7d64e6f7f..6d9bf3e132 100644
--- a/detections/endpoint/remcos_client_registry_install_entry.yml
+++ b/detections/endpoint/remcos_client_registry_install_entry.yml
@@ -1,7 +1,7 @@
name: Remcos client registry install entry
id: f2a1615a-1d63-11ec-97d2-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry entry $registry_path$ with registry keyname $registry_key_name$ related to Remcos RAT in host $dest$
risk_objects:
diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
index 13fff3f768..7631300585 100644
--- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
+++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
@@ -1,7 +1,7 @@
name: Remcos RAT File Creation in Remcos Folder
id: 25ae862a-1ac3-11ec-94a1-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Sanjay Govind
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: file $file_name$ created in $file_path$ of $dest$
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
index fcaf78441a..f66cb60b0f 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via DCOM and PowerShell
id: d4f42098-4680-11ec-ad07-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$ by abusing DCOM using PowerShell.exe
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
index daefa67c8c..a7b52401f1 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via DCOM and PowerShell Script Block
id: fa1c3040-4680-11ec-a618-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$ by abusing WMI using PowerShell.exe
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
index bdb22962ae..9a53ea2943 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and PowerShell
id: ba24cda8-4716-11ec-8009-3e22fbd008af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$ by abusing WinRM using PowerShell.exe
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
index af01b6bd93..e1cdcefcf7 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and PowerShell Script Block
id: 7d4c618e-4716-11ec-951c-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$ by abusing WinRM using PowerShell.exe
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
index 8b75ef5303..4ecfe1323c 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WinRM and Winrs
id: 0dd296a2-4338-11ec-ba02-3e22fbd008af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml
index f1ec3bd455..843092504a 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WMI
id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da
-version: 17
-date: '2026-03-16'
+version: 18
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A wmic.exe process $process$ contain process spawn commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
index 40e2adb82a..7f726b788a 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WMI and PowerShell
id: 112638b4-4634-11ec-b9ab-3e22fbd008af
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$ by abusing WMI using PowerShell.exe
risk_objects:
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
index 7963762d19..06c1dbd7ba 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
@@ -1,7 +1,7 @@
name: Remote Process Instantiation via WMI and PowerShell Script Block
id: 2a048c14-4634-11ec-a618-3e22fbd008af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was started on a remote endpoint from $dest$ by abusing WMI using PowerShell.exe
risk_objects:
diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
index d8326a7978..d1a741b224 100644
--- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
@@ -1,7 +1,7 @@
name: Remote System Discovery with Adsisearcher
id: 70803451-0047-4e12-9d63-77fa7eb8649c
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery enumeration with adsisearcher on $dest$ by $user_id$
risk_objects:
diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml
index b49c69b72a..b6a14a8f33 100644
--- a/detections/endpoint/remote_system_discovery_with_dsquery.yml
+++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
name: Remote System Discovery with Dsquery
id: 9fb562f4-42f8-4139-8e11-a82edf7ed718
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml
index 469332bd0c..42286c99c2 100644
--- a/detections/endpoint/remote_system_discovery_with_wmic.yml
+++ b/detections/endpoint/remote_system_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
name: Remote System Discovery with Wmic
id: d82eced3-b1dc-42ab-859e-a2fc98827359
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote system discovery enumeration on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml
index f9ef6d4655..162e235474 100644
--- a/detections/endpoint/remote_wmi_command_attempt.yml
+++ b/detections/endpoint/remote_wmi_command_attempt.yml
@@ -1,7 +1,7 @@
name: Remote WMI Command Attempt
id: 272df6de-61f1-4784-877c-1fbc3e2d0838
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A wmic.exe process $process$ contain node commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml
index 1ae0bb69d5..f4f7819b76 100644
--- a/detections/endpoint/resize_shadowstorage_volume.yml
+++ b/detections/endpoint/resize_shadowstorage_volume.yml
@@ -1,7 +1,7 @@
name: Resize ShadowStorage volume
id: bc760ca6-8336-11eb-bcbb-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras
status: production
type: TTP
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $parent_process_name$ attempted to resize shadow copy with commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml
index 9a0a84218e..5639c49f9f 100644
--- a/detections/endpoint/revil_common_exec_parameter.yml
+++ b/detections/endpoint/revil_common_exec_parameter.yml
@@ -1,7 +1,7 @@
name: Revil Common Exec Parameter
id: 85facebe-c382-11eb-9c3e-acde48001122
-version: 10
-date: '2026-03-24'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $process_name$ with commandline $process$ related to revil ransomware in host $dest$
risk_objects:
diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml
index 9127fbf8cb..c4e60ef3ab 100644
--- a/detections/endpoint/revil_registry_entry.yml
+++ b/detections/endpoint/revil_registry_entry.yml
@@ -1,7 +1,7 @@
name: Revil Registry Entry
id: e3d3f57a-c381-11eb-9e35-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry entry $registry_path$ with registry value $registry_value_name$ and $registry_value_name$ related to revil ransomware in host $dest$
risk_objects:
diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml
index 6888763dba..1b9d89f768 100644
--- a/detections/endpoint/rubeus_command_line_parameters.yml
+++ b/detections/endpoint/rubeus_command_line_parameters.yml
@@ -1,7 +1,7 @@
name: Rubeus Command Line Parameters
id: cca37478-8377-11ec-b59a-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Rubeus command line parameters were used on $dest$
risk_objects:
diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
index e372071ab6..ec1ff30022 100644
--- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
+++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
@@ -1,7 +1,7 @@
name: Rubeus Kerberos Ticket Exports Through Winlogon Access
id: 5ed8c50a-8869-11ec-876f-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Winlogon.exe was accessed by $SourceImage$ on $dest$
risk_objects:
diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
index 2067e045a9..9126f244c9 100644
--- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
+++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
@@ -1,7 +1,7 @@
name: Rundll32 Control RunDLL World Writable Directory
id: 1adffe86-10c3-11ec-8ce6-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to load a suspicious file from disk.
risk_objects:
diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
index e776272d97..5f89df893b 100644
--- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
+++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
@@ -1,7 +1,7 @@
name: Rundll32 Create Remote Thread To A Process
id: 2dbeee3a-f067-11eb-96c0-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundl32 process $SourceImage$ create a remote thread to process $TargetImage$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml
index b0d3ed0ba5..33c9f04e4c 100644
--- a/detections/endpoint/rundll32_createremotethread_in_browser.yml
+++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml
@@ -1,7 +1,7 @@
name: Rundll32 CreateRemoteThread In Browser
id: f8a22586-ee2d-11eb-a193-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundl32 process $SourceImage$ create a remote thread to browser process $TargetImage$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml
index efa2ca5078..d8f6ca9b07 100644
--- a/detections/endpoint/rundll32_lockworkstation.yml
+++ b/detections/endpoint/rundll32_lockworkstation.yml
@@ -1,7 +1,7 @@
name: Rundll32 LockWorkStation
id: fa90f372-f91d-11eb-816c-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ with cmdline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
index f88a887276..b7653a692c 100644
--- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
+++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
@@ -1,7 +1,7 @@
name: Rundll32 Process Creating Exe Dll Files
id: 6338266a-ee2a-11eb-bf68-acde48001122
-version: 12
-date: '2026-03-26'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundll32 process drops a file $file_name$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml
index 615733e633..1e61511940 100644
--- a/detections/endpoint/rundll32_shimcache_flush.yml
+++ b/detections/endpoint/rundll32_shimcache_flush.yml
@@ -1,7 +1,7 @@
name: Rundll32 Shimcache Flush
id: a913718a-25b6-11ec-96d3-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundll32 process execute $process$ to clear shim cache on $dest$
risk_objects:
diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
index 1d3405959e..a43b6081ce 100644
--- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
@@ -1,7 +1,7 @@
name: Rundll32 with no Command Line Arguments with Network
id: 35307032-a12d-11eb-835f-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Steven Dick, Michael Haag, Splunk
status: production
type: TTP
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A rundll32 process $process_name$ with no commandline argument like this process commandline $process$ in host $src$
risk_objects:
diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
index 72f64d58ea..b8d30f3148 100644
--- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml
+++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
@@ -1,7 +1,7 @@
name: RunDLL Loading DLL By Ordinal
id: 6c135f8d-5e60-454e-80b7-c56eed739833
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, David Dorsey, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A rundll32 process $process_name$ with ordinal parameter like this process commandline $process$ on host $dest$.
risk_objects:
diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml
index 44a85b7ecc..ebdfe6e832 100644
--- a/detections/endpoint/ryuk_test_files_detected.yml
+++ b/detections/endpoint/ryuk_test_files_detected.yml
@@ -1,7 +1,7 @@
name: Ryuk Test Files Detected
id: 57d44d70-28d9-4ed1-acf5-1c80ae2bbce3
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rod Soto, Jose Hernandez, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A creation of ryuk test file $file_path$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml
index c7f9517159..abf5fb1117 100644
--- a/detections/endpoint/ryuk_wake_on_lan_command.yml
+++ b/detections/endpoint/ryuk_wake_on_lan_command.yml
@@ -1,7 +1,7 @@
name: Ryuk Wake on LAN Command
id: 538d0152-7aaa-11eb-beaa-acde48001122
-version: 12
-date: '2026-03-24'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $process_name$ with wake on LAN commandline $process$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml
index fd3da8377f..146e650b6c 100644
--- a/detections/endpoint/samsam_test_file_write.yml
+++ b/detections/endpoint/samsam_test_file_write.yml
@@ -1,7 +1,7 @@
name: Samsam Test File Write
id: 493a879d-519d-428f-8f57-a06a0fdc107e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A samsam ransomware test file creation in $file_path$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
index f05e3feef0..d12a624bd7 100644
--- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
+++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
@@ -1,7 +1,7 @@
name: SchCache Change By App Connect And Create ADSI Object
id: 991eb510-0fc6-11ec-82d3-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ created a file $file_name$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml
index 4bb23c762c..39e0bc047b 100644
--- a/detections/endpoint/schedule_task_with_http_command_arguments.yml
+++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml
@@ -1,7 +1,7 @@
name: Schedule Task with HTTP Command Arguments
id: 523c2684-a101-11eb-916b-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A scheduled task process commandline arguments $Arguments$ with http string in it on host $dest$
risk_objects:
diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
index 526151cab6..e79f13b8d9 100644
--- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
+++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
@@ -1,7 +1,7 @@
name: Schedule Task with Rundll32 Command Trigger
id: 75b00fd8-a0ff-11eb-8b31-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A scheduled task process commandline rundll32 arguments $Arguments$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
index af8dfd3932..8e0d0db887 100644
--- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
+++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
@@ -1,7 +1,7 @@
name: Scheduled Task Creation on Remote Endpoint using At
id: 4be54858-432f-11ec-8209-3e22fbd008af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows Scheduled Task was created on a remote endpoint from $dest$
risk_objects:
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index b62bb660a9..74a03448d8 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -1,7 +1,7 @@
name: Scheduled Task Deleted Or Created via CMD
id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 26
-date: '2026-03-26'
+version: 27
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -65,9 +65,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A parent process [$parent_process_name$] with commandline [$parent_process$] spawned a schedule task process [$process_name$] with create or delete commandline [$process$] on host [$dest$]
risk_objects:
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index 808c7050bd..33a9fc803a 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
name: Scheduled Task Initiation on Remote Endpoint
id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk, Badoodish, Github Community
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows Scheduled Task was ran on a remote endpoint from $dest$
risk_objects:
diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml
index bf230ab4c5..f836021eb4 100644
--- a/detections/endpoint/schtasks_run_task_on_demand.yml
+++ b/detections/endpoint/schtasks_run_task_on_demand.yml
@@ -1,7 +1,7 @@
name: Schtasks Run Task On Demand
id: bb37061e-af1f-11eb-a159-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A "on demand" execution of schedule task process $process_name$ using commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
index c61fa3e502..451dce40e7 100644
--- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
+++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -1,7 +1,7 @@
name: Schtasks scheduling job on remote system
id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: David Dorsey, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A scheduled task process $process_name$ with remote job command-line $process$ on host $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
index 6c2c4decdf..00737311b3 100644
--- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
+++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
@@ -1,7 +1,7 @@
name: Schtasks used for forcing a reboot
id: 1297fb80-f42a-4b4a-9c8a-88c066437cf6
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A schedule task process $process_name$ with force reboot commandline $process$ in host $dest$
risk_objects:
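Review bot: The unquoted `latest_offset: 0` is parsed as an integer, unlike the string `7d` on the line above and the `$info_min_time$`/`$info_max_time$` strings it replaces; `latest_offset: '0'` would avoid a type mismatch if the schema expects a string. Note also that a zero latest offset anchored to the event time drops risk events that fire after this notable, which for a forced-reboot detection may be the activity an analyst most wants to see; a positive offset, or a name that says "the 7 days preceding this event", would make the intended window explicit. The `drilldown_searches` list begins above the hunk.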
diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml
index 225a6c03d1..b981aa21f8 100644
--- a/detections/endpoint/screensaver_event_trigger_execution.yml
+++ b/detections/endpoint/screensaver_event_trigger_execution.yml
@@ -1,7 +1,7 @@
name: Screensaver Event Trigger Execution
id: 58cea3ec-1f6d-11ec-8560-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry path $registry_path$ was modified, added, or deleted on $dest$.
risk_objects:
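Review bot: `latest_offset: 0` is an integer scalar while `earliest_offset: 7d` is a string; quoting it as `latest_offset: '0'` keeps both offsets the same type as the `$info_min_time$`/`$info_max_time$` values they replace. If the offsets are applied relative to the notable's time, this drilldown now ends at the event rather than at search time, so risk events raised after a screensaver persistence entry is written will not appear; if that is intended, the drilldown name should say so rather than "last 7 days". The `drilldown_searches` list starts above the hunk.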
diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml
index b3a38e5c7a..e4974ca43c 100644
--- a/detections/endpoint/script_execution_via_wmi.yml
+++ b/detections/endpoint/script_execution_via_wmi.yml
@@ -1,7 +1,7 @@
name: Script Execution via WMI
id: aa73f80d-d728-4077-b226-81ea0c8be589
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A wmic.exe process $process_name$ that execute script in host $dest$
risk_objects:
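Review bot: The new `latest_offset: 0` loads as an integer while the neighbouring `earliest_offset: 7d` and the replaced `$info_min_time$`/`$info_max_time$` tokens are strings; `latest_offset: '0'` keeps the field's type consistent across the repository. Separately, anchoring the window to end at the notable's event time means risk events generated after the WMI script execution (for example follow-on execution on the same host) are not shown, whereas the removed `starthoursago=168` was relative to search time; if the narrowing is deliberate, renaming the drilldown to "the 7 days preceding this event" would avoid surprising analysts. The `drilldown_searches` list begins above the hunk.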
diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml
index 705ec5d5c9..c0a46a2cde 100644
--- a/detections/endpoint/sdclt_uac_bypass.yml
+++ b/detections/endpoint/sdclt_uac_bypass.yml
@@ -1,7 +1,7 @@
name: Sdclt UAC Bypass
id: d71efbf6-da63-11eb-8c6e-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ on $dest$
risk_objects:
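Review bot: `latest_offset: 0` is parsed as an integer, unlike `earliest_offset: 7d` and the string tokens it replaces; quoting it (`latest_offset: '0'`) avoids depending on the loader coercing an int to a string. If ES treats these as offsets from the notable's event time, the search now covers the 7 days ending at the UAC-bypass registry write and excludes later risk events on `$dest$`; if that is intended, the drilldown name could read `View risk events for the 7 days preceding this event for - "$dest$"`. The `drilldown_searches` list starts above the hunk.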
diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml
index ccf5a89297..6af3ff06ad 100644
--- a/detections/endpoint/sdelete_application_execution.yml
+++ b/detections/endpoint/sdelete_application_execution.yml
@@ -1,7 +1,7 @@
name: Sdelete Application Execution
id: 31702fc0-2682-11ec-85c3-acde48001122
-version: 12
-date: '2026-03-16'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: sdelete process $process_name$ executed on $dest$
risk_objects:
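Review bot: The unquoted `latest_offset: 0` becomes an integer while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps both offsets typed like the `$info_min_time$`/`$info_max_time$` strings they replace. If the offsets are relative to the event time, risk events after the sdelete execution (the wiping that typically follows) fall outside the window; a positive latest offset or a name stating "the 7 days preceding this event" would make the chosen window explicit. The `drilldown_searches` list begins above the hunk.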
diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
index 9bf5032736..634d7a462a 100644
--- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
+++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
@@ -1,7 +1,7 @@
name: SearchProtocolHost with no Command Line with Network
id: b690df8c-a145-11eb-a38b-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A searchprotocolhost.exe process $process_name$ with no commandline on host $dest$
risk_objects:
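Review bot: `latest_offset: 0` is an integer scalar while `earliest_offset: 7d` is a string; quoting it as `latest_offset: '0'` matches the types of the removed `$info_min_time$`/`$info_max_time$` values. If these offsets are anchored to the notable's event time, the drilldown now stops at the event and risk events raised afterwards on `$dest$` are excluded, which differs from the removed search-time-relative `starthoursago=168`; if intended, the name "last 7 days" should say "the 7 days preceding this event". The `drilldown_searches` list starts above the hunk.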
diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
index 2124ba4b60..5841b0025a 100644
--- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
+++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
@@ -1,7 +1,7 @@
name: SecretDumps Offline NTDS Dumping Tool
id: 5672819c-be09-11eb-bbfb-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A secretdump process $process_name$ with secretdump commandline $process$ to dump credentials on host $dest$
risk_objects:
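Review bot: The new `latest_offset: 0` loads as an integer while `earliest_offset: 7d` and the replaced tokens are strings; `latest_offset: '0'` avoids a schema type mismatch if the field is declared as a string. Separately, a zero latest offset relative to the event time excludes risk events after the credential dump, which for an NTDS dumping detection is where lateral movement with the harvested hashes would show up; if that is intended, the drilldown name could read `View risk events for the 7 days preceding this event for - "$dest$" and "$user$"`. The `drilldown_searches` list begins above the hunk.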
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
index eacd5c7851..e3ae6d155d 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
@@ -1,7 +1,7 @@
name: ServicePrincipalNames Discovery with PowerShell
id: 13243068-2d38-11ec-8908-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of attempting to identify service principle detected on $dest$ names.
risk_objects:
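Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is a string; quoting it (`latest_offset: '0'`) keeps the pair consistently typed with the `$info_min_time$`/`$info_max_time$` strings it replaces. If the offsets are applied relative to the notable's event time, the window now ends at the SPN discovery and later risk events for `$user_id$`/`$dest$` (for example the Kerberoasting that typically follows) are excluded; if that is intended, the name should say "the 7 days preceding this event" rather than "last 7 days". The `drilldown_searches` list starts above the hunk.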
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
index 300b689f04..7663ebc7f1 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
@@ -1,7 +1,7 @@
name: ServicePrincipalNames Discovery with SetSPN
id: ae8b3efc-2d2e-11ec-8b57-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to identify service principal names.
risk_objects:
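Review bot: The unquoted `latest_offset: 0` becomes an integer while `earliest_offset: 7d` and the removed `$info_min_time$`/`$info_max_time$` values are strings; `latest_offset: '0'` keeps the field's type uniform. If ES anchors these offsets to the event time, risk events raised after the setspn discovery are no longer shown, unlike the removed search-time-relative `starthoursago=168`; a positive latest offset, or a name stating "the 7 days preceding this event", would make the intended window explicit. The `drilldown_searches` list begins above the hunk.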
diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml
index 7d2a727373..56e36b2f3d 100644
--- a/detections/endpoint/services_escalate_exe.yml
+++ b/detections/endpoint/services_escalate_exe.yml
@@ -1,7 +1,7 @@
name: Services Escalate Exe
id: c448488c-b7ec-11eb-8253-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service process $parent_process_name$ with process path $process_path$ on host $dest$
risk_objects:
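Review bot: `latest_offset: 0` is an integer scalar while `earliest_offset: 7d` is a string; quoting it as `latest_offset: '0'` matches the string tokens it replaces and avoids relying on loader coercion. If the offsets are relative to the notable's time, the drilldown now ends at the service-spawned process and excludes later risk events on `$dest$`/`$user$`; if intended, the drilldown name could read `View risk events for the 7 days preceding this event for - "$dest$" and "$user$"`. The `drilldown_searches` list starts above the hunk.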
diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml
index d0eb223e3a..b3688d5862 100644
--- a/detections/endpoint/services_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
name: Services LOLBAS Execution Process Spawn
id: ba9e1954-4c04-11ec-8b74-3e22fbd008af
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: "Services.exe spawned LOLBAS: $process_name$ located in $process_path$ on $dest$"
risk_objects:
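Review bot: The new `latest_offset: 0` loads as an integer while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps both offsets typed like the `$info_min_time$`/`$info_max_time$` strings they replace. If these are offsets from the event time, risk events generated after the LOLBAS spawn are outside the window, whereas the removed `starthoursago=168` was relative to search time; if the narrowing is deliberate, the name "last 7 days" should say "the 7 days preceding this event". The `drilldown_searches` list begins above the hunk.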
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index 48ea136a91..987352d2ee 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -1,7 +1,7 @@
name: Set Default PowerShell Execution Policy To Unrestricted or Bypass
id: c2590137-0b08-4985-9ec5-6ae23d92f63d
-version: 20
-date: '2026-03-10'
+version: 21
+date: '2026-03-31'
author: Steven Dick, Patrick Bareiss, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in $registry_path$ with reg key $registry_key_name$ and reg value $registry_value_name$ in host $dest$
risk_objects:
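Review bot: `latest_offset: 0` is parsed as an integer, unlike `earliest_offset: 7d` and the replaced string tokens; quoting it (`latest_offset: '0'`) avoids a type mismatch if the drilldown schema expects a string. Separately, a zero latest offset anchored to the event time excludes risk events after the execution-policy change, which is precisely when the scripts the policy was loosened for would run; a positive offset, or a name stating "the 7 days preceding this event", would make the chosen window explicit. The `drilldown_searches` list starts above the hunk.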
diff --git a/detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml b/detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml
index 054ca4c138..4ffed7bd47 100644
--- a/detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml
+++ b/detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml
@@ -1,7 +1,7 @@
name: Shai-Hulud 2 Exfiltration Artifact Files
id: 9e7d3c0f-4a5b-6c8d-1e2f-3a4b5c6d7e8f
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Shai-Hulud 2.0 exfiltration artifact $file_name$ created on $dest$
risk_objects:
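Review bot: The unquoted `latest_offset: 0` becomes an integer while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps the pair consistently typed with the removed `$info_min_time$`/`$info_max_time$` values. If the offsets are relative to the notable's event time, risk events raised after the exfiltration artifact is created on `$dest$` are not shown, unlike the removed search-time-relative `starthoursago=168`; if intended, the drilldown name could read `View risk events for the 7 days preceding this event for - "$dest$"`. The `drilldown_searches` list begins above the hunk.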
diff --git a/detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml b/detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml
index 45d12f3d91..cca86da07b 100644
--- a/detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml
+++ b/detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml
@@ -1,7 +1,7 @@
name: Shai-Hulud Workflow File Creation or Modification
id: 6b4a0a7f-10d1-4d72-9c4c-5c6a3d9f9d6a
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Shai-Hulud malicious workflow file detected on endpoint $dest$ at $file_path$. Immediate investigation required.
risk_objects:
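Review bot: `latest_offset: 0` is an integer scalar while `earliest_offset: 7d` and the replaced tokens are strings; quoting it as `latest_offset: '0'` keeps the field uniformly typed across detections. If ES applies these offsets relative to the event time, the window ends at the workflow file write and later risk events on `$dest$` are excluded, which matters for a detection whose message says "Immediate investigation required"; if that is intended, the name should say "the 7 days preceding this event" rather than "last 7 days". The `drilldown_searches` list starts above the hunk.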
diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml
index 2192366f39..97d9c75ec9 100644
--- a/detections/endpoint/shim_database_file_creation.yml
+++ b/detections/endpoint/shim_database_file_creation.yml
@@ -1,7 +1,7 @@
name: Shim Database File Creation
id: 6e4c4588-ba2f-42fa-97e6-9f6f548eaa33
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process that possibly write shim database in $file_path$ in host $dest$
risk_objects:
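Review bot: The new `latest_offset: 0` loads as an integer while `earliest_offset: 7d` is a string; `latest_offset: '0'` matches the `$info_min_time$`/`$info_max_time$` strings it replaces and avoids depending on loader coercion. If the offsets are anchored to the notable's time, risk events after the shim database creation (such as the application it later hooks) are outside the window, whereas the removed `starthoursago=168` was relative to search time; if deliberate, the drilldown name could read `View risk events for the 7 days preceding this event for - "$dest$"`. The `drilldown_searches` list begins above the hunk.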
diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
index 3b96c9a883..d141c30133 100644
--- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
+++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
@@ -1,7 +1,7 @@
name: Shim Database Installation With Suspicious Parameters
id: 404620de-46d8-48b6-90cc-8a8d7b0876a3
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $process_name$ that possibly creates a shim db silently in host $dest$
risk_objects:
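Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is a string; quoting it (`latest_offset: '0'`) keeps both offsets typed like the string tokens they replace. If these are offsets from the event time, the drilldown now stops at the silent shim installation and excludes later risk events for `$dest$`/`$user$`; a positive latest offset, or a name stating "the 7 days preceding this event", would make the intended window explicit. The `drilldown_searches` list starts above the hunk.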
diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml
index ffcb522d04..0bb32977c3 100644
--- a/detections/endpoint/short_lived_scheduled_task.yml
+++ b/detections/endpoint/short_lived_scheduled_task.yml
@@ -1,7 +1,7 @@
name: Short Lived Scheduled Task
id: 6fa31414-546e-11ec-adfa-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A windows scheduled task was created and deleted in 30 seconds on $dest$
risk_objects:
diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml
index 22fab487bb..8af87b61e2 100644
--- a/detections/endpoint/short_lived_windows_accounts.yml
+++ b/detections/endpoint/short_lived_windows_accounts.yml
@@ -1,7 +1,7 @@
name: Short Lived Windows Accounts
id: b25f6f62-0782-43c1-b403-083231ffd97d
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: David Dorsey, Bhavin Patel, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user account $user$ is created and deleted within a short time period on host $dest$ by user $src_user$
risk_objects:
diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml
index c7c61dd5ca..bd10ea4546 100644
--- a/detections/endpoint/silentcleanup_uac_bypass.yml
+++ b/detections/endpoint/silentcleanup_uac_bypass.yml
@@ -1,7 +1,7 @@
name: SilentCleanup UAC Bypass
id: 56d7cfcc-da63-11eb-92d4-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml
index 7db274815f..cdc7953ade 100644
--- a/detections/endpoint/single_letter_process_on_endpoint.yml
+++ b/detections/endpoint/single_letter_process_on_endpoint.yml
@@ -1,7 +1,7 @@
name: Single Letter Process On Endpoint
id: a4214f0b-e01c-41bc-8cc4-d2b71e3056b4
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -92,9 +92,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process $process_name$ with single letter on host $dest$
risk_objects:
diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml
index ffaeb9a08a..d403c4b717 100644
--- a/detections/endpoint/slui_runas_elevated.yml
+++ b/detections/endpoint/slui_runas_elevated.yml
@@ -1,7 +1,7 @@
name: SLUI RunAs Elevated
id: 8d124810-b3e4-11eb-96c7-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A slui process $process_name$ with elevated commandline $process$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml
index 300384c32c..6129c6df50 100644
--- a/detections/endpoint/slui_spawning_a_process.yml
+++ b/detections/endpoint/slui_spawning_a_process.yml
@@ -1,7 +1,7 @@
name: SLUI Spawning a Process
id: 879c4330-b3e0-11eb-b1b1-acde48001122
-version: 11
-date: '2026-03-24'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A slui process $parent_process_name$ spawning child process $process_name$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml
index 33c0e753da..811c40edf2 100644
--- a/detections/endpoint/spoolsv_spawning_rundll32.yml
+++ b/detections/endpoint/spoolsv_spawning_rundll32.yml
@@ -1,7 +1,7 @@
name: Spoolsv Spawning Rundll32
id: 15d905f6-da6b-11eb-ab82-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $parent_process_name$ has spawned $process_name$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
risk_objects:
diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
index ce33e361d8..61ffc2436d 100644
--- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
+++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
@@ -1,7 +1,7 @@
name: Spoolsv Suspicious Loaded Modules
id: a5e451f8-da81-11eb-b245-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
risk_objects:
diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml
index 55490787fb..2460a6ee5c 100644
--- a/detections/endpoint/spoolsv_suspicious_process_access.yml
+++ b/detections/endpoint/spoolsv_suspicious_process_access.yml
@@ -1,7 +1,7 @@
name: Spoolsv Suspicious Process Access
id: 799b606e-da81-11eb-93f8-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $SourceImage$ was GrantedAccess open access to $TargetImage$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
risk_objects:
diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml
index f5bb3a61e5..255531ddca 100644
--- a/detections/endpoint/spoolsv_writing_a_dll.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll.yml
@@ -1,7 +1,7 @@
name: Spoolsv Writing a DLL
id: d5bf5cf2-da71-11eb-92c2-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
risk_objects:
diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
index 9660d2dc48..b69af45c4e 100644
--- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
@@ -1,7 +1,7 @@
name: Spoolsv Writing a DLL - Sysmon
id: 347fd388-da87-11eb-836d-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process has been identified writing dll's to $file_path$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.
risk_objects:
diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml
index 1d7fcc0f09..374bb740bd 100644
--- a/detections/endpoint/sqlite_module_in_temp_folder.yml
+++ b/detections/endpoint/sqlite_module_in_temp_folder.yml
@@ -1,7 +1,7 @@
name: Sqlite Module In Temp Folder
id: 0f216a38-f45f-11eb-b09c-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process creates a file $file_name$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
index fe886b74e6..ed775c15dd 100644
--- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
+++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
@@ -1,7 +1,7 @@
name: Steal or Forge Authentication Certificates Behavior Identified
id: 87ac670e-bbfd-44ca-b566-44e9f835518d
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Correlation
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Windows Certificate Services
diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml
index 93d172ba15..73e5eb7a69 100644
--- a/detections/endpoint/suspicious_computer_account_name_change.yml
+++ b/detections/endpoint/suspicious_computer_account_name_change.yml
@@ -1,7 +1,7 @@
name: Suspicious Computer Account Name Change
id: 35a61ed8-61c4-11ec-bc1e-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$OldTargetUserName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$OldTargetUserName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$OldTargetUserName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A computer account $OldTargetUserName$ was renamed with a suspicious computer name on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index ff6cd9c2a7..ccd254deee 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -1,7 +1,7 @@
name: Suspicious Copy on System32
id: ce633e56-25b2-11ec-9e76-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -72,9 +72,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Execution of copy exe to copy file from $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
index 9495ce5d1c..783ed66ffe 100644
--- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Suspicious DLLHost no Command Line Arguments
id: ff61e98c-0337-4593-a78f-72a676c56f26
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious dllhost.exe process with no command line arguments executed on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
index 1e9b9414c2..75a27b0e48 100644
--- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Suspicious GPUpdate no Command Line Arguments
id: f308490a-473a-40ef-ae64-dd7a6eba284a
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious gpupdate.exe process with no command line arguments executed on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
index fe2606a02f..e77ecbedae 100644
--- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
+++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
@@ -1,7 +1,7 @@
name: Suspicious IcedID Rundll32 Cmdline
id: bed761f8-ee29-11eb-8bf3-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundll32 process $process_name$ with commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
index 5d3865e026..4923b109a0 100644
--- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
@@ -1,7 +1,7 @@
name: Suspicious Image Creation In Appdata Folder
id: f6f904c4-1ac0-11ec-806b-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ creating image file $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
index b0def2da1a..d2b491a82d 100644
--- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
@@ -1,7 +1,7 @@
name: Suspicious Kerberos Service Ticket Request
id: 8b1297bc-6204-11ec-b7c4-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml
index 2b21d25597..e1eada50fc 100644
--- a/detections/endpoint/suspicious_linux_discovery_commands.yml
+++ b/detections/endpoint/suspicious_linux_discovery_commands.yml
@@ -1,7 +1,7 @@
name: Suspicious Linux Discovery Commands
id: 0edd5112-56c9-11ec-b990-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious Linux Discovery Commands detected on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
index 0063473008..0d0869b81e 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
@@ -1,7 +1,7 @@
name: Suspicious microsoft workflow compiler usage
id: 9bbc62e8-55d8-11eb-ae93-0242ac130002
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious microsoft.workflow.compiler.exe process ran on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml
index 36ca478e85..d30910b535 100644
--- a/detections/endpoint/suspicious_msbuild_path.yml
+++ b/detections/endpoint/suspicious_msbuild_path.yml
@@ -1,7 +1,7 @@
name: Suspicious msbuild path
id: f5198224-551c-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Msbuild.exe ran from an uncommon path on $dest$ execyted by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml
index ae1d33d051..e6f8921881 100644
--- a/detections/endpoint/suspicious_msbuild_spawn.yml
+++ b/detections/endpoint/suspicious_msbuild_spawn.yml
@@ -1,7 +1,7 @@
name: Suspicious MSBuild Spawn
id: a115fba6-5514-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious msbuild.exe process executed on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index d510613aad..e95a4a5bc4 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -1,7 +1,7 @@
name: Suspicious mshta child process
id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious mshta child process $process_name$ detected on host $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml
index 421a464577..b94d680be0 100644
--- a/detections/endpoint/suspicious_mshta_spawn.yml
+++ b/detections/endpoint/suspicious_mshta_spawn.yml
@@ -1,7 +1,7 @@
name: Suspicious mshta spawn
id: 4d33a488-5b5f-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: mshta.exe spawned by wmiprvse.exe on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml
index 247c8c4925..61fefc1a68 100644
--- a/detections/endpoint/suspicious_process_executed_from_container_file.yml
+++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml
@@ -1,7 +1,7 @@
name: Suspicious Process Executed From Container File
id: d8120352-3b62-411c-8cb6-7b47584dd5e8
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process $process_name$ was launched from $file_name$ on $dest$.
risk_objects:
diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml
index ddc9f4421e..040ef86883 100644
--- a/detections/endpoint/suspicious_reg_exe_process.yml
+++ b/detections/endpoint/suspicious_reg_exe_process.yml
@@ -1,7 +1,7 @@
name: Suspicious Reg exe Process
id: a6b3ab4e-dd77-4213-95fa-fc94701995e0
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a registry entry.
risk_objects:
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
index 4005e9ab32..6ee2834fe4 100644
--- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
+++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -1,7 +1,7 @@
name: Suspicious Regsvr32 Register Suspicious Path
id: 62732736-6250-11eb-ae93-0242ac130002
-version: 16
-date: '2026-03-10'
+version: 17
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to evade detection by using a non-standard file extension.
risk_objects:
diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
index 03dafd66d4..c1b02128e3 100644
--- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
+++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
@@ -1,7 +1,7 @@
name: Suspicious Rundll32 dllregisterserver
id: 8c00a385-9b86-4ac0-8932-c9ec3713b159
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a DLL. code
risk_objects:
diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
index ab6b7d1362..0951676b75 100644
--- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Suspicious Rundll32 no Command Line Arguments
id: e451bd16-e4c5-4109-8eb1-c4c6ecf048b4
-version: 13
-date: '2026-03-25'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious rundll32.exe process with no command line arguments executed on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml
index 1f386760a8..594d56da85 100644
--- a/detections/endpoint/suspicious_rundll32_plugininit.yml
+++ b/detections/endpoint/suspicious_rundll32_plugininit.yml
@@ -1,7 +1,7 @@
name: Suspicious Rundll32 PluginInit
id: 92d51712-ee29-11eb-b1ae-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundll32 process $process_name$ with commandline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml
index 14f37c0c95..6077ed6024 100644
--- a/detections/endpoint/suspicious_rundll32_startw.yml
+++ b/detections/endpoint/suspicious_rundll32_startw.yml
@@ -1,7 +1,7 @@
name: Suspicious Rundll32 StartW
id: 9319dda5-73f2-4d43-a85a-67ce961bddb7
-version: 13
-date: '2026-03-24'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundll32.exe running with suspicious StartW parameters on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index 4cb67360a7..ac5f3a0b5a 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -1,7 +1,7 @@
name: Suspicious Scheduled Task from Public Directory
id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: 19
-date: '2026-03-10'
+version: 20
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious scheduled task registered on $dest$ from Public Directory
risk_objects:
diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
index 9dc4116257..eaedf72370 100644
--- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
name: Suspicious SearchProtocolHost no Command Line Arguments
id: f52d2db8-31f9-4aa7-a176-25779effe55c
-version: 13
-date: '2026-03-25'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious searchprotocolhost.exe process with no command line arguments executed on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
index 84bcd65257..ae0eb9050d 100644
--- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
@@ -1,7 +1,7 @@
name: Suspicious WAV file in Appdata Folder
id: 5be109e6-1ac5-11ec-b421-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ creating image file $file_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml
index fd0f460d7f..3cdbf32c59 100644
--- a/detections/endpoint/suspicious_wevtutil_usage.yml
+++ b/detections/endpoint/suspicious_wevtutil_usage.yml
@@ -1,7 +1,7 @@
name: Suspicious wevtutil Usage
id: 2827c0fd-e1be-4868-ae25-59d28e0f9d4f
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
author: David Dorsey, Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wevtutil.exe being used to clear Event Logs on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
index 86eb9c525b..b3db67e0d0 100644
--- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
+++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
@@ -1,7 +1,7 @@
name: Suspicious writes to windows Recycle Bin
id: b5541828-8ffd-4070-9d95-b3da4de924cb
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious writes to windows Recycle Bin process $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
index 738c1f927a..b747b5d53d 100644
--- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
name: Svchost LOLBAS Execution Process Spawn
id: 09e5c72a-4c0d-11ec-aa29-3e22fbd008af
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Svchost.exe spawned a LOLBAS process on $dest$
risk_objects:
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index fbcf5eb688..0118d1209f 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -1,7 +1,7 @@
name: System Information Discovery Detection
id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Patrick Bareiss, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential system information discovery behavior on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
index 9e9c19c378..b3db022c76 100644
--- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml
+++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
@@ -1,7 +1,7 @@
name: System Processes Run From Unexpected Locations
id: a34aae96-ccf8-4aef-952c-3ea21444444d
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A System process $process_name$ is running from $process_path$ on $dest$, potentially non-standard.
risk_objects:
diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml
index 5d82c74d4c..e7ddd3c12b 100644
--- a/detections/endpoint/time_provider_persistence_registry.yml
+++ b/detections/endpoint/time_provider_persistence_registry.yml
@@ -1,7 +1,7 @@
name: Time Provider Persistence Registry
id: 5ba382c4-2105-11ec-8d8f-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ on $dest$
risk_objects:
diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml
index c113c2fe86..d5e12425f0 100644
--- a/detections/endpoint/trickbot_named_pipe.yml
+++ b/detections/endpoint/trickbot_named_pipe.yml
@@ -1,7 +1,7 @@
name: Trickbot Named Pipe
id: 1804b0a4-a682-11eb-8f68-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Trickbot namedpipe created on $dest$ by $process_name$
risk_objects:
diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
index a83786cd3e..d5e933d27f 100644
--- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
+++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
@@ -1,7 +1,7 @@
name: UAC Bypass MMC Load Unsigned Dll
id: 7f04349c-e30d-11eb-bc7f-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious unsigned $ImageLoaded$ loaded by $Image$ on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
index e6b2e3fc59..66aca25e9f 100644
--- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml
+++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
@@ -1,7 +1,7 @@
name: UAC Bypass With Colorui COM Object
id: 2bcccd20-fc2b-11eb-8d22-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$.
risk_objects:
diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml
index 296baea46a..b6ff47ddd7 100644
--- a/detections/endpoint/uninstall_app_using_msiexec.yml
+++ b/detections/endpoint/uninstall_app_using_msiexec.yml
@@ -1,7 +1,7 @@
name: Uninstall App Using MsiExec
id: 1fca2b28-f922-11eb-b2dd-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ with a cmdline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
index 2e3487b918..41e889d08e 100644
--- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
+++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
@@ -1,7 +1,7 @@
name: Unknown Process Using The Kerberos Protocol
id: c91a0852-9fbb-11ec-af44-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Unknown process $process_name$ using the kerberos protocol detected on host $dest$
risk_objects:
diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml
index 4c351273e1..62aef5cbd9 100644
--- a/detections/endpoint/unload_sysmon_filter_driver.yml
+++ b/detections/endpoint/unload_sysmon_filter_driver.yml
@@ -1,7 +1,7 @@
name: Unload Sysmon Filter Driver
id: e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Sysmon filter driver unloading on $dest$
risk_objects:
diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml
index 1b3e0ec934..19497ccbaa 100644
--- a/detections/endpoint/unloading_amsi_via_reflection.yml
+++ b/detections/endpoint/unloading_amsi_via_reflection.yml
@@ -1,7 +1,7 @@
name: Unloading AMSI via Reflection
id: a21e3484-c94d-11eb-b55b-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible AMSI Unloading via Reflection using PowerShell on $dest$
risk_objects:
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 971c5234ae..5c6942cf7f 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -1,7 +1,7 @@
name: Unusual Number of Kerberos Service Tickets Requested
id: eb3e6702-8936-11ec-98fe-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Mauricio Velazco, Dean Luxton, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack
risk_objects:
diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml
index f12279f8f1..494dfe7ba0 100644
--- a/detections/endpoint/usn_journal_deletion.yml
+++ b/detections/endpoint/usn_journal_deletion.yml
@@ -1,7 +1,7 @@
name: USN Journal Deletion
id: b6e0ff70-b122-4227-9368-4cf322ab43c3
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible USN journal deletion on $dest$ via $process$
risk_objects:
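Review bot: `latest_offset: 0` is parsed by YAML as an integer, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the schema declares these offsets as strings, quote it (`latest_offset: '0'`) so the field type is consistent. An unsigned `7d` is ambiguous if the value is handed to Splunk as a relative-time modifier; `-7d` states the direction explicitly and is worth confirming against ES drilldown semantics. Since `starthoursago=168` was dropped from the search, the offsets alone now bound the 7-day window named in the drilldown title.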
diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml
index 0a6c5b4cff..0dc7a00e77 100644
--- a/detections/endpoint/vbscript_execution_using_wscript_app.yml
+++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml
@@ -1,7 +1,7 @@
name: Vbscript Execution Using Wscript App
id: 35159940-228f-11ec-8a49-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ with commandline $process$ to execute vbsscript
risk_objects:
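Review bot: `latest_offset: 0` becomes an integer in YAML while `earliest_offset: 7d` stays a string, and the previous value `$info_max_time$` was a string; if the content schema types both offsets as strings, quote the zero as `latest_offset: '0'`. If `7d` is passed through as a Splunk relative-time modifier, the missing sign leaves the direction implicit; `-7d` would be unambiguous, so confirm how ES interprets these offsets. With `starthoursago=168` removed from the search, the 7-day window promised by the drilldown name now depends entirely on these offsets.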
diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml
index 0313175674..4d97184d09 100644
--- a/detections/endpoint/wbadmin_delete_system_backups.yml
+++ b/detections/endpoint/wbadmin_delete_system_backups.yml
@@ -1,7 +1,7 @@
name: WBAdmin Delete System Backups
id: cd5aed7e-5cea-11eb-ae93-0242ac130002
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: System backups deletion on $dest$
risk_objects:
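Review bot: `latest_offset: 0` is an unquoted integer, while `earliest_offset: 7d` and the `$info_max_time$` it replaces are strings; if the schema expects string offsets, quote it as `latest_offset: '0'` to keep the pair consistently typed. If the consumer forwards `7d` as a Splunk relative-time modifier, the unsigned form does not state the direction; `-7d` would, and is worth confirming against ES drilldown behaviour. The search no longer contains `starthoursago=168`, so the offsets are now the only bound on the 7-day window.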
diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml
index 6acc3780b9..d568f071d4 100644
--- a/detections/endpoint/wbemprox_com_object_execution.yml
+++ b/detections/endpoint/wbemprox_com_object_execution.yml
@@ -1,7 +1,7 @@
name: Wbemprox COM Object Execution
id: 9d911ce0-c3be-11eb-b177-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious COM Object Execution on $dest$
risk_objects:
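Review bot: `latest_offset: 0` is parsed as an integer by YAML whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these as strings, quote it (`latest_offset: '0'`). An unsigned `7d` is ambiguous if passed to Splunk as a relative-time modifier, so confirm ES's offset semantics or write `-7d` to make the direction explicit. With `starthoursago=168` gone from the query, the two offsets alone enforce the 7-day window the drilldown name advertises.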
diff --git a/detections/endpoint/web_or_application_server_spawning_a_shell.yml b/detections/endpoint/web_or_application_server_spawning_a_shell.yml
index 7b1896a891..6db63654a7 100644
--- a/detections/endpoint/web_or_application_server_spawning_a_shell.yml
+++ b/detections/endpoint/web_or_application_server_spawning_a_shell.yml
@@ -1,7 +1,7 @@
name: Web or Application Server Spawning a Shell
id: 8fdb41ad-091c-4d7a-af1d-9123fe94b539
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -65,9 +65,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.
risk_objects:
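Review bot: `latest_offset: 0` is an integer to the YAML parser while `earliest_offset: 7d` and the prior `$info_max_time$` are strings; if the schema declares string offsets, quote the zero as `latest_offset: '0'` so both fields carry the same type. If `7d` is handed to Splunk as a relative-time modifier, the unsigned value leaves the direction implicit; `-7d` would be unambiguous, so confirm how ES drilldowns apply it. Because `starthoursago=168` was removed from the search, these offsets are now the sole bound on the 7-day window.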
diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml
index 24096fd61b..3afdd78b26 100644
--- a/detections/endpoint/wermgr_process_create_executable_file.yml
+++ b/detections/endpoint/wermgr_process_create_executable_file.yml
@@ -1,7 +1,7 @@
name: Wermgr Process Create Executable File
id: ab3bcce0-a105-11eb-973c-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wermgr.exe writing executable files on $dest$
risk_objects:
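Review bot: `latest_offset: 0` becomes an integer in YAML, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these offsets as strings, quote it as `latest_offset: '0'`. If the consumer passes `7d` through as a Splunk relative-time modifier, the missing sign is ambiguous and `-7d` would state the direction; worth confirming against ES offset handling. The search lost `starthoursago=168`, so the 7-day window named in the drilldown now rests entirely on these offsets.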
diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
index 1b80ad064f..0770e611ff 100644
--- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
+++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
@@ -1,7 +1,7 @@
name: Wermgr Process Spawned CMD Or Powershell Process
id: e8fc95bc-a107-11eb-a978-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wermgr.exe spawning suspicious processes on $dest$
risk_objects:
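Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` and the old `$info_max_time$` are strings; if the schema expects string offsets, quote it (`latest_offset: '0'`) to avoid a type mismatch between the two fields. An unsigned `7d` does not state direction if it is forwarded as a Splunk relative-time modifier; `-7d` would, so confirm how ES interprets drilldown offsets. With `starthoursago=168` dropped from the query, the offsets are the only thing bounding the 7-day window.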
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index 7b181bce6d..2d5956edc7 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -1,7 +1,7 @@
name: Windows Access Token Manipulation SeDebugPrivilege
id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 20
-date: '2026-03-26'
+version: 21
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $ProcessName$ adjust its privileges with SeDebugPrivilege on $Computer$.
risk_objects:
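Review bot: `latest_offset: 0` is parsed by YAML as an integer, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these offsets as strings, quote it as `latest_offset: '0'` for consistency. If `7d` reaches Splunk as a relative-time modifier, the unsigned form leaves the direction implicit; `-7d` is unambiguous, so confirm ES's drilldown offset semantics. Since `starthoursago=168` was removed from the search, these offsets alone enforce the 7-day window promised by the drilldown name.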
diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
index 0c45876726..d360940b36 100644
--- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
+++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
@@ -1,7 +1,7 @@
name: Windows Access Token Winlogon Duplicate Handle In Uncommon Path
id: b8f7ed6b-0556-4c84-bffd-839c262b0278
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$
risk_objects:
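Review bot: `latest_offset: 0` is an integer to YAML while `earliest_offset: 7d` and the prior `$info_max_time$` are strings; if the schema declares string offsets, quote the zero (`latest_offset: '0'`) so both fields share a type. If the consumer passes `7d` through as a Splunk relative-time modifier, the missing sign is ambiguous and `-7d` would make the direction explicit; worth confirming against ES. With `starthoursago=168` gone from the query, the 7-day window now depends entirely on these offsets.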
diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
index 6e71f43651..a928e4b8af 100644
--- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
+++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
@@ -1,7 +1,7 @@
name: Windows Account Access Removal via Logoff Exec
id: 223572ab-8768-4e20-9b39-c38707af80dc
-version: 7
-date: '2026-03-26'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 1
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process having child process [$process_name$] used to logoff user on [$dest$].
risk_objects:
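Review bot: `latest_offset: 0` becomes an integer in YAML, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these offsets as strings, quote it as `latest_offset: '0'`. An unsigned `7d` is ambiguous about direction if it is forwarded to Splunk as a relative-time modifier; `-7d` would be explicit, so confirm how ES applies drilldown offsets. The search no longer carries `starthoursago=168`, so these offsets are the only bound on the 7-day window the drilldown name advertises.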
diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
index 04dc554333..0a5d33f75a 100644
--- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
+++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
@@ -1,7 +1,7 @@
name: Windows Account Discovery for Sam Account Name
id: 69934363-e1dd-4c49-8651-9d7663dd4d2f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Account Discovery for Sam Account Name on $dest$.
risk_objects:
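Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` and the old `$info_max_time$` are strings; if the schema expects string offsets, quote it (`latest_offset: '0'`) to keep the two fields consistently typed. If `7d` is handed to Splunk as a relative-time modifier, the unsigned value leaves the direction implicit and `-7d` would be unambiguous; confirm ES's drilldown offset semantics. With `starthoursago=168` removed from the query, the offsets alone enforce the 7-day window.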
diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
index fc963e2e7c..ca21cb3e69 100644
--- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
@@ -1,7 +1,7 @@
name: Windows AD Abnormal Object Access Activity
id: 71b289db-5f2c-4c43-8256-8bf26ae7324a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.
risk_objects:
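Review bot: `latest_offset: 0` is parsed as an integer by YAML, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these offsets as strings, quote it as `latest_offset: '0'`. If the consumer passes `7d` through as a Splunk relative-time modifier, the missing sign is ambiguous and `-7d` would state the direction; worth confirming against ES offset handling. Since `starthoursago=168` was dropped from the search, the 7-day window named in the drilldown now rests entirely on these offsets.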
diff --git a/detections/endpoint/windows_ad_add_self_to_group.yml b/detections/endpoint/windows_ad_add_self_to_group.yml
index 357c30ba09..50adfce08e 100644
--- a/detections/endpoint/windows_ad_add_self_to_group.yml
+++ b/detections/endpoint/windows_ad_add_self_to_group.yml
@@ -1,7 +1,7 @@
name: Windows AD add Self to Group
id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ added themselves to AD Group $Group_Name$
risk_objects:
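Review bot: `latest_offset: 0` is an integer to the YAML parser while `earliest_offset: 7d` and the prior `$info_max_time$` are strings; if the schema declares string offsets, quote the zero (`latest_offset: '0'`) so the pair shares a type. An unsigned `7d` does not state direction if it is forwarded as a Splunk relative-time modifier; `-7d` would, so confirm how ES interprets drilldown offsets. With `starthoursago=168` gone from the query, these offsets are the only thing bounding the 7-day window.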
diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
index 0e3a0cfac0..b028f06cde 100644
--- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
+++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
@@ -1,7 +1,7 @@
name: Windows AD AdminSDHolder ACL Modified
id: 00d877c3-7b7b-443d-9562-6b231e2abab9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Dean Luxton, Splunk
type: TTP
status: production
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The AdminSDHolder domain object $ObjectDN$ has been modified by $src_user$
risk_objects:
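Review bot: `latest_offset: 0` becomes an integer in YAML, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these offsets as strings, quote it as `latest_offset: '0'`. If `7d` reaches Splunk as a relative-time modifier, the unsigned form leaves the direction implicit; `-7d` is unambiguous, so confirm ES's drilldown offset semantics. The search lost `starthoursago=168`, so the 7-day window promised by the drilldown name now depends entirely on these offsets. Separately, the drilldown pivots on `$user$` while the RBA message attributes the change to `$src_user$`; the `risk_objects` list is cut off here, so confirm the risk object field matches the pivot.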
diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
index d1f2914524..20d481e207 100644
--- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
@@ -1,7 +1,7 @@
name: Windows AD Cross Domain SID History Addition
id: 41bbb371-28ba-439c-bb5c-d9930c28365d
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Active Directory SID History Attribute was added to $user$ by $src_user$
risk_objects:
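Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` and the old `$info_max_time$` are strings; if the schema expects string offsets, quote it (`latest_offset: '0'`) to avoid a type mismatch between the two fields. If the consumer passes `7d` through as a Splunk relative-time modifier, the missing sign is ambiguous and `-7d` would make the direction explicit; worth confirming against ES. With `starthoursago=168` removed from the query, the offsets alone enforce the 7-day window.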
diff --git a/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml
index 04f19a5a37..8fd8481eb6 100644
--- a/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml
+++ b/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml
@@ -1,7 +1,7 @@
name: Windows AD Dangerous Deny ACL Modification
id: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has added ACL rights to deny $user$ $aceControlAccessRights$ $aceAccessRights$ to $ObjectDN$
risk_objects:
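Review bot: `latest_offset: 0` is parsed by YAML as an integer, whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; if the content schema types these offsets as strings, quote it as `latest_offset: '0'` for consistency. An unsigned `7d` is ambiguous about direction if it is forwarded to Splunk as a relative-time modifier; `-7d` would be explicit, so confirm how ES applies drilldown offsets. Since `starthoursago=168` was dropped from the search, these offsets are now the sole bound on the 7-day window the drilldown name advertises.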
diff --git a/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml
index cdba5c5070..e081374c76 100644
--- a/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml
+++ b/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml
@@ -1,7 +1,7 @@
name: Windows AD Dangerous Group ACL Modification
id: 59b0fc85-7a0d-4585-97ec-06a382801990
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to group $ObjectDN$
risk_objects:
diff --git a/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml
index b0a6774084..56ac692bf9 100644
--- a/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml
+++ b/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml
@@ -1,7 +1,7 @@
name: Windows AD Dangerous User ACL Modification
id: ec5b6790-595a-4fb8-ad43-56e5b55a9617
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has added ACL rights to grant $user$ $aceControlAccessRights$ $aceAccessRights$ to user $ObjectDN$
risk_objects:
diff --git a/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml
index 37f2d1c274..b1464128f2 100644
--- a/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml
+++ b/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -1,7 +1,7 @@
name: Windows AD DCShadow Privileges ACL Addition
id: ae915743-1aa8-4a94-975c-8062ebc8b723
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -47,9 +47,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ACL modification Event Initiated by $src_user$ applying $user$ the minimum required extended rights to perform a DCShadow attack.
risk_objects:
diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
index a7d0490e8b..03227e0960 100644
--- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
+++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
@@ -1,7 +1,7 @@
name: Windows AD Domain Controller Audit Policy Disabled
id: fc3ccef1-60a4-4239-bd66-b279511b4d14
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: GPO $SubCategory$ of $Category$ was disabled on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml
index 9a168a92de..ec980d6007 100644
--- a/detections/endpoint/windows_ad_domain_controller_promotion.yml
+++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml
@@ -1,7 +1,7 @@
name: Windows AD Domain Controller Promotion
id: e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: AD Domain Controller Promotion Event Detected for $dest$
risk_objects:
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index 521bf5c6b7..1aca7670b2 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -1,7 +1,7 @@
name: Windows AD Domain Replication ACL Addition
id: 8c372853-f459-4995-afdc-280c114d33ab
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has granted $user$ permission to replicate AD objects
risk_objects:
diff --git a/detections/endpoint/windows_ad_domain_root_acl_deletion.yml b/detections/endpoint/windows_ad_domain_root_acl_deletion.yml
index dea1960c4b..c81a9c1c36 100644
--- a/detections/endpoint/windows_ad_domain_root_acl_deletion.yml
+++ b/detections/endpoint/windows_ad_domain_root_acl_deletion.yml
@@ -1,7 +1,7 @@
name: Windows AD Domain Root ACL Deletion
id: 3cb56e57-5642-4638-907f-8dfde9afb889
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has removed $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$
risk_objects:
diff --git a/detections/endpoint/windows_ad_domain_root_acl_modification.yml b/detections/endpoint/windows_ad_domain_root_acl_modification.yml
index 8bc6a68c62..de281e8bf7 100644
--- a/detections/endpoint/windows_ad_domain_root_acl_modification.yml
+++ b/detections/endpoint/windows_ad_domain_root_acl_modification.yml
@@ -1,7 +1,7 @@
name: Windows AD Domain Root ACL Modification
id: 4981e2db-1372-440d-816e-3e7e2ed74433
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has granted $user$ $aceAccessRights$ ACL rights to domain root $ObjectDN$
risk_objects:
diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml
index d3b4701527..c4c2635c73 100644
--- a/detections/endpoint/windows_ad_dsrm_account_changes.yml
+++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml
@@ -1,7 +1,7 @@
name: Windows AD DSRM Account Changes
id: 08cb291e-ea77-48e8-a95a-0799319bf056
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: DSRM Account Changes Initiated on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml
index 6973c8a596..aebfe08135 100644
--- a/detections/endpoint/windows_ad_dsrm_password_reset.yml
+++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml
@@ -1,7 +1,7 @@
name: Windows AD DSRM Password Reset
id: d1ab841c-36a6-46cf-b50f-b2b04b31182a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: DSRM Account Password was reset on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_gpo_deleted.yml b/detections/endpoint/windows_ad_gpo_deleted.yml
index 598bbfde98..81d6656de9 100644
--- a/detections/endpoint/windows_ad_gpo_deleted.yml
+++ b/detections/endpoint/windows_ad_gpo_deleted.yml
@@ -1,7 +1,7 @@
name: Windows AD GPO Deleted
id: 0d41772b-35ab-4e1c-a2ba-d0b455481aee
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: GPO $policyName$ was deleted by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_gpo_disabled.yml b/detections/endpoint/windows_ad_gpo_disabled.yml
index d053321d90..23e44043e3 100644
--- a/detections/endpoint/windows_ad_gpo_disabled.yml
+++ b/detections/endpoint/windows_ad_gpo_disabled.yml
@@ -1,7 +1,7 @@
name: Windows AD GPO Disabled
id: 72793bc0-c0cd-400e-9e60-fdf36f278917
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has disabled GPO $policyName$
risk_objects:
diff --git a/detections/endpoint/windows_ad_gpo_new_cse_addition.yml b/detections/endpoint/windows_ad_gpo_new_cse_addition.yml
index b22c5af0da..609b3011ca 100644
--- a/detections/endpoint/windows_ad_gpo_new_cse_addition.yml
+++ b/detections/endpoint/windows_ad_gpo_new_cse_addition.yml
@@ -1,7 +1,7 @@
name: Windows AD GPO New CSE Addition
id: 700c11d1-da09-47b2-81aa-358c143c7986
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has added new GPO Client Side Extensions $newPolicy$ to the policy $policyName$
risk_objects:
diff --git a/detections/endpoint/windows_ad_hidden_ou_creation.yml b/detections/endpoint/windows_ad_hidden_ou_creation.yml
index b44ad3dfa9..e08d8d4279 100644
--- a/detections/endpoint/windows_ad_hidden_ou_creation.yml
+++ b/detections/endpoint/windows_ad_hidden_ou_creation.yml
@@ -1,7 +1,7 @@
name: Windows AD Hidden OU Creation
id: 66b6ad5e-339a-40af-b721-dacefc7bdb75
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has hidden the contents of OU $ObjectDN$ from $user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_object_owner_updated.yml b/detections/endpoint/windows_ad_object_owner_updated.yml
index 95957b2b06..97ca4a41cd 100644
--- a/detections/endpoint/windows_ad_object_owner_updated.yml
+++ b/detections/endpoint/windows_ad_object_owner_updated.yml
@@ -1,7 +1,7 @@
name: Windows AD Object Owner Updated
id: 4af01f6b-d8d4-4f96-8635-758a01557130
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has made $user$ the owner of AD object $ObjectDN$
risk_objects:
diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
index 21492ea64c..72a43df021 100644
--- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
@@ -1,7 +1,7 @@
name: Windows AD Privileged Account SID History Addition
id: 6b521149-b91c-43aa-ba97-c2cac59ec830
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Privileged User Account SID History Attribute was added to $userSid$ by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_privileged_group_modification.yml b/detections/endpoint/windows_ad_privileged_group_modification.yml
index 182358c28b..9232232c61 100644
--- a/detections/endpoint/windows_ad_privileged_group_modification.yml
+++ b/detections/endpoint/windows_ad_privileged_group_modification.yml
@@ -1,7 +1,7 @@
name: Windows AD Privileged Group Modification
id: 187bf937-c436-4c65-bbcb-7539ffe02da1
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ was added to privileged AD Group $Group_Name$ by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
index 768eff33df..275d22831f 100644
--- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
@@ -1,7 +1,7 @@
name: Windows AD Privileged Object Access Activity
id: dc2f58bc-8cd2-4e51-962a-694b963acde0
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The account $user$ accessed $object_count$ privileged AD object(s).
risk_objects:
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
index 90755ffde8..83aa9120d5 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
@@ -1,7 +1,7 @@
name: Windows AD Replication Request Initiated by User Account
id: 51307514-1236-49f6-8686-d46d93cc2821
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Active Directory Replication Request Initiated by User Account $user$ from $src_ip$
risk_objects:
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
index 5bd98c79ff..a1ac56fdd0 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
@@ -1,7 +1,7 @@
name: Windows AD Replication Request Initiated from Unsanctioned Location
id: 50998483-bb15-457b-a870-965080d9e3d3
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Active Directory Replication Request Initiated from Unsanctioned Location $src_ip$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
index 26fddbb94d..3a680c64e6 100644
--- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
@@ -1,7 +1,7 @@
name: Windows AD Same Domain SID History Addition
id: 5fde0b7c-df7a-40b1-9b3a-294c00f0289d
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Active Directory SID History Attribute was added to $user$ by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_self_dacl_assignment.yml b/detections/endpoint/windows_ad_self_dacl_assignment.yml
index aa573324cd..93b57e4550 100644
--- a/detections/endpoint/windows_ad_self_dacl_assignment.yml
+++ b/detections/endpoint/windows_ad_self_dacl_assignment.yml
@@ -1,7 +1,7 @@
name: Windows AD Self DACL Assignment
id: 16132445-da9f-4d03-ad44-56d717dcd67d
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -95,9 +95,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ has created a DACL on $ObjectDN$ to grant themselves $aceControlAccessRights$ across $aceAccessRights$
risk_objects:
diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
index b5c8c42452..ea0d8d6bf4 100644
--- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
+++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -1,7 +1,7 @@
name: Windows AD ServicePrincipalName Added To Domain Account
id: 8a1259cb-0ea7-409c-8bfe-74bad89259f9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$ObjectDN$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ObjectDN$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$ObjectDN$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Servince Principal Name for $ObjectDN$ was set by $user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
index 8a71c30995..f69897d208 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
@@ -1,7 +1,7 @@
name: Windows AD Short Lived Domain Account ServicePrincipalName
id: b681977c-d90c-4efc-81a5-c58f945fb541
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Servince Principal Name for $user$ was set and shortly deleted
risk_objects:
diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
index 30b4f27271..917e07f30b 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
@@ -1,7 +1,7 @@
name: Windows AD Short Lived Domain Controller SPN Attribute
id: 57e27f27-369c-4df8-af08-e8c7ee8373d4
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Dean Luxton
type: TTP
status: production
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Short Lived Domain Controller SPN AD Attribute Triggered by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml
index cdb06d85b6..87aaa58f1f 100644
--- a/detections/endpoint/windows_ad_short_lived_server_object.yml
+++ b/detections/endpoint/windows_ad_short_lived_server_object.yml
@@ -1,7 +1,7 @@
name: Windows AD Short Lived Server Object
id: 193769d3-1e33-43a9-970e-ad4a88256cdb
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A short-lived server object was created and deleted on $Computer$
risk_objects:
diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
index b726447cd2..bdf1ec75f2 100644
--- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
+++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
@@ -1,7 +1,7 @@
name: Windows AD SID History Attribute Modified
id: 1155e47d-307f-4247-beab-71071e3a458c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: SID History AD attribute modified by $SubjectUserName$ for $ObjectDN$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_ad_suspicious_attribute_modification.yml b/detections/endpoint/windows_ad_suspicious_attribute_modification.yml
index 62b82a0f20..73b1374db4 100644
--- a/detections/endpoint/windows_ad_suspicious_attribute_modification.yml
+++ b/detections/endpoint/windows_ad_suspicious_attribute_modification.yml
@@ -1,7 +1,7 @@
name: Windows AD Suspicious Attribute Modification
id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_user$ has added $AttributeLDAPDisplayName$ ACL rights to $ObjectClass$ $ObjectDN$
risk_objects:
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index 2bc68d6129..fe90044a7a 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -1,7 +1,7 @@
name: Windows AdFind Exe
id: bd3b0187-189b-46c0-be45-f52da2bae67f
-version: 12
-date: '2026-03-12'
+version: 13
+date: '2026-03-31'
author: Jose Hernandez, Bhavin Patel, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -71,9 +71,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $user$ spawned $process$ indicative of Active Directory discovery on machine - [$dest$]
risk_objects:
diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml
index 7df8104122..c68e45d3ae 100644
--- a/detections/endpoint/windows_admin_permission_discovery.yml
+++ b/detections/endpoint/windows_admin_permission_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Admin Permission Discovery
id: e08620cb-9488-4052-832d-97bcc0afd414
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file was created in root drive C:/ on host - $dest$
risk_objects:
diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
index d457dacdc9..8b5fb94e34 100644
--- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
name: Windows Administrative Shares Accessed On Multiple Hosts
id: d92f2d95-05fb-48a7-910f-4d3d61ab8655
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host_targets$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes.
risk_objects:
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
index bbf12b524e..14f029c6ae 100644
--- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
@@ -1,7 +1,7 @@
name: Windows Admon Default Group Policy Object Modified
id: 83458004-db60-4170-857d-8572f16f070b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dcName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A default domain group policy was updated on $dcName$
risk_objects:
diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml
index 7bbed9c819..d169e46fed 100644
--- a/detections/endpoint/windows_admon_group_policy_object_created.yml
+++ b/detections/endpoint/windows_admon_group_policy_object_created.yml
@@ -1,7 +1,7 @@
name: Windows Admon Group Policy Object Created
id: 69201633-30d9-48ef-b1b6-e680805f0582
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dcName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dcName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new group policy objected was created on $dcName$
risk_objects:
diff --git a/detections/endpoint/windows_advanced_installer_msix_with_ai_stubs_execution.yml b/detections/endpoint/windows_advanced_installer_msix_with_ai_stubs_execution.yml
index f4418207aa..6dcc5d29de 100644
--- a/detections/endpoint/windows_advanced_installer_msix_with_ai_stubs_execution.yml
+++ b/detections/endpoint/windows_advanced_installer_msix_with_ai_stubs_execution.yml
@@ -1,7 +1,7 @@
name: Windows Advanced Installer MSIX with AI_STUBS Execution
id: 56b2e58c-5909-49a3-998e-1f4815186ec2
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Advanced Installer MSIX package with AI_STUBS execution detected on $dest$ by user $user$
risk_objects:
diff --git a/detections/endpoint/windows_ai_platform_dns_query.yml b/detections/endpoint/windows_ai_platform_dns_query.yml
index cd2368625c..9c6efd68c4 100644
--- a/detections/endpoint/windows_ai_platform_dns_query.yml
+++ b/detections/endpoint/windows_ai_platform_dns_query.yml
@@ -1,7 +1,7 @@
name: Windows AI Platform DNS Query
id: 1ad89d24-c856-4a0e-8fdf-c20c7b9febe1
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ made a DNS query for $query$ from host $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml
index ce336757e6..1f4dd8eb33 100644
--- a/detections/endpoint/windows_alternate_datastream___base64_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml
@@ -1,7 +1,7 @@
name: Windows Alternate DataStream - Base64 Content
id: 683f48de-982f-4a7e-9aac-9cec550da498
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Base64 content written to an NTFS alternate data stream in $dest$, see command field for details.
risk_objects:
diff --git a/detections/endpoint/windows_alternate_datastream___executable_content.yml b/detections/endpoint/windows_alternate_datastream___executable_content.yml
index 193855123e..5acb8d0247 100644
--- a/detections/endpoint/windows_alternate_datastream___executable_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___executable_content.yml
@@ -1,7 +1,7 @@
name: Windows Alternate DataStream - Executable Content
id: a258bf2a-34fd-4986-8086-78f506e00206
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Base64 content written to an NTFS alternate data stream in $dest$, see command field for details.
risk_objects:
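Review bot: The risk message on the context line `message: Base64 content written to an NTFS alternate data stream in $dest$, see command field for details.` describes the Base64 Content detection, yet this file is "Windows Alternate DataStream - Executable Content", so an analyst triaging the resulting notable is told the wrong thing about what was written to the stream. This looks pre-existing rather than introduced by the hunk, but since the version is bumped here anyway it is a cheap fix to reword it, e.g. `message: Executable content written to an NTFS alternate data stream in $dest$, see command field for details.`. The rba block continues past the end of the hunk.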
diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml
index fb8e0a5282..dd659c1b14 100644
--- a/detections/endpoint/windows_alternate_datastream___process_execution.yml
+++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml
@@ -1,7 +1,7 @@
name: Windows Alternate DataStream - Process Execution
id: 30c32c5c-41fe-45db-84fe-275e4320da3f
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The $process_name$ process was executed by $user$ using data from an NTFS alternate data stream.
risk_objects:
diff --git a/detections/endpoint/windows_anonymous_pipe_activity.yml b/detections/endpoint/windows_anonymous_pipe_activity.yml
index d17f0edd76..71a91c8ded 100644
--- a/detections/endpoint/windows_anonymous_pipe_activity.yml
+++ b/detections/endpoint/windows_anonymous_pipe_activity.yml
@@ -1,7 +1,7 @@
name: Windows Anonymous Pipe Activity
id: ee301e1e-cd81-4011-a911-e5f049b9e3d5
-version: 5
-date: '2025-10-31'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Salt Typhoon
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index 17f0714414..6779c4e152 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -1,7 +1,7 @@
name: Windows Apache Benchmark Binary
id: 894f48ea-8d85-4dcd-9132-c66cdb407c9b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known MetaSploit default payload has been identified on $dest$ ran by $user$, $parent_process_name$ spawning $process_name$.
risk_objects:
diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
index e18a312aee..55816e79d7 100644
--- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
@@ -1,7 +1,7 @@
name: Windows App Layer Protocol Qakbot NamedPipe
id: 63a2c15e-9448-43c5-a4a8-9852266aaada
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $Image$ is creating or connecting to a named pipe $PipeName$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
index fa990900a3..0d21756811 100644
--- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
@@ -1,7 +1,7 @@
name: Windows App Layer Protocol Wermgr Connect To NamedPipe
id: 2f3a4092-548b-421c-9caa-84918e1787ef
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wermgr.exe process is creating or connecting to a named pipe $PipeName$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
index 7a6ef602b8..648d1f8358 100644
--- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
+++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
@@ -1,7 +1,7 @@
name: Windows Application Layer Protocol RMS Radmin Tool Namedpipe
id: b62a6040-49f4-47c8-b3f6-fc1adb952a33
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: possible RMS admin tool named pipe was created in endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml
index c74bcbc5d4..b4d0049aac 100644
--- a/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml
+++ b/detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml
@@ -1,7 +1,7 @@
name: Windows Application Whitelisting Bypass Attempt via Rundll32
id: 1ef5dab0-e1f1-495d-a272-d134583c10b1
-version: 4
-date: '2026-03-24'
+version: 5
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -70,9 +70,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ loading syssetup.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_applocker_block_events.yml b/detections/endpoint/windows_applocker_block_events.yml
index cd9cc90e18..8627412515 100644
--- a/detections/endpoint/windows_applocker_block_events.yml
+++ b/detections/endpoint/windows_applocker_block_events.yml
@@ -1,7 +1,7 @@
name: Windows AppLocker Block Events
id: e369afe8-cd35-47a3-9c1e-d813efc1f7dd
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source: []
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of AppLocker policy violation has been detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
index bf0ebae94f..a93e60540a 100644
--- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
+++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
@@ -1,7 +1,7 @@
name: Windows AppLocker Privilege Escalation via Unauthorized Bypass
id: bca48629-7fa2-40d3-9e5d-807564504e28
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source: []
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to bypass application restrictions was detected on a host $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_appx_deployment_full_trust_package_installation.yml b/detections/endpoint/windows_appx_deployment_full_trust_package_installation.yml
index f0642268cc..e41d192f25 100644
--- a/detections/endpoint/windows_appx_deployment_full_trust_package_installation.yml
+++ b/detections/endpoint/windows_appx_deployment_full_trust_package_installation.yml
@@ -1,7 +1,7 @@
name: Windows AppX Deployment Full Trust Package Installation
id: 8560de46-ea2d-4c69-8ca3-5b78b90f1338
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Hunting
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Look for related PowerShell activity from the same dest
search: '`powershell` EventCode=4104 dest="$dest$" | stats count by ScriptBlockText'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_appx_deployment_unsigned_package_installation.yml b/detections/endpoint/windows_appx_deployment_unsigned_package_installation.yml
index 9bf37da08e..5ddcbc9656 100644
--- a/detections/endpoint/windows_appx_deployment_unsigned_package_installation.yml
+++ b/detections/endpoint/windows_appx_deployment_unsigned_package_installation.yml
@@ -1,7 +1,7 @@
name: Windows AppX Deployment Unsigned Package Installation
id: 9b5e7c14-f8d2-4a3b-b1a7-e5c9f2a8d123
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Look for related PowerShell activity from the same dest
search: '`powershell` EventCode=4104 dest="$dest$" ScriptBlockText="*Add-AppxPackage*" OR ScriptBlockText="*Add-AppPackage*" | stats count by ScriptBlockText'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
index 841f9996e3..fe7d3cb369 100644
--- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows Archive Collected Data via Powershell
id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Archive Collected Data via Powershell on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index c38729e208..9db3fef4d5 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -1,7 +1,7 @@
name: Windows Archive Collected Data via Rar
id: 2015de95-fe91-413d-9d62-2fe011b67e82
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a Rar.exe commandline used in archiving collected data on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
index 59fcb2112f..592e36bfd0 100644
--- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
+++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
@@ -1,7 +1,7 @@
name: Windows Archived Collected Data In TEMP Folder
id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An archive file [$file_name$] was created in a temporary folder on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml
index 1abcd90020..1749906e4b 100644
--- a/detections/endpoint/windows_attempt_to_stop_security_service.yml
+++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml
@@ -1,7 +1,7 @@
name: Windows Attempt To Stop Security Service
id: 9ed27cea-4e27-4eff-b2c6-aac9e78a7517
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Rico Valdez, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml b/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml
index 8678e74645..9e6479fdb4 100644
--- a/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Auditing Option Disabled via Auditpol
id: 663a7a50-b752-4c84-975b-8325ca3f6f9e
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable an audit policy auditing option on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
index 57b642219d..0ce4c8b1f3 100644
--- a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
+++ b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Auditing Option Modified - Registry
id: 27914692-9c62-44ea-9129-ceb429b61bd0
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The auditing option $registry_value_name$ from the configured Audit Policy was modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml b/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml
index 6282ac7544..fda1ab9d9c 100644
--- a/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Cleared via Auditpol
id: f067f7cf-f41b-4a60-985e-c23e268a13cb
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to clear logging on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml b/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
index ea2d634ae2..fc9714ea1a 100644
--- a/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Disabled via Auditpol
id: 14e008e5-6723-4298-b0d4-e95b24e10c18
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ with CommandLine $process$ was identified attempting to disable and audit policy category/sub-category on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml b/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
index ceed33dd95..ba6d4245df 100644
--- a/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Disabled via Legacy Auditpol
id: d2cef287-c2b7-4496-a609-7a548c1e27f9
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ with CommandLine $process$ was identified attempting to disable and audit policy category/sub-category on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml b/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
index 9ef55a3637..2940c67d5f 100644
--- a/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Excluded Category via Auditpol
id: 083708d4-d763-4ba2-87ac-105b526de81a
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ with CommandLine $process$ was identified attempting to exclude a specific user events on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml b/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
index 1c0da47b47..081d68589f 100644
--- a/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Restored via Auditpol
id: d7d1795b-ea18-47e5-9ca6-2c330d052d21
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to restore and audit policy on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml b/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
index 8e5a35cc14..392765704e 100644
--- a/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Audit Policy Security Descriptor Tampering via Auditpol
id: 5628e0b7-73dc-4f1b-b37a-6e68efc2225f
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ with commandline $process$ was identified attempting to modify the audit policy security descriptor on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml
index 3021419963..b6557cf7fb 100644
--- a/detections/endpoint/windows_autoit3_execution.yml
+++ b/detections/endpoint/windows_autoit3_execution.yml
@@ -1,7 +1,7 @@
name: Windows AutoIt3 Execution
id: 0ecb40d9-492b-4a57-9f87-515dd742794c
-version: 12
-date: '2026-03-16'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Execution of AutoIt3 detected. The source process is $parent_process_name$ and the destination process is $process_name$ on $dest$ by
risk_objects:
diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
index 5b997b5760..0d9799dc9d 100644
--- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
+++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
@@ -1,7 +1,7 @@
name: Windows Autostart Execution LSASS Driver Registry Modification
id: 57fb8656-141e-4d8a-9f51-62cff4ecb82a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The registry values for DirectoryServiceExtPt or LsaDbExtPt were modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
index 74b6d83f7c..ec7178dcee 100644
--- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
+++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
@@ -1,7 +1,7 @@
name: Windows Binary Proxy Execution Mavinject DLL Injection
id: ccf4b61b-1b26-4f2e-a089-f2009c569c57
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting load a DLL.
risk_objects:
diff --git a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
index ca452c6994..e8d90a9cdb 100644
--- a/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
+++ b/detections/endpoint/windows_bitdefender_submission_wizard_dll_sideloading.yml
@@ -1,7 +1,7 @@
name: Windows BitDefender Submission Wizard DLL Sideloading
id: a1b2c3d4-e5f6-4789-a012-3456789abcde
-version: 1
-date: '2026-03-13'
+version: 2
+date: '2026-03-31'
author: Michael Haag, Splunk
status: experimental
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$User$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$User$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Bitdefender Submission Wizard loaded $ImageLoaded$ from a non-standard path on $dest$ by user $User$, indicating potential DLL side-loading activity.
risk_objects:
diff --git a/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml b/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
index 8300c5a8b1..cd75589160 100644
--- a/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
+++ b/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
@@ -1,7 +1,7 @@
name: Windows BitLocker Suspicious Command Usage
id: d0e6ec70-6e40-41a2-8b93-8d9ff077a746
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate processes on $dest$
search: '| from datamodel Endpoint.Processes | search process_name = $process_name$ AND dest = "$dest$"'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_bluetooth_service_installed_from_uncommon_location.yml b/detections/endpoint/windows_bluetooth_service_installed_from_uncommon_location.yml
index 752eb4149e..7ed0ec6aba 100644
--- a/detections/endpoint/windows_bluetooth_service_installed_from_uncommon_location.yml
+++ b/detections/endpoint/windows_bluetooth_service_installed_from_uncommon_location.yml
@@ -1,7 +1,7 @@
name: Windows Bluetooth Service Installed From Uncommon Location
id: f12b81e6-2fa2-48e0-95cd-f5f7e4d9ac89
-version: 1
-date: '2026-03-13'
+version: 2
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious BluetoothService created on $dest$ with binary path $ImagePath$ in user-writable directory, indicating potential malware persistence
risk_objects:
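Review bot: The new `latest_offset: 0` is typed as an integer by any YAML loader while `earliest_offset: 7d` is a string; unless the consumer explicitly accepts both, `latest_offset: '0'` keeps the pair consistently typed. The drilldown name still says "last 7 days", but the window is now anchored to the notable's time rather than to when the analyst clicks, so a risk event raised after the notable (e.g. a follow-on detection on the same `$dest$`) will presumably fall outside `latest_offset: 0`; if that is intended, a one-line comment above the entry stating the anchor would save the next reader from re-deriving it.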
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 11ed26f076..27c9417ed5 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,7 +1,7 @@
name: Windows Boot or Logon Autostart Execution In Startup Folder
id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process dropped a file in %startup% folder on $dest$
risk_objects:
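Review bot: `latest_offset: 0` loads as an integer, not the string `'0'`; quoting it keeps it the same type as `earliest_offset: 7d` and avoids a formatter or re-serializer rewriting it. The `$user$` and `$dest$` tokens are substituted unescaped inside the double-quoted `IN (...)` list on the new search line; this predates the change, but a risk object value containing `"` would break out of the literal, and it is worth confirming that ES escapes drilldown tokens before deciding nothing further is needed.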
diff --git a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
index 5d1f6d7267..92f70a40c4 100644
--- a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
+++ b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
@@ -1,7 +1,7 @@
name: Windows Browser Process Launched with Unusual Flags
id: 841e2abc-0442-4e7f-b445-b22680632a08
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: chromium browser that has unusual flags for muting or audio and prevent de-elevation of the current process in $dest$.
risk_objects:
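Review bot: The sign convention of `earliest_offset: 7d` cannot be verified from the diff; if ES expects a relative-time modifier here the value would have to be `-7d`, and a positive offset would silently yield an empty 7-day window. A quick check of the generated savedsearches.conf for this detection, or of one notable in ES, settles it. Separately, `latest_offset: 0` is an unquoted integer while `7d` is a string; `latest_offset: '0'` keeps both offsets typed alike.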
diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
index 36414c2749..d44bfce8bc 100644
--- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
+++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
@@ -1,7 +1,7 @@
name: Windows Bypass UAC via Pkgmgr Tool
id: cce58e2c-988a-4319-9390-0daa9eefa3cd
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A pkgmgr.exe executed with package manager xml input file on $dest$
risk_objects:
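Review bot: `latest_offset: 0` is read by every YAML loader as an integer whereas the paired `earliest_offset: 7d` is a string; if the drilldown model declares string fields, `latest_offset: '0'` avoids relying on implicit coercion. The drilldown name promises "last 7 days", but with the window now anchored to the notable the range is "seven days before the notable up to the notable", which is what a reviewer of a UAC-bypass notable needs most; consider making the name say so, e.g. `View risk events for the 7 days preceding this notable`, so analysts do not expect later events to appear.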
diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml
index e3192d4606..4fe77162f5 100644
--- a/detections/endpoint/windows_cab_file_on_disk.yml
+++ b/detections/endpoint/windows_cab_file_on_disk.yml
@@ -1,7 +1,7 @@
name: Windows CAB File on Disk
id: 622f08d0-69ef-42c2-8139-66088bc25acd
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A .cab file was written to disk on endpoint $dest$.
risk_objects:
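Review bot: Quote the new `latest_offset: 0` as `'0'` so it stays a string like `earliest_offset: 7d`; unquoted `0` is an integer to the YAML parser and may or may not be accepted by the offset field's type. Whether `7d` is interpreted as a lookback or needs a leading `-` should be confirmed against a rendered notable before this lands, since a wrong sign produces an empty "last 7 days" view rather than an error.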
diff --git a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml
index 721e5ce489..be2adc7f90 100644
--- a/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml
+++ b/detections/endpoint/windows_cabinet_file_extraction_via_expand.yml
@@ -1,7 +1,7 @@
name: Windows Cabinet File Extraction Via Expand
id: 4e3e3b8c-6d3a-4b47-9f5a-9e3e0a0a6f2f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -43,15 +43,14 @@ drilldown_searches:
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
search: |
- | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168
- | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
+ | from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name"
values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories"
values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
by normalized_risk_object
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: expand.exe extracted cabinet contents on $dest$ executed by $user$.
risk_objects:
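Review bot: The edit to the `search: |` block scalar leaves the SPL split inconsistently: the `| stats count ... "Search Name"` clause was pulled up onto the `from datamodel` line while the remaining `values(...)` arguments still sit on their own continuation lines, so the block now reads as neither one-clause-per-line nor a one-liner. Either keep `| stats` on its own line as before, or collapse the whole search to the single-quoted one-line form every sibling detection in this commit uses. Note also that `|` (literal style) preserves the newlines inside the SPL string; Splunk presumably treats them as whitespace, but `>-` would fold them and make the rendered search identical to the one-liner variants. As elsewhere, `latest_offset: 0` loads as an integer; `'0'` keeps it typed like `7d`.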
diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
index 2359df0d5e..259deff117 100644
--- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
+++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
@@ -1,7 +1,7 @@
name: Windows Cached Domain Credentials Reg Query
id: 40ccb8e0-1785-466e-901e-6a8b75c04ecd
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process with commandline $process$ tries to retrieve cache domain credential logon count on $dest$
risk_objects:
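Review bot: `latest_offset: 0` becomes an integer after YAML parsing while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps the pair consistently typed and is what yamllint-style guidance would ask for. The direction of `7d` (lookback vs. relative modifier needing `-7d`) is not visible here; confirm on one notable that the risk drilldown returns the seven days before the event rather than an empty result.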
diff --git a/detections/endpoint/windows_certutil_root_certificate_addition.yml b/detections/endpoint/windows_certutil_root_certificate_addition.yml
index 730fca5290..6bf3d6cb25 100644
--- a/detections/endpoint/windows_certutil_root_certificate_addition.yml
+++ b/detections/endpoint/windows_certutil_root_certificate_addition.yml
@@ -1,7 +1,7 @@
name: Windows Certutil Root Certificate Addition
id: e9926391-ec0c-4bad-8a95-e450dbf6aae4
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -72,9 +72,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A potentially suspicious certificate was added to the Root certificate store via Certutil on $dest$.
risk_objects:
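Review bot: `latest_offset: 0` is an unquoted integer on the new side; quoting it as `'0'` matches the string type of `earliest_offset: 7d` and removes any dependence on implicit int-to-string coercion in the drilldown model. For a root-certificate addition the seven days after the event are as interesting as the seven before (the certificate is typically used later), so if ES supports a positive latest offset, a second drilldown covering the following days would be a useful companion; if not, a short comment above this entry saying the window ends at the notable helps the analyst know to widen it manually.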
diff --git a/detections/endpoint/windows_change_file_association_command_to_notepad.yml b/detections/endpoint/windows_change_file_association_command_to_notepad.yml
index a134a07c6b..3ad53a9bd4 100644
--- a/detections/endpoint/windows_change_file_association_command_to_notepad.yml
+++ b/detections/endpoint/windows_change_file_association_command_to_notepad.yml
@@ -1,7 +1,7 @@
name: Windows Change File Association Command To Notepad
id: 339155d6-34cb-4788-9d00-e67f190af93a
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -67,9 +67,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process with commandline $process$ set the execution command of a file association to notepad.exe on $dest$
risk_objects:
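Review bot: The new `latest_offset: 0` is typed as an integer by the YAML parser, unlike `earliest_offset: 7d`; write `latest_offset: '0'` so both offsets are strings. `$dest$` is still spliced unescaped into the double-quoted `IN ("$dest$")` literal on the new search line; this is pre-existing, but a hostname value containing a double quote would escape the literal, and it is worth confirming ES escapes drilldown tokens rather than assuming it.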
diff --git a/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml b/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
index e6b2a62169..37c31a87bd 100644
--- a/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
+++ b/detections/endpoint/windows_chrome_auto_update_disabled_via_registry.yml
@@ -1,7 +1,7 @@
name: Windows Chrome Auto-Update Disabled via Registry
id: 619eac6c-0f03-4699-ae29-5f337877bcf9
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -55,9 +55,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Chrome Auto-update in $registry_path$ was disabled on $dest$
risk_objects:
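Review bot: `latest_offset: 0` loads as integer `0` while the paired `earliest_offset: 7d` loads as a string; quote it (`'0'`) for consistent typing across the two keys. The sign expected for `earliest_offset` is not determinable from the diff; if ES treats it as a relative-time modifier, `7d` would need to be `-7d`, so verify the rendered window on one notable before relying on "last 7 days" in the drilldown name.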
diff --git a/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml b/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml
index 15282fe447..80fc420dd6 100644
--- a/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml
+++ b/detections/endpoint/windows_chrome_enable_extension_loading_via_command_line.yml
@@ -1,7 +1,7 @@
name: Windows Chrome Enable Extension Loading via Command-Line
id: da355155-1d23-48f9-bf95-e534ae273ab0
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $process_name$ process attempted to enable browser extension loading via command line $process$ on $dest$.
risk_objects:
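Review bot: Quote `latest_offset: 0` as `'0'` so it is a string like `earliest_offset: 7d` rather than an integer the consumer may or may not coerce. The window is now anchored to the notable's time instead of "now", which is the better anchor for a risk-correlation drilldown; consider reflecting that in the name (`... for the 7 days before this notable ...`) so `$user$`/`$dest$` events raised after the alert are not expected to show up.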
diff --git a/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml b/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml
index 08187546ae..d0ac210f6f 100644
--- a/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml
+++ b/detections/endpoint/windows_chrome_extension_allowed_registry_modification.yml
@@ -1,7 +1,7 @@
name: Windows Chrome Extension Allowed Registry Modification
id: 2846089a-ffe9-4881-a2a2-43f3be2b8cc7
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Chrome ExtensionInstallAllowlist Policy in $registry_path$ was modified on $dest$
risk_objects:
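Review bot: `latest_offset: 0` is an unquoted scalar and therefore an integer after parsing, while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps the two offsets typed alike. Whether `7d` is a lookback or must be written `-7d` cannot be confirmed from this diff; a single check of the generated savedsearches.conf for this detection, or of one notable in ES, would verify the "last 7 days" window is not empty.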
diff --git a/detections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml b/detections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml
index 29d43bf8d4..d3be5e9810 100644
--- a/detections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml
+++ b/detections/endpoint/windows_chromium_browser_launched_with_small_window_size.yml
@@ -1,7 +1,7 @@
name: Windows Chromium Browser Launched with Small Window Size
id: 88103f56-8f5c-411f-a87f-71bee776f140
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Chromium-based browser process was launched on $dest$ by user $user$ with an unusually small window size ($window_width$ x $window_height$ pixels). The process was spawned by $parent_process_name$ and included the following command-line parameters $process$.
risk_objects:
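Review bot: `latest_offset: 0` on the new side loads as integer `0`; quoting it as `'0'` matches the string type of `earliest_offset: 7d` and avoids depending on implicit coercion in the drilldown schema. The `$user$`/`$dest$` tokens remain substituted verbatim inside the quoted `IN (...)` list on the new search line — pre-existing, but a value containing `"` would alter the SPL, so confirm ES escapes drilldown tokens before treating this as closed.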
diff --git a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml
index 0065ea9d28..bee6a83e69 100644
--- a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml
+++ b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml
@@ -1,7 +1,7 @@
name: Windows Chromium Browser No Security Sandbox Process
id: 314cb263-7eeb-4d45-b693-bb21699c73d2
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A chromium process with the --no-sandbox flag was launched on $dest$ by user $user$.
risk_objects:
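Review bot: Quote the new `latest_offset: 0` as `'0'` so it is parsed as a string like `earliest_offset: 7d`; as written the two offset keys have different YAML types. The sign convention for `earliest_offset` is not visible here, and a positive offset misread as "seven days after the notable" would give an empty or misleading risk view for a `--no-sandbox` notable; verify on one rendered notable that the window covers the seven days before the event.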
diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
index dbfb078a82..df5d8bd49e 100644
--- a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
+++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
@@ -1,7 +1,7 @@
name: Windows Chromium Browser with Custom User Data Directory
id: 4f546cf4-15aa-4368-80f7-940e92bc551e
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A chromium process with the --user-data-dir flag was launched on $dest$ by user $user$.
risk_objects:
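Review bot: `latest_offset: 0` is an integer to the YAML parser while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps both consistently typed. The drilldown name still reads "last 7 days" even though the window is now anchored to the notable's time rather than the analyst's click time; a comment above the entry, or a name such as `... for the 7 days before this notable ...`, would make the anchor explicit.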
diff --git a/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml b/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
index bcaa68a4fe..a4bb28a111 100644
--- a/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
+++ b/detections/endpoint/windows_chromium_process_launched_with_disable_popup_blocking.yml
@@ -1,7 +1,7 @@
name: Windows Chromium process Launched with Disable Popup Blocking
id: 95f8acd6-978e-42d6-99c1-85baacdd2b46
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Chromium-based browser process $process_name$ was launched by $parent_process_name$ on $dest$ by the user $user$ with the command-line $process$.
risk_objects:
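Review bot: `latest_offset: 0` loads as integer `0`, unlike the string `earliest_offset: 7d`; write it as `'0'` so both offsets share a type. Whether ES expects `7d` or `-7d` for a lookback is not determinable from the diff, and a wrong sign yields a silently empty risk view rather than an error, so confirm the rendered window on one notable for this detection.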
diff --git a/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml b/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
index 938f913116..b84f15a147 100644
--- a/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
+++ b/detections/endpoint/windows_chromium_process_launched_with_logging_disabled.yml
@@ -1,7 +1,7 @@
name: Windows Chromium Process Launched with Logging Disabled
id: d31de944-4e61-468f-9154-e50690f0e99e
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Chromium-based browser process $process_name$ was launched by $parent_process_name$ on $dest$ by the user $user$ with the command-line $process$.
risk_objects:
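Review bot: `latest_offset: 0` on the added line is an integer to the YAML parser, while its sibling `earliest_offset: 7d` and the value it replaces (`$info_max_time$`) are strings; if the drilldown schema types these offsets as strings this will fail validation or silently depend on coercion, so quote it as `latest_offset: '0'`. The same applies to every other drilldown hunk in this chunk, through the `windows_computer_account_requesting_kerberos_ticket` hunk. Separately, dropping `starthoursago=168` in favour of the offsets changes what the drilldown returns: the old search looked back 7 days from the moment it was run, whereas the offsets are presumably applied relative to the notable's `_time`, so a latest offset of `0` would exclude risk events that accrued on the same object after this notable fired. If that is intended, the unchanged `name` still reads `View risk events for the last 7 days for - ...` and should say the window is the 7 days before the event; if not, keep a latest offset that extends past the event time.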
diff --git a/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml b/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml
index 8f6d689dbc..6358df69ff 100644
--- a/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml
+++ b/detections/endpoint/windows_chromium_process_loaded_extension_via_command_line.yml
@@ -1,7 +1,7 @@
name: Windows Chromium Process Loaded Extension via Command-Line
id: 1b8a468a-52e3-4206-b14a-73165441684c
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ was launched by $parent_process_name$ on $dest$ by user $user$ and attempted to load a browser extension via command-line $process$.
risk_objects:
diff --git a/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml b/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
index 206659559e..5901f5100c 100644
--- a/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
+++ b/detections/endpoint/windows_chromium_process_with_disabled_extensions.yml
@@ -1,7 +1,7 @@
name: Windows Chromium Process with Disabled Extensions
id: ce245717-779b-483b-bc52-fc7a94729973
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ launched a Chromium-based browser on $dest$ with the --disable-extensions flag. Parent process $parent_process_name$. Command line $process$.
risk_objects:
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
index d689a12d03..017a4f104a 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
@@ -1,7 +1,7 @@
name: Windows Cisco Secure Endpoint Related Service Stopped
id: df74f45f-01c8-4fd6-bcb8-f6a9ea58307a
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Cisco Secure Endpoint Service $display_name$ stopped on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
index 9aa06f04af..a745fa73ff 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
@@ -1,7 +1,7 @@
name: Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
id: 44badcb1-2e8c-4628-9537-021bbae571ad
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious use of `sfc.exe` stopping the Immunet Protect service on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
index 662614080f..ca937a7d49 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
@@ -1,7 +1,7 @@
name: Windows Cisco Secure Endpoint Unblock File Via Sfc
id: 9a7a490c-5581-4c95-bab5-a21e351293ef
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious use of `sfc.exe` unblocking a potentially harmful file on $dest$ by user $user$
risk_objects:
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
index d2b5313653..8d095c5b3b 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
@@ -1,7 +1,7 @@
name: Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
id: ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious use of `sfc.exe` to uninstall the Immunet Protect service on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
index 64d77e1d0d..c19f2c8aee 100644
--- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
+++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
@@ -1,7 +1,7 @@
name: Windows ClipBoard Data via Get-ClipBoard
id: ab73289e-2246-4de0-a14b-67006c72a893
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index 5c053df49d..66286ed5e5 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -1,7 +1,7 @@
name: Windows Cmdline Tool Execution From Non-Shell Process
id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 11
-date: '2026-03-26'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
index 84635007f1..7b1d6fe316 100644
--- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
@@ -1,7 +1,7 @@
name: Windows COM Hijacking InprocServer32 Modification
id: b7bd83c0-92b5-4fc7-b286-23eccfa2c561
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to modify InProcServer32 within the registry.
risk_objects:
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index 4e4fba8397..9e18b35eae 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -1,7 +1,7 @@
name: Windows Command and Scripting Interpreter Path Traversal Exec
id: 58fcdeb1-728d-415d-b0d7-3ab18a275ec2
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $parent_process_name$ has spawned a child $process_name$ with path traversal commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
index eb67e3bd21..a4485cdbc1 100644
--- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
+++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
@@ -1,7 +1,7 @@
name: Windows Command Shell DCRat ForkBomb Payload
id: 2bb1a362-7aa8-444a-92ed-1987e8da83e1
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple cmd.exe processes with child process of notepad.exe executed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
index 12bf73ccbc..19e58dcfd6 100644
--- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
+++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
@@ -1,7 +1,7 @@
name: Windows Common Abused Cmd Shell Risk Behavior
id: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Correlation
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Azorult
diff --git a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
index aff0140000..88b7eb04b7 100644
--- a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
+++ b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
@@ -1,7 +1,7 @@
name: Windows Compatibility Telemetry Suspicious Child Process
id: 56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate processes on $dest$
search: '| from datamodel Endpoint.Processes | search dest = "$dest$" AND process_name = "$process_name$"'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
index 70d753921b..aec5ce7e21 100644
--- a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
+++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Compatibility Telemetry Tampering Through Registry
id: 43834687-cc48-4878-a2fa-f76e4271791f
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate registry changes on $dest$
search: '| from datamodel Endpoint.Registry | search registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND dest = "$dest$"'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
index fca3f7a791..cb50805dfa 100644
--- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml
+++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
@@ -1,7 +1,7 @@
name: Windows Computer Account Created by Computer Account
id: 97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Computer Account on $dest$ created by a computer account (possibly indicative of Kerberos relay attack).
risk_objects:
diff --git a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
index 8ac44e2beb..13c207b9b1 100644
--- a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
+++ b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
@@ -1,7 +1,7 @@
name: Windows Computer Account Requesting Kerberos Ticket
id: fb3b2bb3-75a4-4279-848a-165b42624770
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Computer Account requested a Kerberos ticket on $dest$, possibly indicative of Kerberos relay attack.
risk_objects:
diff --git a/detections/endpoint/windows_computer_account_with_spn.yml b/detections/endpoint/windows_computer_account_with_spn.yml
index 66ad874a2f..3704f9515f 100644
--- a/detections/endpoint/windows_computer_account_with_spn.yml
+++ b/detections/endpoint/windows_computer_account_with_spn.yml
@@ -1,7 +1,7 @@
name: Windows Computer Account With SPN
id: 9a3e57e7-33f4-470e-b25d-165baa6e8357
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Computer Account was created with SPNs related to Kerberos on $dest$, possibly indicative of Kerberos relay attack.
risk_objects:
diff --git a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
index c6b368c495..5a81b381b7 100644
--- a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
+++ b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
@@ -1,7 +1,7 @@
name: Windows ComputerDefaults Spawning a Process
id: 697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A ComputerDefaults.exe process $parent_process_name$ spawning child process $process_name$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml
index 325b8672bb..a76184a1b1 100644
--- a/detections/endpoint/windows_conhost_with_headless_argument.yml
+++ b/detections/endpoint/windows_conhost_with_headless_argument.yml
@@ -1,7 +1,7 @@
name: Windows ConHost with Headless Argument
id: d5039508-998d-4cfc-8b5e-9dcd679d9a62
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows ConHost with Headless Argument detected on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_consolehost_history_file_deletion.yml b/detections/endpoint/windows_consolehost_history_file_deletion.yml
index f185647d30..8a850e0e5b 100644
--- a/detections/endpoint/windows_consolehost_history_file_deletion.yml
+++ b/detections/endpoint/windows_consolehost_history_file_deletion.yml
@@ -1,7 +1,7 @@
name: Windows ConsoleHost History File Deletion
id: a203040e-f8fd-49bb-8424-d2fabf277322
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ delete ConsoleHost_History.txt on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml
index 85352754a9..9e7f834bbd 100644
--- a/detections/endpoint/windows_create_local_account.yml
+++ b/detections/endpoint/windows_create_local_account.yml
@@ -1,7 +1,7 @@
name: Windows Create Local Account
id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following $user$ was added to $dest$ as a local account.
risk_objects:
diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
index 156422f187..128f331ef7 100644
--- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml
+++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
@@ -1,7 +1,7 @@
name: Windows Create Local Administrator Account Via Net
id: 2c568c34-bb57-4b43-9d75-19c605b98e70
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators group.
risk_objects:
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index be961edbe2..71dacfb5da 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,7 +1,7 @@
name: Windows Credential Access From Browser Password Store
id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Bhavin Patel Splunk
data_source:
- Windows Event Log Security 4663
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A non-common browser process $process_name$ accessing browser user data folder on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
index fb97161ad5..c7a8b1abbc 100644
--- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
+++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
@@ -1,7 +1,7 @@
name: Windows Credential Dumping LSASS Memory Createdump
id: b3b7ce35-fce5-4c73-85f4-700aeada81a9
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to dump a process.
risk_objects:
diff --git a/detections/endpoint/windows_credential_target_information_structure_in_commandline.yml b/detections/endpoint/windows_credential_target_information_structure_in_commandline.yml
index 762be04242..e275283e03 100644
--- a/detections/endpoint/windows_credential_target_information_structure_in_commandline.yml
+++ b/detections/endpoint/windows_credential_target_information_structure_in_commandline.yml
@@ -1,7 +1,7 @@
name: Windows Credential Target Information Structure in Commandline
id: f79c5d7a-dd99-4263-93e1-49ace5634c82
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of CREDENTIAL_TARGET_INFORMATION magic string was identified in a command on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
index d697e86461..f1ae7f0d41 100644
--- a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
+++ b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
@@ -1,7 +1,7 @@
name: Windows Credentials Access via VaultCli Module
id: c0d89118-3f89-4cd7-8140-1f39e7210681
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 7
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of process $process_name$ loading the file $ImageLoaded$ was identified on endpoint $dest$ to potentially capture credentials in memory.
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
index 800c4dc568..bfe237deb8 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
id: 4d14c86d-fdee-4393-94da-238d2706902f
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 11
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Chrome Password Store File [$file_name$] was copied in %temp% folder on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index d7b2a6ce1c..1ca7c6373a 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Chrome Extension Access
id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A non-chrome process $process_name$ accessing chrome browser extension folder files on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index 9e934f1374..cd9c101cf0 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Chrome LocalState Access
id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A non-chrome process $process_name$ accessing "Chrome\\User Data\\Local State" file on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index a7dda912ef..b008c87efb 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Chrome Login Data Access
id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A non-chrome process $process_name$ accessing Chrome "Login Data" file on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
index 278206ea9c..b69ef8c7fb 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Creation
id: c0c5a479-bf57-4ca0-af3a-4c7081e5ba05
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ was executed on $dest$ to create stored credentials
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
index 2d5ee96492..cd409423cb 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Deletion
id: 46d676aa-40c6-4fe6-b917-d23b621f0f89
-version: 11
-date: '2026-03-24'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ was executed on $dest$ to delete stored credentials
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml
index e65ed0ffcd..9c84712ea5 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_query.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Password Stores Query
id: db02d6b4-5d5b-4c33-8d8f-f0577516a8c7
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ was executed on $dest$ to display stored username and credentials.
risk_objects:
diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
index 5e06e277ff..579189928e 100644
--- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
+++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
@@ -1,7 +1,7 @@
name: Windows Credentials from Web Browsers Saved in TEMP Folder
id: b36b23ea-763c-417b-bd4a-6a378dabad1a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 11
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known credential file name - [$file_name$] was saved in %temp% folder of [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
index bd22976b37..9e87fbc306 100644
--- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml
+++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
@@ -1,7 +1,7 @@
name: Windows Credentials in Registry Reg Query
id: a8b3124e-2278-4b73-ae9c-585117079fb2
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: reg query commandline $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index 8d8301eb65..efc8e357ca 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -1,7 +1,7 @@
name: Windows Curl Download to Suspicious Path
id: c32f091e-30db-11ec-8738-acde48001122
-version: 19
-date: '2026-03-10'
+version: 20
+date: '2026-03-31'
author: Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -70,9 +70,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.
risk_objects:
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index fe8d9556d8..e3fecd7ad5 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -1,7 +1,7 @@
name: Windows Curl Upload to Remote Destination
id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.
risk_objects:
diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
index f07e608963..a707122d5d 100644
--- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
+++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Data Destruction Recursive Exec Files Deletion
id: 3596a799-6320-4a2f-8772-a9e98ddb2960
-version: 11
-date: '2026-03-16'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $process_name$ has removed a significant quantity of executable files, totaling [$count$], from the destination $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
index 8bfa78d125..0a21fcf378 100644
--- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
+++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
@@ -1,7 +1,7 @@
name: Windows Defacement Modify Transcodedwallpaper File
id: e11c3d90-5bc7-42ad-94cd-ba75db10d897
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modification or creation of transcodedwallpaper file by $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml
index d67ee016dc..130b68de79 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified.yml
@@ -1,7 +1,7 @@
name: Windows Default Group Policy Object Modified
id: fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A default group policy object was modified on $Computer$ by $SubjectUserSid$
risk_objects:
diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
index cfe597ed0c..046d3315c0 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
@@ -1,7 +1,7 @@
name: Windows Default Group Policy Object Modified with GPME
id: eaf688b3-bb8f-454d-b105-920a862cd8cb
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A default group policy object was opened with Group Policy Manage Editor on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml b/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml
index 942bb3e8da..3b76adbb83 100644
--- a/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml
+++ b/detections/endpoint/windows_default_rdp_file_creation_by_non_mstsc_process.yml
@@ -1,7 +1,7 @@
name: Windows Default RDP File Creation By Non MSTSC Process
id: 692226f1-84e3-4f63-a747-d53e65699608
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a file related to rdp connection named as default.rdp has been identified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_default_rdp_file_deletion.yml b/detections/endpoint/windows_default_rdp_file_deletion.yml
index 593b7faf10..5796da3f08 100644
--- a/detections/endpoint/windows_default_rdp_file_deletion.yml
+++ b/detections/endpoint/windows_default_rdp_file_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Default Rdp File Deletion
id: 30a334c1-f9a5-4fbd-8958-5b65a8435cb2
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a file related to rdp connection named as default.rdp has been deleted on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_default_rdp_file_unhidden.yml b/detections/endpoint/windows_default_rdp_file_unhidden.yml
index 5e0edf7f2b..3e30376c7d 100644
--- a/detections/endpoint/windows_default_rdp_file_unhidden.yml
+++ b/detections/endpoint/windows_default_rdp_file_unhidden.yml
@@ -1,7 +1,7 @@
name: Windows Default Rdp File Unhidden
id: f5c1f64b-db59-4913-991e-3dac8adff288
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process unhiding default.rdp on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml
index 7dffd60c2c..87fad6ff89 100644
--- a/detections/endpoint/windows_defender_asr_audit_events.yml
+++ b/detections/endpoint/windows_defender_asr_audit_events.yml
@@ -1,7 +1,7 @@
name: Windows Defender ASR Audit Events
id: 0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ASR audit event, $ASR_Rule$, was triggered on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml
index b64c721a67..ba32fe678b 100644
--- a/detections/endpoint/windows_defender_asr_block_events.yml
+++ b/detections/endpoint/windows_defender_asr_block_events.yml
@@ -1,7 +1,7 @@
name: Windows Defender ASR Block Events
id: 026f5f4e-e99f-4155-9e63-911ba587300b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ASR block event, $ASR_Rule$, was triggered on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_defender_asr_or_threat_configuration_tamper.yml b/detections/endpoint/windows_defender_asr_or_threat_configuration_tamper.yml
index 6e0db6ba3c..cf3608f0d7 100644
--- a/detections/endpoint/windows_defender_asr_or_threat_configuration_tamper.yml
+++ b/detections/endpoint/windows_defender_asr_or_threat_configuration_tamper.yml
@@ -1,7 +1,7 @@
name: Windows Defender ASR or Threat Configuration Tamper
id: d0c07718-19d1-4de2-aea9-e0ffff0ed986
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -67,9 +67,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ASR or Threat detection tamper activity executed via $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml
index f017326beb..a43ce903bb 100644
--- a/detections/endpoint/windows_defender_asr_rule_disabled.yml
+++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml
@@ -1,7 +1,7 @@
name: Windows Defender ASR Rule Disabled
id: 429d611b-3183-49a7-b235-fc4203c4e1cb
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ASR rule disabled event, $ASR_Rule$, was triggered on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index a4718436ab..42bf3e4d07 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -1,7 +1,7 @@
name: Windows Defender Exclusion Registry Entry
id: 13395a44-4dd9-11ec-9df7-acde48001122
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender
risk_objects:
diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
index 181514101d..d0fe197da3 100644
--- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
+++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
@@ -1,7 +1,7 @@
name: Windows Deleted Registry By A Non Critical Process File Path
id: 15e70689-f55b-489e-8a80-6d0cd6d8aad2
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The registry was deleted by a suspicious process named $process_name$ with the process path $process_path$ on dest $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
index d82bf3eb01..0d00f25344 100644
--- a/detections/endpoint/windows_detect_network_scanner_behavior.yml
+++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -1,7 +1,7 @@
name: Windows Detect Network Scanner Behavior
id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
risk_objects:
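Review bot: The rewritten search on the added line filters `normalized_risk_object IN ("$src$")` only, while the drilldown name on the context line above says it covers "$src$" and "$user$"; either `$user$` should be added to the IN list, `IN ("$src$", "$user$")`, or the name should stop mentioning it, otherwise an analyst expecting user-scoped risk history gets an incomplete view. This mismatch predates the commit, but the line is rewritten here, so it is the natural place to fix it. Whether `$user$` is actually one of this detection's risk objects is not visible in the hunk — the `risk_objects:` list continues outside it — so confirm before widening the filter.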
diff --git a/detections/endpoint/windows_developer_signed_msix_package_installation.yml b/detections/endpoint/windows_developer_signed_msix_package_installation.yml
index f36349c78f..e96518eb99 100644
--- a/detections/endpoint/windows_developer_signed_msix_package_installation.yml
+++ b/detections/endpoint/windows_developer_signed_msix_package_installation.yml
@@ -1,7 +1,7 @@
name: Windows Developer-Signed MSIX Package Installation
id: 2c0427aa-982c-4e97-bc33-bddeda4fd095
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A developer-signed MSIX package "$PackageMoniker$" was installed on $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index 65269f624f..729aa4639e 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Disable Change Password Through Registry
id: 0df33e1a-9ef6-11ec-a1ad-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification in "DisableChangePassword" on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_disable_internet_explorer_addons.yml b/detections/endpoint/windows_disable_internet_explorer_addons.yml
index 92420063af..184b539122 100644
--- a/detections/endpoint/windows_disable_internet_explorer_addons.yml
+++ b/detections/endpoint/windows_disable_internet_explorer_addons.yml
@@ -1,7 +1,7 @@
name: Windows Disable Internet Explorer Addons
id: 65224d8b-b95d-44ec-bb44-408d830c1258
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An iexplore.exe process with the -extoff flag was launched on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index 02cb50360a..b91adbc6e3 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Disable Lock Workstation Feature Through Registry
id: c82adbc6-9f00-11ec-a81f-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification in "DisableLockWorkstation" on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index dab668d5ab..b6f99e4b6d 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Disable LogOff Button Through Registry
id: b2fb6830-9ed1-11ec-9fcb-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification in "NoLogOff" on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml
index ee6a35f3eb..9001c5356f 100644
--- a/detections/endpoint/windows_disable_memory_crash_dump.yml
+++ b/detections/endpoint/windows_disable_memory_crash_dump.yml
@@ -1,7 +1,7 @@
name: Windows Disable Memory Crash Dump
id: 59e54602-9680-11ec-a8a6-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process was identified attempting to disable memory crash dumps on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml
index 81b588a3b9..3830a58d0a 100644
--- a/detections/endpoint/windows_disable_notification_center.yml
+++ b/detections/endpoint/windows_disable_notification_center.yml
@@ -1,7 +1,7 @@
name: Windows Disable Notification Center
id: 1cd983c8-8fd6-11ec-a09d-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Windows notification center was disabled on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index 90313540d0..7f206da9f7 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -1,7 +1,7 @@
name: Windows Disable or Modify Tools Via Taskkill
id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A taskkill process to terminate process is executed on host- $dest$
risk_objects:
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml
index 13fb1bd398..2cdcae9630 100644
--- a/detections/endpoint/windows_disable_or_stop_browser_process.yml
+++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml
@@ -1,7 +1,7 @@
name: Windows Disable or Stop Browser Process
id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 1
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process commandline- [$process$] that tries to kill browser on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
index e56d3f8932..8fdc102c36 100644
--- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Disable Shutdown Button Through Registry
id: 55fb2958-9ecd-11ec-a06a-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification in "shutdownwithoutlogon" on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
index ae16142aea..cd359fba2e 100644
--- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
+++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
@@ -1,7 +1,7 @@
name: Windows Disable Windows Event Logging Disable HTTP Logging
id: 23fb6787-255f-4d5b-9a66-9fd7504032b5
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable IIS HTTP Logging.
risk_objects:
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
index 7db6d173b4..ae7bdfe4fd 100644
--- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
+++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Disable Windows Group Policy Features Through Registry
id: 63a449ae-9f04-11ec-945e-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification to disable windows group policy features on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index b1ca41ec3c..d98b8b5419 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -1,7 +1,7 @@
name: Windows DisableAntiSpyware Registry
id: 23150a40-9301-4195-b802-5bb4f43067fb
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rod Soto, Jose Hernandez, Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows DisableAntiSpyware registry key set to 'disabled' on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml
index 61e3ee7a90..2412077121 100644
--- a/detections/endpoint/windows_diskshadow_proxy_execution.yml
+++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml
@@ -1,7 +1,7 @@
name: Windows Diskshadow Proxy Execution
id: 58adae9e-8ea3-11ec-90f6-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Lou Stella, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Signed Binary Proxy Execution on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_dism_install_powershell_web_access.yml b/detections/endpoint/windows_dism_install_powershell_web_access.yml
index 22ef83f10b..4ccf9d3e7c 100644
--- a/detections/endpoint/windows_dism_install_powershell_web_access.yml
+++ b/detections/endpoint/windows_dism_install_powershell_web_access.yml
@@ -1,7 +1,7 @@
name: Windows DISM Install PowerShell Web Access
id: fa6142a7-c364-4d11-9954-895dd9efb2d4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Windows Event Log Security 4688
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell Web Access has been installed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml
index 38f8074252..d6b51e4470 100644
--- a/detections/endpoint/windows_dism_remove_defender.yml
+++ b/detections/endpoint/windows_dism_remove_defender.yml
@@ -1,7 +1,7 @@
name: Windows DISM Remove Defender
id: 8567da9e-47f0-11ec-99a9-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Windows Defender.
risk_objects:
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
index c18039a362..cc415a8d2a 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
@@ -1,7 +1,7 @@
name: Windows DLL Search Order Hijacking with iscsicpl
id: f39ee679-3b1e-4f47-841c-5c3c580acda2
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to elevate access.
risk_objects:
diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml
index 88257c9666..ef8846771d 100644
--- a/detections/endpoint/windows_dll_side_loading_in_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml
@@ -1,7 +1,7 @@
name: Windows DLL Side-Loading In Calc
id: af01f6db-26ac-440e-8d89-2793e303f137
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The [ $Image$ ] process loaded the [ $ImageLoaded$ ] DLL from a non-standard location on [ $dest$ ]
risk_objects:
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
index 6a375a745a..5142160ccc 100644
--- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
@@ -1,7 +1,7 @@
name: Windows DLL Side-Loading Process Child Of Calc
id: 295ca9ed-e97b-4520-90f7-dfb6469902e1
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $parent_process_name$ spawned a child process of $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml
index bfc03fdc7f..b515036548 100644
--- a/detections/endpoint/windows_dns_gather_network_info.yml
+++ b/detections/endpoint/windows_dns_gather_network_info.yml
@@ -1,7 +1,7 @@
name: Windows DNS Gather Network Info
id: 347e0892-e8f3-4512-afda-dc0e3fa996f3
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
type: Anomaly
status: production
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process commandline $process$ to enumerate dns record on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_dns_query_request_to_tinyurl.yml b/detections/endpoint/windows_dns_query_request_to_tinyurl.yml
index a02582ec44..aad3f88c55 100644
--- a/detections/endpoint/windows_dns_query_request_to_tinyurl.yml
+++ b/detections/endpoint/windows_dns_query_request_to_tinyurl.yml
@@ -1,7 +1,7 @@
name: Windows DNS Query Request To TinyUrl
id: b1ea79da-719c-437c-acaf-5c93f838f425
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process $process_name$ made a DNS query for $QueryName$ on $dvc$
risk_objects:
diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml
index 47bc3f72de..2c7a7df4a3 100644
--- a/detections/endpoint/windows_dnsadmins_new_member_added.yml
+++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml
@@ -1,7 +1,7 @@
name: Windows DnsAdmins New Member Added
id: 27e600aa-77f8-4614-bc80-2662a67e2f48
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new member $user$ added to the DnsAdmins group by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
index d824a1ccf5..df16c79e4c 100644
--- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
+++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
@@ -1,7 +1,7 @@
name: Windows Domain Account Discovery Via Get-NetComputer
id: a7fbbc4e-4571-424a-b627-6968e1c939e4
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Domain Account Discovery Via Get-NetComputer on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
index f35c263f8d..736b5f1222 100644
--- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
+++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
@@ -1,7 +1,7 @@
name: Windows Domain Admin Impersonation Indicator
id: 10381f93-6d38-470a-9c30-d25478e3bd3f
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$TargetUserName$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$TargetUserName$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$TargetUserName$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $TargetUserName$ may be impersonating a Domain Administrator through a forged Kerberos ticket.
risk_objects:
diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
index ea86c832b4..9fa28d1eec 100644
--- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
+++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
@@ -1,7 +1,7 @@
name: Windows DotNet Binary in Non Standard Path
id: fddf3b56-7933-11ec-98a6-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -70,9 +70,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml
index 5cc7a661a1..69844242c9 100644
--- a/detections/endpoint/windows_driver_load_non_standard_path.yml
+++ b/detections/endpoint/windows_driver_load_non_standard_path.yml
@@ -1,7 +1,7 @@
name: Windows Driver Load Non-Standard Path
id: 9216ef3d-066a-4958-8f27-c84589465e62
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A kernel mode driver was loaded from a non-standard path on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_enable_powershell_web_access.yml b/detections/endpoint/windows_enable_powershell_web_access.yml
index 913940d706..555d54f725 100644
--- a/detections/endpoint/windows_enable_powershell_web_access.yml
+++ b/detections/endpoint/windows_enable_powershell_web_access.yml
@@ -1,7 +1,7 @@
name: Windows Enable PowerShell Web Access
id: 175bb2de-6227-416b-9678-9b61999cd21f
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Powershell Script Block Logging 4104
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell Web Access has been enabled on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
index 2390b9563a..5be85f3b7e 100644
--- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
+++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
@@ -1,7 +1,7 @@
name: Windows Enable Win32 ScheduledJob via Registry
id: 12c80db8-ef62-4456-92df-b23e1b3219f6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process has modified the schedule task registry value - EnableAt - on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
index 24a27d7b22..8e8e07a410 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
@@ -1,7 +1,7 @@
name: Windows ESX Admins Group Creation Security Event
id: 53b4c927-5ec4-47cd-8aed-d4b303304f87
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Windows Event Log Security 4727
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: ESX Admins group $EventCodeDescription$ on $dest$ by user $SubjectUserName$.
risk_objects:
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index 0dc4d0271c..5121eb1f8c 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
@@ -1,7 +1,7 @@
name: Windows ESX Admins Group Creation via Net
id: 3d7df60b-3332-4667-8090-afe03e08dce0
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to create an "ESX Admins" group was detected on $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
index 57475a6c1c..e6db661fcd 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows ESX Admins Group Creation via PowerShell
id: f48a5557-be06-4b96-b8e8-be563e387620
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Powershell Script Block Logging 4104
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell command to create "ESX Admins" group detected on host $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml
index 8f39354c62..123b5b377c 100644
--- a/detections/endpoint/windows_event_log_cleared.yml
+++ b/detections/endpoint/windows_event_log_cleared.yml
@@ -1,7 +1,7 @@
name: Windows Event Log Cleared
id: ad517544-aff9-4c96-bd99-d6eb43bfbb6a
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows $object$ cleared on $dest$ via EventCode $EventCode$
risk_objects:
diff --git a/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml b/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
index 7271dcb6ec..7f10aefd61 100644
--- a/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
+++ b/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
@@ -1,7 +1,7 @@
name: Windows Eventlog Cleared Via Wevtutil
id: fdb829a8-db84-4832-b64b-3e964cd44f01
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Eventlog was cleared using the Wevtutil.exe utility on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
index b8dbc6dd18..d8b622f309 100644
--- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
+++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
@@ -1,7 +1,7 @@
name: Windows EventLog Recon Activity Using Log Query Utilities
id: dc167f8b-3f9d-4460-9c98-8b6e703fd628
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -90,9 +90,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious log query $process$ command was run on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_excel_spawning_microsoft_project_application.yml b/detections/endpoint/windows_excel_spawning_microsoft_project_application.yml
index 31179265b1..f993ae416f 100644
--- a/detections/endpoint/windows_excel_spawning_microsoft_project_application.yml
+++ b/detections/endpoint/windows_excel_spawning_microsoft_project_application.yml
@@ -1,7 +1,7 @@
name: Windows Excel Spawning Microsoft Project Application
id: ee54241e-0815-4423-9729-e1f5dfc402de
-version: 1
-date: '2026-03-16'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $parent_process_name$ spawned $process_name$ on $dest$, indicative of ActivateMicrosoftApp() use
risk_objects:
diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml
index b15d38548e..95df383da0 100644
--- a/detections/endpoint/windows_excessive_disabled_services_event.yml
+++ b/detections/endpoint/windows_excessive_disabled_services_event.yml
@@ -1,7 +1,7 @@
name: Windows Excessive Disabled Services Event
id: c3f85976-94a5-11ec-9a58-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An excessive number (Count - $MessageCount$) of Windows services were disabled on dest - $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_excessive_service_stop_attempt.yml b/detections/endpoint/windows_excessive_service_stop_attempt.yml
index b0be2cf7b9..50ef6da02f 100644
--- a/detections/endpoint/windows_excessive_service_stop_attempt.yml
+++ b/detections/endpoint/windows_excessive_service_stop_attempt.yml
@@ -1,7 +1,7 @@
name: Windows Excessive Service Stop Attempt
id: 8f3a614f-6b98-4f7d-82dd-d0df38452a8b
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An excessive amount of $process_name$ was executed on $dest$ attempting to disable services.
risk_objects:
diff --git a/detections/endpoint/windows_excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml
index 8f8d0d106f..b19ce10ca9 100644
--- a/detections/endpoint/windows_excessive_usage_of_net_app.yml
+++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml
@@ -1,7 +1,7 @@
name: Windows Excessive Usage Of Net App
id: 355ba810-0a20-4215-8485-9ce3f87f2e38
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Excessive usage of net1.exe or net.exe within 1m, with command line $process$ has been detected on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml
index bb6b0aa8bd..18814569cd 100644
--- a/detections/endpoint/windows_executable_in_loaded_modules.yml
+++ b/detections/endpoint/windows_executable_in_loaded_modules.yml
@@ -1,7 +1,7 @@
name: Windows Executable in Loaded Modules
id: 3e27af56-fcf0-4113-988d-24969b062be7
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An executable $ImageLoaded$ loaded by $Image$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml b/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
index 4f588620a9..492105dba9 100644
--- a/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
+++ b/detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml
@@ -1,7 +1,7 @@
name: Windows Executable Masquerading as Benign File Types
id: 0470c8e7-dd8d-420f-8302-073e8a2b66f0
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A valid Windows PE executable $file_name$ located in $file_path$ was dropped on $dest$, disguised as a non-executable file type.
risk_objects:
diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
index 014b6b1149..04825319cf 100644
--- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
+++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
@@ -1,7 +1,7 @@
name: Windows Execute Arbitrary Commands with MSDT
id: e1d5145f-38fe-42b9-a5d5-457796715f97
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -47,9 +47,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A parent process $parent_process_name$ has spawned a child process $process_name$ on host $dest$ possibly indicative of indirect command execution.
risk_objects:
diff --git a/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml b/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml
index c15d1640df..3264b0753c 100644
--- a/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml
+++ b/detections/endpoint/windows_execution_of_microsoft_msc_file_in_suspicious_path.yml
@@ -1,7 +1,7 @@
name: Windows Execution of Microsoft MSC File In Suspicious Path
id: ac30858b-7c25-4f0a-a7fa-bef036e49dc3
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Microsoft Management Console process [ $process_name$ ] launched an .msc file [ $process$ ] on the target system [ $dest$ ].
risk_objects:
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
index fbd7b5f7fe..c7b6b5c9c5 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
@@ -1,7 +1,7 @@
name: Windows Exfiltration Over C2 Via Invoke RestMethod
id: 06ade821-f6fa-40d0-80af-15bc1d45b3ba
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script on $dest$ is attempting to transfer files to a remote URL.
risk_objects:
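Review bot: The rewritten drilldown still keys on `$Computer$` in `normalized_risk_object IN ("$Computer$")` while the rba message two lines below names the host as `$dest$`; if the detection's output field is `dest`, the `$Computer$` token will not substitute and the risk-event drilldown returns nothing. Changing the search to `normalized_risk_object IN ("$dest$")` (and the `name:` line to match) would align it with the risk object, provided `Computer` is indeed not an output field, which cannot be confirmed from the hunk. The same mismatch appears in the drilldown hunk of windows_exfiltration_over_c2_via_powershell_uploadstring.yml.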
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
index e5e36cea7d..7e50468769 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
@@ -1,7 +1,7 @@
name: Windows Exfiltration Over C2 Via Powershell UploadString
id: 59e8bf41-7472-412a-90d3-00f3afa452e9
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script on $dest$ is attempting to transfer files to a remote URL.
risk_objects:
diff --git a/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml b/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml
index 8e1c25bb0b..e0ed574f4a 100644
--- a/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml
+++ b/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml
@@ -1,7 +1,7 @@
name: Windows Explorer LNK Exploit Process Launch With Padding
id: 8775fcf3-05e4-4525-bba2-a56e39d8d050
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, AJ King, Splunk, Jesse Hunter, Splunk Community Contributor
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Explorer.exe spawning PowerShell or cmd.exe with excessive padding (50+ spaces) on $dest$ by $user$.
risk_objects:
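Review bot: The new `earliest_offset: 7d` / `latest_offset: 0` pair on the risk drilldown only works if the consumer treats these as look-back offsets from the alert time; if they are passed through as Splunk relative-time modifiers, `7d` means seven days forward and the window would be empty. The previous values were `$info_min_time$`/`$info_max_time$` tokens, so the unit and sign convention for literal values is not visible in this hunk — confirm against the drilldown schema and, if a Splunk modifier is expected, write `earliest_offset: -7d` and `latest_offset: now`. Also note `0` parses as a YAML integer while `7d` is a string; quote it as `'0'` if the schema types both fields as strings.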
diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml
index 83609ca5d2..e3ba83918c 100644
--- a/detections/endpoint/windows_export_certificate.yml
+++ b/detections/endpoint/windows_export_certificate.yml
@@ -1,7 +1,7 @@
name: Windows Export Certificate
id: d8ddfa9b-b724-4df9-9dbe-f34cc0936714
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An certificate was exported on $dest$ from the Windows Certificate Store.
risk_objects:
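Review bot: The risk message on the context line after the rewritten drilldown reads `An certificate was exported on $dest$ from the Windows Certificate Store.`; this string is what analysts see in the risk index, so it should be `A certificate was exported on $dest$ from the Windows Certificate Store.`. Separately, `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string — if the drilldown schema expects both as strings, quote it as `'0'`, and confirm that `7d` is interpreted as a seven-day look-back rather than a Splunk `+7d` modifier.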
diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
index 191bb40e9a..05ddaef30d 100644
--- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
+++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
@@ -1,7 +1,7 @@
name: Windows File and Directory Enable ReadOnly Permissions
id: 1ae407b0-a042-4eb0-834a-590da055575e
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 1
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$process_name$] was executed on [$dest$] attempting to change the access to a file or directory into readonly permissions.
risk_objects:
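Review bot: The rewritten drilldown now depends on the consumer's interpretation of a bare `7d` in `earliest_offset`; the drilldown name promises "the last 7 days", but nothing in this hunk shows whether the field is a look-back offset or a Splunk relative-time modifier (where `7d` would be forward in time). A one-line comment above the two offset lines stating the expected unit, e.g. `# offsets are relative to the alert time; 7d = seven-day look-back`, would make the intent checkable. Quoting `'0'` would also keep both offsets the same YAML type.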
diff --git a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
index 25c2c725b8..f1f7a80dd6 100644
--- a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
+++ b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
@@ -1,7 +1,7 @@
name: Windows File and Directory Permissions Enable Inheritance
id: 0247f90a-aca4-47b2-a94d-e30f445d7b41
-version: 5
-date: '2026-02-25'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
type: Hunting
status: production
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Crypto Stealer
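Review bot: This analytic is `type: Hunting` (visible above the hunk), yet the rewritten drilldown queries `Risk.All_Risk` for the last seven days; if hunting searches in this library do not write risk events, this drilldown will never return results and may mislead an analyst into thinking there is no related risk. Confirm whether a risk drilldown is intended here, or whether it should be dropped from this hunting search. If it is kept, note that `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string, and that `7d` must be a look-back offset rather than a Splunk `+7d` modifier for the window to be non-empty.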
diff --git a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
index 0ed277c304..75bfcf9a8a 100644
--- a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
+++ b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
@@ -1,7 +1,7 @@
name: Windows File and Directory Permissions Remove Inheritance
id: 9b62da2c-e442-474f-83ca-fac4dabab1b3
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 1
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$process_name$] was executed on [$dest$] attempting to remove inheritance permissions.
risk_objects:
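Review bot: `earliest_offset: 7d` on the rewritten drilldown is ambiguous in sign: as a Splunk relative-time modifier it is seven days ahead of the anchor, as a look-back offset it is seven days behind. The hunk gives no indication which convention the drilldown consumer applies, and the old `$info_min_time$` token hid this. Confirm against the schema; if a modifier is expected the lines should be `earliest_offset: -7d` and `latest_offset: now`.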
diff --git a/detections/endpoint/windows_file_collection_via_copy_utilities.yml b/detections/endpoint/windows_file_collection_via_copy_utilities.yml
index adfd1436df..e0ba2620a6 100644
--- a/detections/endpoint/windows_file_collection_via_copy_utilities.yml
+++ b/detections/endpoint/windows_file_collection_via_copy_utilities.yml
@@ -1,7 +1,7 @@
name: Windows File Collection Via Copy Utilities
id: dbdd556d-9da8-4c42-9980-8a3ffe25a758
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to collect documents..
risk_objects:
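Review bot: The risk message on the context line below the rewritten drilldown ends with a doubled period (`attempting to collect documents..`); since this text lands in the risk index, trim it to `attempting to collect documents.`. On the drilldown itself, `latest_offset: 0` parses as an integer whereas `earliest_offset: 7d` is a string — quote `'0'` if the schema types both as strings, and confirm `7d` is read as a seven-day look-back rather than a Splunk forward modifier.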
diff --git a/detections/endpoint/windows_file_download_via_certutil.yml b/detections/endpoint/windows_file_download_via_certutil.yml
index 6bab7c184e..3387dce6c8 100644
--- a/detections/endpoint/windows_file_download_via_certutil.yml
+++ b/detections/endpoint/windows_file_download_via_certutil.yml
@@ -1,7 +1,7 @@
name: Windows File Download Via CertUtil
id: 7fac8d40-e370-45ea-a4a3-031bbcc18b02
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.
risk_objects:
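Review bot: The rewritten search line interpolates `$user$` and `$dest$` verbatim into `IN ("$user$", "$dest$")`; a value that contains a double quote or SPL operator would break, or alter, the generated search. This is inherited from the previous line rather than introduced here, but since the line is being rewritten it is worth checking whether the drilldown token syntax offers an escaping filter and applying it, or at least documenting the assumption with `# assumes token values contain no double quotes`. Separately, confirm that a bare `7d` in `earliest_offset` is a look-back offset for this consumer and not a Splunk `+7d` modifier.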
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml
index 4f55463717..4a680026c1 100644
--- a/detections/endpoint/windows_file_download_via_powershell.yml
+++ b/detections/endpoint/windows_file_download_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows File Download Via PowerShell
id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -47,9 +47,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: File download activity initiated on $dest$ by user $user$. $process_name$ was identified calling a download function $process$
risk_objects:
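Review bot: `latest_offset: 0` on the rewritten drilldown is a YAML integer while `earliest_offset: 7d` is a string; if the drilldown model validates both as strings this will fail validation, and if it validates them as numbers `7d` will. Either quote it as `latest_offset: '0'` or use a form that is unambiguously the same type as the other field. The hunk does not show which type the schema expects, so confirm with the content model before merging.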
diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml
index e8e95e4f09..55c5a8c4bd 100644
--- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml
+++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml
@@ -1,7 +1,7 @@
name: Windows File Share Discovery With Powerview
id: a44c0be1-d7ab-41e4-92fd-aa9af4fe232c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Invoke-ShareFinder commandlet was executed on $dest$
risk_objects:
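Review bot: The rewritten drilldown keys on both `$dest$` and `$user_id$`, but the risk message below only mentions `$dest$`; if `user_id` is also a risk object it would help analysts to include it, e.g. `Invoke-ShareFinder commandlet was executed on $dest$ by $user_id$`. On the offsets, confirm that a bare `7d` is interpreted as a seven-day look-back rather than a Splunk `+7d` modifier, and consider quoting `'0'` so both fields are strings.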
diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
index 841d9e11c7..fbf3333d88 100644
--- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
@@ -1,7 +1,7 @@
name: Windows File Transfer Protocol In Non-Common Process Path
id: 0f43758f-1fe9-470a-a9e4-780acc4d5407
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ is having a FTP connection to $dest$ in $dest_ip$
risk_objects:
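Review bot: The sign convention of `earliest_offset: 7d` is not determinable from this hunk: as a Splunk relative-time modifier `7d` is forward in time and the seven-day window would be empty, while as a look-back offset it matches the drilldown name. The previous `$info_min_time$` token sidestepped this, so the literal form needs confirming against the drilldown schema; `earliest_offset: -7d` / `latest_offset: now` would be the explicit modifier form. `0` also parses as an integer rather than a string, unlike `7d`.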
diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
index 9902181880..44d1b2fb5d 100644
--- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
+++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
@@ -1,7 +1,7 @@
name: Windows File Without Extension In Critical Folder
id: 0dbcac64-963c-11ec-bf04-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Bhavin Patel, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Driver file with out file extension drop in $file_path$ on $dest$
risk_objects:
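Review bot: The rewritten drilldown filters `normalized_risk_object IN ("$user$")` only, while the risk message and the detection's subject are the host (`$dest$`, `$file_path$`); if `dest` is among the risk objects declared below the hunk, analysts will not see its related risk events from this drilldown. If so, change the filter to `IN ("$user$", "$dest$")` and the name to match. Also confirm that `7d` is read as a look-back offset and not a Splunk `+7d` modifier, and consider quoting `'0'` to keep both offsets strings.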
diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
index db18fc9529..dc81dadf71 100644
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
+++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
@@ -1,7 +1,7 @@
name: Windows Files and Dirs Access Rights Modification Via Icacls
id: c76b796c-27e1-4520-91c4-4a58695c749e
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ with access right modification argument executed by $user$ to change security permission of a specific file or directory on host $dest$
risk_objects:
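Review bot: The two new offset lines mix YAML types — `7d` is a string, `0` is an integer — and the hunk does not show whether the drilldown model accepts either; quote it as `latest_offset: '0'` so both are strings, or confirm the schema coerces. Separately, `7d` without a sign is only a seven-day look-back if the consumer treats `earliest_offset` as an offset; as a Splunk relative-time modifier it would point seven days forward, so this should be verified before relying on the "last 7 days" wording in the name.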
diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
index 86ce1fa60c..d5f181a806 100644
--- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
+++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
@@ -1,7 +1,7 @@
name: Windows Find Domain Organizational Units with GetDomainOU
id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user_id$.
risk_objects:
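Review bot: The rewritten search interpolates `$dest$` and `$user_id$` verbatim inside `IN ("$dest$", "$user_id$")`; a user_id value containing a double quote would break the generated SPL or change its scope. This predates the change, but the line is being rewritten, so it is the moment to apply the token-escaping form if the drilldown syntax has one, or to record the assumption with a comment such as `# token values are assumed free of double quotes`. Also confirm that a bare `7d` is a look-back offset for this consumer, not a Splunk forward modifier.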
diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
index 86525333e1..262a617289 100644
--- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
+++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
@@ -1,7 +1,7 @@
name: Windows Find Interesting ACL with FindInterestingDomainAcl
id: e4a96dfd-667a-4487-b942-ccef5a1e81e8
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user_id$.
risk_objects:
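Review bot: `earliest_offset: 7d` and `latest_offset: 0` on the rewritten drilldown assume an offset semantics that this hunk cannot confirm; under Splunk relative-time rules `7d` is seven days ahead, which would make the window empty. Since the old values were `$info_min_time$`/`$info_max_time$` tokens, there is no literal precedent here to compare against — check the drilldown schema and use `-7d` / `now` if it takes Splunk modifiers. Quoting `'0'` would also avoid the string/integer mismatch between the two fields.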
diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml
index 13b4d3dc27..9dede788b2 100644
--- a/detections/endpoint/windows_findstr_gpp_discovery.yml
+++ b/detections/endpoint/windows_findstr_gpp_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Findstr GPP Discovery
id: 1631ac2d-f2a9-42fa-8a59-d6e210d472f5
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Findstr was executed to discover GPP credentials on $dest$
risk_objects:
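Review bot: The new `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string, so the two offset fields now have different types; quote it as `'0'` unless the content model is known to coerce. The direction of `7d` also needs confirming — as a Splunk relative-time modifier it is forward in time, and only as a look-back offset does it match the "last 7 days" in the drilldown name.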
diff --git a/detections/endpoint/windows_firewall_rule_added.yml b/detections/endpoint/windows_firewall_rule_added.yml
index ced1bdfa10..c5752d2bb4 100644
--- a/detections/endpoint/windows_firewall_rule_added.yml
+++ b/detections/endpoint/windows_firewall_rule_added.yml
@@ -1,7 +1,7 @@
name: Windows Firewall Rule Added
id: efc25501-4e75-4075-8cc5-ac80f2847d80
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a new firewall rule $RuleName$ added on $dest$.
risk_objects:
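Review bot: The bare `7d` in `earliest_offset` on the rewritten drilldown is only a seven-day look-back if the consumer treats the field as an offset; as a Splunk relative-time modifier it would be seven days forward and return nothing. The hunk replaces `$info_min_time$`/`$info_max_time$` tokens with literals without showing the expected unit or sign, so confirm against the schema; `earliest_offset: -7d` / `latest_offset: now` is the unambiguous modifier form. `0` is also an integer in YAML while `7d` is a string.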
diff --git a/detections/endpoint/windows_firewall_rule_deletion.yml b/detections/endpoint/windows_firewall_rule_deletion.yml
index ef77ca6011..3bc97fc24a 100644
--- a/detections/endpoint/windows_firewall_rule_deletion.yml
+++ b/detections/endpoint/windows_firewall_rule_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Firewall Rule Deletion
id: ca5327e1-0a91-4e23-bbd4-8901806c00e1
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a firewall rule $RuleName$ has been modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_firewall_rule_modification.yml b/detections/endpoint/windows_firewall_rule_modification.yml
index 2a11629c3a..a736b8a81f 100644
--- a/detections/endpoint/windows_firewall_rule_modification.yml
+++ b/detections/endpoint/windows_firewall_rule_modification.yml
@@ -1,7 +1,7 @@
name: Windows Firewall Rule Modification
id: fe7efbf7-5f82-44b9-8c33-316189ab2393
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a firewall rule $RuleName$ has been modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
index d9d3282bdd..b5c86cd142 100644
--- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
+++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
@@ -1,7 +1,7 @@
name: Windows Forest Discovery with GetForestDomain
id: a14803b2-4bd9-4c08-8b57-c37980edebe8
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user_id$.
risk_objects:
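Review bot: The rewritten `search:` line filters `normalized_risk_object IN ("$dest$", "$user$")`, but the rba message two lines below refers to the user as `$user_id$`; if the risk object for this detection is `user_id` rather than `user` (the `risk_objects:` list is cut off here, so this is inferred), the `$user$` token would expand empty and the drilldown would only ever match the host. Worth confirming against the risk_objects entries and, if so, changing the token to `"$user_id$"` in both the `name:` and `search:` lines, as the sibling detections in this chunk already do.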
diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml
index 3558c17429..52faab7a49 100644
--- a/detections/endpoint/windows_gather_victim_host_information_camera.yml
+++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml
@@ -1,7 +1,7 @@
name: Windows Gather Victim Host Information Camera
id: e4df4676-ea41-4397-b160-3ee0140dc332
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Powershell script to enumerate camera detected on host - $dest$
risk_objects:
diff --git a/detections/endpoint/windows_gdrive_binary_activity.yml b/detections/endpoint/windows_gdrive_binary_activity.yml
index 08c19738f2..f1cf0fe83f 100644
--- a/detections/endpoint/windows_gdrive_binary_activity.yml
+++ b/detections/endpoint/windows_gdrive_binary_activity.yml
@@ -1,7 +1,7 @@
name: Windows Gdrive Binary Activity
id: 9e7bd7c8-1c08-496e-9ffe-fd84ceb322e7
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified attempting to interact with Google Drive on endpoint $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
index ba9d11c63d..0ca86f55c8 100644
--- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Get-AdComputer Unconstrained Delegation Discovery
id: c8640777-469f-4638-ab44-c34a3233ffac
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-ADComputer was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
index 30fa149236..f811f51d78 100644
--- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
+++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
@@ -1,7 +1,7 @@
name: Windows Get Local Admin with FindLocalAdminAccess
id: d2988160-3ce9-4310-b59d-905334920cdd
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user_id$.
risk_objects:
diff --git a/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml b/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml
index dc64ba1f53..8792c3fb18 100644
--- a/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml
+++ b/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml
@@ -1,7 +1,7 @@
name: Windows Global Object Access Audit List Cleared Via Auditpol
id: 802a0930-0a4a-4451-bf6c-6366c6b6d9e7
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to clear the global object access audit policy on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml
index 80e7f3f1ef..d07f2e18ef 100644
--- a/detections/endpoint/windows_group_policy_object_created.yml
+++ b/detections/endpoint/windows_group_policy_object_created.yml
@@ -1,7 +1,7 @@
name: Windows Group Policy Object Created
id: 23add2a8-ea22-4fd4-8bc0-8c0b822373a1
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$User$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$User$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$User$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new group policy objected was created by $User$
risk_objects:
diff --git a/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml b/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
index 1cfff8e4df..5d16aaecf7 100644
--- a/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
+++ b/detections/endpoint/windows_handle_duplication_in_known_uac_bypass_binaries.yml
@@ -1,7 +1,7 @@
name: Windows Handle Duplication in Known UAC-Bypass Binaries
id: d7369bf5-1315-4138-b927-2dd8bb8c1da7
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $SourceImage$ is duplicating the handle token of $TargetImage$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml
index 3ec19daf6b..fbb1abf0f3 100644
--- a/detections/endpoint/windows_hidden_schedule_task_settings.yml
+++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml
@@ -1,7 +1,7 @@
name: Windows Hidden Schedule Task Settings
id: 0b730470-5fe8-4b13-93a7-fe0ad014d0cc
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A schedule task with hidden setting enable in host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml
index 7bbcd2406b..45838e1ad8 100644
--- a/detections/endpoint/windows_hide_notification_features_through_registry.yml
+++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml
@@ -1,7 +1,7 @@
name: Windows Hide Notification Features Through Registry
id: cafa4bce-9f06-11ec-a7b2-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification to hide windows notification on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml
index 41f913f007..bcf18d7df8 100644
--- a/detections/endpoint/windows_high_file_deletion_frequency.yml
+++ b/detections/endpoint/windows_high_file_deletion_frequency.yml
@@ -1,7 +1,7 @@
name: Windows High File Deletion Frequency
id: 45b125c4-866f-11eb-a95a-acde48001122
-version: 13
-date: '2026-03-16'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Elevated file deletion rate observed from process [$process_name$] on machine $dest$
risk_objects:
diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
index 926ac871dd..efe3df28c0 100644
--- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
+++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
@@ -1,7 +1,7 @@
name: Windows Hijack Execution Flow Version Dll Side Load
id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $Image$ loading $ImageLoaded$ as a side load dll on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml
index 1fb234ed19..c636f4b5d2 100644
--- a/detections/endpoint/windows_hosts_file_access.yml
+++ b/detections/endpoint/windows_hosts_file_access.yml
@@ -1,7 +1,7 @@
name: Windows Hosts File Access
id: b34bcf35-5380-4b00-b208-5531303fb751
-version: 2
-date: '2026-03-26'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index afa063fd22..8dda997686 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -1,7 +1,7 @@
name: Windows HTTP Network Communication From MSIExec
id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$
risk_objects:
diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml
index dc04912cda..680e52a58b 100644
--- a/detections/endpoint/windows_iis_components_add_new_module.yml
+++ b/detections/endpoint/windows_iis_components_add_new_module.yml
@@ -1,7 +1,7 @@
name: Windows IIS Components Add New Module
id: 38fe731c-1f13-43d4-b878-a5bbe44807e3
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to install a new IIS module.
risk_objects:
diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
index 5c0f053df9..83cee61310 100644
--- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml
+++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
@@ -1,7 +1,7 @@
name: Windows IIS Components Module Failed to Load
id: 40c2ba5b-dd6a-496b-9e6e-c9524d0be167
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new IIS Module has been loaded and should be reviewed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml
index 674bb101a5..78b7dba538 100644
--- a/detections/endpoint/windows_iis_components_new_module_added.yml
+++ b/detections/endpoint/windows_iis_components_new_module_added.yml
@@ -1,7 +1,7 @@
name: Windows IIS Components New Module Added
id: 55f22929-cfd3-4388-ba5c-4d01fac7ee7e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new IIS Module has been loaded and should be reviewed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
index d414212493..52f799f17e 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Change Win Defender Health Check Intervals
id: 5211c260-820e-4366-b983-84bbfb5c263a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: change in the health check interval of Windows Defender on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
index c9d92af52a..3cf058d4a9 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Change Win Defender Quick Scan Interval
id: 783f0798-f679-4c17-b3b3-187febf0b9b8
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender QuickScanInterval feature was modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
index dd2bca9b60..5cb6a7879d 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Change Win Defender Throttle Rate
id: f7da5fca-9261-43de-a4d0-130dad1e4f4d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender ThrottleDetectionEventsRate feature was modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
index effaa4337f..5c46648c71 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Change Win Defender Tracing Level
id: fe9391cd-952a-4c64-8f56-727cb0d4f2d4
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender WppTracingLevel registry was modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
index 4a1a689d92..5a99546c1b 100644
--- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
+++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Configure App Install Control
id: c54b7439-cfb1-44c3-bb35-b0409553077c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Define Windows Defender App Install Control registry set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
index fb0a8cfcb2..0d43c0dc9a 100644
--- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
+++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Define Win Defender Threat Action
id: 7215831c-8252-4ae3-8d43-db588e82f952
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Define Windows Defender threat action through registry on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
index 8d1f792454..fd4a3ebe9f 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Delete Win Defender Profile Registry
id: 65d4b105-ec52-48ec-ac46-289d0fbf7d96
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender Logger registry key set to 'disabled' on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
index 99e9826c06..4f42d53d43 100644
--- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
+++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Deny Security Software With Applocker
id: e0b6ca60-9e29-4450-b51a-bba0abae2313
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Applocker registry modification to deny the action of several AV products on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
index c752f50fd4..6ab560e8af 100644
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
+++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Controlled Folder Access
id: 3032741c-d6fc-4c69-8988-be8043d6478c
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender ControlledFolderAccess feature set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
index 14212e5336..97a7fb735b 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Defender Firewall And Network
id: 8467d8cd-b0f9-46fa-ac84-a30ad138983e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender firewall and network protection section feature set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
index 2329baf7ca..2cbcd151bb 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Defender Protocol Recognition
id: b2215bfb-6171-4137-af17-1a02fdd8d043
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender Protocol Recognition set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
index e480d5ddf7..ab35d16a43 100644
--- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable PUA Protection
id: fbfef407-cfee-4866-88c1-f8de1c16147c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender PUA protection set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
index bfc1262bd4..494d8a4753 100644
--- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
+++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Realtime Signature Delivery
id: ffd99aea-542f-448e-b737-091c1b417274
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender File realtime signature delivery set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
index 31daa0830f..c39e1f1366 100644
--- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
+++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Web Evaluation
id: e234970c-dcf5-4f80-b6a9-3a562544ca5b
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender web content evaluation feature set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
index d7bdbd96f2..5f032cfac2 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender App Guard
id: 8b700d7e-54ad-4d7d-81cc-1456c4703306
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender AuditApplicationGuard feature set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
index d66ba228f7..e71805257e 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender Compute File Hashes
id: fe52c280-98bd-4596-b6f6-a13bbf8ac7c6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender File hashes computation set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
index b40746c8ce..99851462f7 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender Gen reports
id: 93f114f6-cb1e-419b-ac3f-9e11a3045e70
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender DisableGenericRePorts registry is set to enable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
index 8cc3611ddc..65bd7ddebb 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender Network Protection
id: 8b6c15c7-5556-463d-83c7-986326c21f12
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender Exploit Guard network protection set to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
index 014500e640..ec5c857b1c 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender Report Infection
id: 201946c6-b1d5-42bb-a7e0-5f7123f47fc4
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender DontReportInfectionInformation registry is enabled on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
index cc1628bb9f..46b94e4e01 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender Scan On Update
id: 0418e72f-e710-4867-b656-0688e1523e09
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender DisableScanOnUpdate feature set to enable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
index 3de6a04931..7cde424678 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Disable Win Defender Signature Retirement
id: 7567a72f-bada-489d-aef1-59743fb64a66
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender DisableSignatureRetirement registry is set to enable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
index bf7c5ac82b..7a6de6858b 100644
--- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
+++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Overide Win Defender Phishing Filter
id: 10ca081c-57b1-4a78-ba56-14a40a7e116a
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Bhavin Patel, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender Phishing Filter registry was modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
index 1df5558926..b4fdcf5c43 100644
--- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
+++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Override SmartScreen Prompt
id: 08058866-7987-486f-b042-275715ef6e9d
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender SmartScreen prompt was override on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
index a5a4df89c6..44a733a9a3 100644
--- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
+++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defense Set Win Defender Smart Screen Level To Warn
id: cc2a3425-2703-47e7-818f-3dca1b0bc56f
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender SmartScreen Level to Warn on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
index a4cc303da4..d663613164 100644
--- a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defenses Disable Auto Logger Session
id: dc6a5613-d024-47e7-9997-ab6477a483d3
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Auto Logger Session or Provider registry value set to 'disabled' on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
index 6fb1ba867b..ea2ae73812 100644
--- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defenses Disable AV AutoStart via Registry
id: 31a13f43-812e-4752-a6ca-c6c87bf03e83
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: disable anti-virus autostart via registry on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
index d39a7b1cb4..fc8b37297a 100644
--- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defenses Disable HVCI
id: b061dfcc-f0aa-42cc-a6d4-a87f172acb79
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: HVCI has been disabled on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
index 470c1e250e..04b0df1c85 100644
--- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
@@ -1,7 +1,7 @@
name: Windows Impair Defenses Disable Win Defender Auto Logging
id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Defender Logger registry key set to 'disabled' on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_important_audit_policy_disabled.yml b/detections/endpoint/windows_important_audit_policy_disabled.yml
index 47ea560616..1512a25286 100644
--- a/detections/endpoint/windows_important_audit_policy_disabled.yml
+++ b/detections/endpoint/windows_important_audit_policy_disabled.yml
@@ -1,7 +1,7 @@
name: Windows Important Audit Policy Disabled
id: 1bf500e5-1226-41d9-af5d-ed1f577929f2
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
type: TTP
status: production
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Important audit policy "$SubCategory$" of category "$Category$" was disabled on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml b/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml
index 04e4d0dcec..27a1a072af 100644
--- a/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml
+++ b/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml
@@ -1,7 +1,7 @@
name: Windows Increase in Group or Object Modification Activity
id: 4f9564dd-a204-4f22-b375-4dfca3a68731
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Spike in Group or Object Modifications performed by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_increase_in_user_modification_activity.yml b/detections/endpoint/windows_increase_in_user_modification_activity.yml
index d2339efc59..c093e4a66c 100644
--- a/detections/endpoint/windows_increase_in_user_modification_activity.yml
+++ b/detections/endpoint/windows_increase_in_user_modification_activity.yml
@@ -1,7 +1,7 @@
name: Windows Increase in User Modification Activity
id: 0995fca1-f346-432f-b0bf-a66d14e6b428
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Spike in User Modification actions performed by $src_user$
risk_objects:
diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
index ddb33ef4bc..66a13a6d15 100644
--- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml
+++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
@@ -1,7 +1,7 @@
name: Windows Indicator Removal Via Rmdir
id: c4566d2c-b094-48a1-9c59-d66e22065560
-version: 10
-date: '2026-03-24'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process execute rmdir command to delete files and directory tree on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
index bddc15262c..681c531340 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
@@ -1,7 +1,7 @@
name: Windows Indirect Command Execution Via forfiles
id: 1fdf31c9-ff4d-4c48-b799-0e8666e08787
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Eric McGinnis, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The forfiles command (forfiles.exe) launched the process name - $process_name$
risk_objects:
diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
index 8ff2fd36c7..6762eb002f 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
@@ -1,7 +1,7 @@
name: Windows Indirect Command Execution Via pcalua
id: 3428ac18-a410-4823-816c-ce697d26f7a8
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Eric McGinnis, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Program Compatability Assistant (pcalua.exe) launched the process $process_name$
risk_objects:
diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
index 01c89eec4a..6923e3f8eb 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
@@ -1,7 +1,7 @@
name: Windows Indirect Command Execution Via Series Of Forfiles
id: bfdaabe7-3db8-48c5-80c1-220f9b8f22be
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: excessive forfiles process execution on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml
index f2cab5ced7..3bf8d824b3 100644
--- a/detections/endpoint/windows_information_discovery_fsutil.yml
+++ b/detections/endpoint/windows_information_discovery_fsutil.yml
@@ -1,7 +1,7 @@
name: Windows Information Discovery Fsutil
id: 2181f261-93e6-4166-a5a9-47deac58feff
-version: 11
-date: '2026-03-26'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ with commandline $process$ is executed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
index 8323d5ab6d..79cc7e04ba 100644
--- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
+++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
@@ -1,7 +1,7 @@
name: Windows Ingress Tool Transfer Using Explorer
id: 76753bab-f116-4ea3-8fb9-89b638be58a9
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.
risk_objects:
diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
index 5d1f2c10b9..ba0acd3bc3 100644
--- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
+++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
@@ -1,7 +1,7 @@
name: Windows InProcServer32 New Outlook Form
id: fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Sysmon EventID 13
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry key associated with a new Outlook form installation was created or modified. This could indicate exploitation of CVE-2024-21378 on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml
index bdf1a97736..4499689d4a 100644
--- a/detections/endpoint/windows_installutil_credential_theft.yml
+++ b/detections/endpoint/windows_installutil_credential_theft.yml
@@ -1,7 +1,7 @@
name: Windows InstallUtil Credential Theft
id: ccfeddec-43ec-11ec-b494-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazo, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of process name [$process_name$] loading a file [$loaded_file$] was identified on endpoint- [$dest$] to potentially capture credentials in memory.
risk_objects:
diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml
index 0d1095af5d..e38be09b37 100644
--- a/detections/endpoint/windows_installutil_in_non_standard_path.yml
+++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml
@@ -1,7 +1,7 @@
name: Windows InstallUtil in Non Standard Path
id: dcf74b22-7933-11ec-857c-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ from a non-standard path was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
index d48478de3a..576def4e32 100644
--- a/detections/endpoint/windows_installutil_remote_network_connection.yml
+++ b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -1,7 +1,7 @@
name: Windows InstallUtil Remote Network Connection
id: 4fbf9270-43da-11ec-9486-acde48001122
-version: 17
-date: '2026-03-10'
+version: 18
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ generating a remote download.
risk_objects:
diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml
index 8f5dd588ff..05e641a88d 100644
--- a/detections/endpoint/windows_installutil_uninstall_option.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option.yml
@@ -1,7 +1,7 @@
name: Windows InstallUtil Uninstall Option
id: cfa7b9ac-43f0-11ec-9b48-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ performing an uninstall.
risk_objects:
diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml
index 4fe7ebc177..f39d93d7a9 100644
--- a/detections/endpoint/windows_installutil_url_in_command_line.yml
+++ b/detections/endpoint/windows_installutil_url_in_command_line.yml
@@ -1,7 +1,7 @@
name: Windows InstallUtil URL in Command Line
id: 28e06670-43df-11ec-a569-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ passing a URL on the command-line.
risk_objects:
diff --git a/detections/endpoint/windows_kerberos_coercion_via_dns.yml b/detections/endpoint/windows_kerberos_coercion_via_dns.yml
index bc85d927bb..193f730602 100644
--- a/detections/endpoint/windows_kerberos_coercion_via_dns.yml
+++ b/detections/endpoint/windows_kerberos_coercion_via_dns.yml
@@ -1,7 +1,7 @@
name: Windows Kerberos Coercion via DNS
id: 9029b575-6f6b-4ab1-b660-67b24b7e9c3d
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A possible Kerberos coercion DNS object was created $dest$
risk_objects:
diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml
index 9a94cf8e6b..3caa0b7cc4 100644
--- a/detections/endpoint/windows_kerberos_local_successful_logon.yml
+++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml
@@ -1,7 +1,7 @@
name: Windows Kerberos Local Successful Logon
id: 8309c3a8-4d34-48ae-ad66-631658214653
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A successful localhost Kerberos authentication event occurred on $dest$, possibly indicative of Kerberos relay attack.
risk_objects:
diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml
index abc64d8807..89195043bd 100644
--- a/detections/endpoint/windows_known_abused_dll_created.yml
+++ b/detections/endpoint/windows_known_abused_dll_created.yml
@@ -1,7 +1,7 @@
name: Windows Known Abused DLL Created
id: ea91651a-772a-4b02-ac3d-985b364a5f07
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The file [$file_name$] was written to an unusual location on [$dest$].
risk_objects:
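Review bot: `latest_offset: 0` on the new side is parsed by YAML as the integer 0 while its sibling `earliest_offset: 7d` is a string, so the two offsets now reach the content build with different types; if the drilldown schema declares the offset as a string, an unquoted 0 can be rejected or silently re-rendered. Writing it as `latest_offset: '0'` keeps both offsets strings, consistent with the `$info_min_time$`/`$info_max_time$` values still used by the first drilldown above. I cannot see the schema from this hunk, so verify against the contentctl drilldown model before changing every file.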
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
index 02e7ac8c03..fca89cb078 100644
--- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
+++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -1,7 +1,7 @@
name: Windows Known Abused DLL Loaded Suspiciously
id: dd6d1f16-adc0-4e87-9c34-06189516b803
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The module [$loaded_file$] was loaded from an unusual location.
risk_objects:
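Review bot: The rewritten search still interpolates `$dest$` and `$user$` directly into `normalized_risk_object IN ("…")` with no escaping, so a risk-object value containing a double quote or pipe — a user or host field that ultimately comes from logged, attacker-influenced data — would break or alter the drilldown SPL. Since this line is being re-emitted anyway, confirm whether ES escapes substituted drilldown tokens; if it does not, prefer a quoting filter on the token (e.g. `$dest|s$`, if ES honours the Simple-XML filter here) or a `where` comparison over raw interpolation. This is pre-existing rather than introduced by the commit, but the new line carries it forward unchanged.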
diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
index 7b6c27571b..76858b5fd7 100644
--- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
+++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
@@ -1,7 +1,7 @@
name: Windows Known GraphicalProton Loaded Modules
id: bf471c94-0324-4b19-a113-d02749b969bc
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Known GraphicalProton backdoor Loaded Modules on $dest$.
risk_objects:
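Review bot: Removing `starthoursago=168` changes what bounds the search: previously the 168-hour filter was applied inside the SPL regardless of the drilldown's time picker, whereas now the bound lives only in `earliest_offset: 7d`, which I presume ES resolves relative to the notable's event time. If that is right, the drilldown name "last 7 days" is now relative to the GraphicalProton module-load event rather than to now, and `latest_offset: 0` drops risk recorded after the notable; either confirm the offset semantics and rename the drilldown accordingly, or widen `latest_offset`. The `risk_objects` list that decides which entity the drilldown pivots on starts after this hunk.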
diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml
index a28be79bc8..bd8e8b927c 100644
--- a/detections/endpoint/windows_krbrelayup_service_creation.yml
+++ b/detections/endpoint/windows_krbrelayup_service_creation.yml
@@ -1,7 +1,7 @@
name: Windows KrbRelayUp Service Creation
id: e40ef542-8241-4419-9af4-6324582ea60a
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service was created on $dest$, related to KrbRelayUp.
risk_objects:
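Review bot: The new `latest_offset: 0` is an unquoted YAML integer while `earliest_offset: 7d` is a string, and every other offset in this file (the `$info_min_time$`/`$info_max_time$` pair above) is a string as well; if contentctl types these fields as `str`, pydantic will not coerce the int and the detection fails validation. Quote it as `latest_offset: '0'` so both offsets are strings, or quote `7d` too if the schema wants a numeric seconds value — I cannot tell which from this hunk. The `rba` block continues past the end of the hunk.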
diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
index 60189e4644..393564fdcf 100644
--- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
@@ -1,7 +1,7 @@
name: Windows Large Number of Computer Service Tickets Requested
id: 386ad394-c9a7-4b4f-b66f-586252de20f0
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: Anomaly
status: production
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$IpAddress$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$IpAddress$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A large number of kerberos computer service tickets were requested by $IpAddress$ within 5 minutes.
risk_objects:
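Review bot: `$IpAddress$` is interpolated into `normalized_risk_object IN ("$IpAddress$")` as-is; that is reasonable for a well-formed IP, but the field comes straight from the Kerberos event and is not validated here, so a value with a trailing quote or an IPv6 literal with unusual formatting would either break the IN clause or match nothing. Since the commit rewrites this line, consider noting that the token relies on ES escaping, e.g. `# assumes IpAddress is a plain IPv4/IPv6 literal; ES substitutes the token unescaped`, or use a quoting filter if ES supports one for drilldown tokens. The risk message below this hunk describes a 5-minute window, so a 7-day `earliest_offset` is a deliberate widening worth stating in the drilldown name if the offsets are relative to the event.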
diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
index 3be0c68b67..47d3ad1e3a 100644
--- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml
+++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
@@ -1,7 +1,7 @@
name: Windows Ldifde Directory Object Behavior
id: 35cd29ca-f08c-4489-8815-f715c45460d3
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.
risk_objects:
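Review bot: The new search drops `starthoursago=168` but keeps the unescaped `IN ("$user$", "$dest$")` terms; for a ldifde detection `$user$` is the account that ran the export on a domain controller and is attacker-chosen in the sense that any logged-on account name, including ones with quotes, can appear there. Verify that ES escapes drilldown tokens before substitution; if not, a quoting filter on `$user$` and `$dest$` would keep a hostile value from terminating the string early. The point is pre-existing, but the commit re-issues the line and is the natural place to fix it across all of these files at once.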
diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
index 083fd93aee..52a212eefc 100644
--- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
+++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Linked Policies In ADSI Discovery
id: 510ea428-4731-4d2f-8829-a28293e427aa
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows PowerShell [Adsisearcher] was used user enumeration on $user_id$
risk_objects:
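Review bot: The drilldown pivots only on `$dest$`, while the risk message on the line below attributes the enumeration to `$user_id$`; sibling detections in this same commit pivot on both the host and the user, so if `user_id` is also a risk object here (the list starts after this hunk) the drilldown leaves that entity's 7-day risk history out. Consider `normalized_risk_object IN ("$dest$", "$user_id$")` and a matching name, assuming `user_id` is populated on the notable. Independently, `latest_offset: 0` is an unquoted integer next to the string `7d`; `'0'` keeps the two offsets the same type.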
diff --git a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
index b2286f4824..783f0316f0 100644
--- a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
+++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
@@ -1,7 +1,7 @@
name: Windows List ENV Variables Via SET Command From Uncommon Parent
id: aec157f4-8783-4584-aca6-754c4dc7fba9
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: non-shell parent process has a child process $process_name$ with a commandline $process$ to fetch env variables on $dest$
risk_objects:
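Review bot: With `starthoursago=168` removed, the only time bound on the risk lookup is `earliest_offset: 7d` / `latest_offset: 0`, which I read as offsets around the notable's event time rather than the literal "last 7 days" the drilldown name still advertises; if so, any risk attached to `$dest$` after the SET-command notable is outside the window. Confirm the offset semantics in ES and either rename the drilldown (e.g. "View risk events for the 7 days before this event") or set a non-zero `latest_offset`. `latest_offset: 0` is also an unquoted integer beside the string `7d`; `'0'` avoids a type mismatch if the schema expects a string.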
diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
index f292b5bb6f..a08d7f62bd 100644
--- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml
+++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
@@ -1,7 +1,7 @@
name: Windows Local Administrator Credential Stuffing
id: 09555511-aca6-484a-b6ab-72cd03d73c34
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host_targets$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Local Administrator credential stuffing attack coming from $IpAddress$
risk_objects:
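Review bot: `$host_targets$` looks like a multivalue field — the name implies a list of targeted hosts and the risk message below names a single `$IpAddress$` instead — and substituting a multivalue token into one quoted `IN ("$host_targets$")` term typically yields a single joined string rather than one quoted value per host, so the drilldown may match nothing. Consider pivoting on `$IpAddress$` as the risk message does, or confirm how ES expands multivalue tokens in drilldown searches before relying on this. The `risk_objects` list that determines the actual risk object starts after this hunk, so I cannot confirm which field is used.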
diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
index 18e077f2c4..5618a98923 100644
--- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
+++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
@@ -1,7 +1,7 @@
name: Windows LOLBAS Executed As Renamed File
id: fd496996-7d9e-4894-8d40-bb85b6192dc6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The file originally named $original_file_name$ was executed as $process_name$ on $dest$
risk_objects:
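Review bot: The re-emitted search still embeds `$dest$` and `$user$` unescaped inside `IN ("…")`; for a renamed-LOLBAS detection the user and host fields derive from endpoint telemetry that an attacker on the box can influence, so a value containing `"` would break the drilldown or let a crafted value reshape it. Check whether ES escapes drilldown tokens; if it does not, apply a quoting filter to the tokens rather than interpolating them raw. This predates the commit, but the line is being rewritten here anyway.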
diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
index cf1c966414..fd2c8c6cf4 100644
--- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
+++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
@@ -1,7 +1,7 @@
name: Windows LOLBAS Executed Outside Expected Path
id: 326fdf44-b90c-4d2e-adca-1fd140b10536
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $user$ executed a LOLBAS [$process_name$] from an unexpected location [$process_path$] with CommandLine [$process$] on $dest$
risk_objects:
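Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is a string, so this hunk introduces a type split between the two offsets that the replaced `$info_min_time$`/`$info_max_time$` pair did not have; if the schema types both as strings the unquoted 0 may be rejected. Use `latest_offset: '0'` (or quote both if a numeric seconds form is what ES expects — not determinable from this hunk). The drilldown name "last 7 days" should also be checked against the offset semantics, since a 7d-before / 0-after window around the event is not the same as the last 7 days from now.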
diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
index 81ee469811..b559714dd2 100644
--- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
+++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
@@ -1,7 +1,7 @@
name: Windows LSA Secrets NoLMhash Registry
id: 48cc1605-538c-4223-8382-e36bee5b540d
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows LSA Secrets NoLMhash Registry on $dest$ by $user$.
risk_objects:
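Review bot: Dropping `starthoursago=168` means the drilldown no longer enforces its own 7-day bound in SPL and depends entirely on `earliest_offset: 7d` / `latest_offset: 0`; if ES resolves these relative to the notable time, the window ends at the NoLMhash registry event and risk generated on `$dest$` or `$user$` afterwards is hidden. Confirm the offset semantics and accepted format (`7d` is a different shape from the `$info_min_time$` token it replaces), and consider a non-zero `latest_offset` so follow-on risk stays in view. The `risk_objects` list continues after this hunk.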
diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
index 4c22553a24..3978af9c26 100644
--- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
@@ -1,7 +1,7 @@
name: Windows Mail Protocol In Non-Common Process Path
id: ac3311f5-661d-4e99-bd1f-3ec665b05441
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ is having a SMTP connection to $dest$ in $dest_ip$
risk_objects:
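Review bot: The new `latest_offset: 0` is an unquoted YAML integer; every other offset value in this file is a string, so if the drilldown schema declares the field as `str` this will fail validation rather than be coerced. Quoting it as `latest_offset: '0'` keeps the pair consistent with `earliest_offset: 7d`. Separately, the drilldown still pivots only on `$dest$` even though the risk message below references `$process_name$` and `$dest_ip$`; that is fine if `dest` is the sole risk object, which I cannot confirm from this hunk.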
diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml
index 66dafa7e6e..5ffae9fbc3 100644
--- a/detections/endpoint/windows_mark_of_the_web_bypass.yml
+++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml
@@ -1,7 +1,7 @@
name: Windows Mark Of The Web Bypass
id: 8ca13343-7405-4916-a2d1-ae34ce0c28ae
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A mark-of-the-web data stream is deleted on $dest$
risk_objects:
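Review bot: The rewritten line still places `$user$` and `$dest$` unescaped inside `normalized_risk_object IN ("…")`; a MOTW-bypass notable's user field comes from endpoint file-event telemetry, so a value with an embedded double quote would terminate the string early and either break the drilldown or change what it matches. Confirm that ES escapes drilldown tokens; if it does not, use a quoting filter on the tokens. This was already present before the commit, but the hunk re-issues the line verbatim.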
diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
index 36303158bb..5a0aad3ced 100644
--- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
+++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
@@ -1,7 +1,7 @@
name: Windows Masquerading Explorer As Child Process
id: 61490da9-52a1-4855-a0c5-28233c88c481
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: explorer.exe has a suspicious parent process $parent_process_name$ on $dest$
risk_objects:
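Review bot: Replacing the in-SPL `starthoursago=168` with `earliest_offset: 7d` / `latest_offset: 0` changes the window from "168 hours before now" to what I take to be "7 days before the notable up to the notable itself"; if that reading is right the drilldown name "last 7 days" is now misleading and post-notable risk on `$dest$` is excluded. Verify the offset semantics and format accepted by ES (`7d` is a different shape from the `$info_min_time$` token it replaces), and either rename the drilldown or widen `latest_offset`. `latest_offset: 0` is also an unquoted integer next to the string `7d`; `'0'` avoids a type mismatch.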
diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml
index 3351189b63..461f5b9b35 100644
--- a/detections/endpoint/windows_masquerading_msdtc_process.yml
+++ b/detections/endpoint/windows_masquerading_msdtc_process.yml
@@ -1,7 +1,7 @@
name: Windows Masquerading Msdtc Process
id: 238f3a07-8440-480b-b26f-462f41d9a47c
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: msdtc.exe process with process commandline used by PlugX malware on $dest$.
risk_objects:
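Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` and the `$info_min_time$`/`$info_max_time$` values above are strings; if contentctl types these as `str`, pydantic v2 will not coerce the int and the detection fails to build. Write `latest_offset: '0'` so both offsets are strings, or quote `7d` as well if a numeric seconds value is what ES expects — the schema is not visible in this hunk. The `rba` block continues after the hunk.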
diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml
index a94e527317..4f7397cfd5 100644
--- a/detections/endpoint/windows_mimikatz_binary_execution.yml
+++ b/detections/endpoint/windows_mimikatz_binary_execution.yml
@@ -1,7 +1,7 @@
name: Windows Mimikatz Binary Execution
id: a9e0d6d3-9676-4e26-994d-4e0406bb4467
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting dump credentials.
risk_objects:
diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
index 462dc86cf9..1c01b2a297 100644
--- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
+++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
@@ -1,7 +1,7 @@
name: Windows Mimikatz Crypto Export File Extensions
id: 3a9a6806-16a8-4cda-8d73-b49d10a05b16
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Certificate file extensions realted to Mimikatz were identified on disk on $dest$.
risk_objects:
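Review bot: The risk message on the context line directly below this hunk reads `realted`; since this file's version and date are already bumped in this commit, correcting it to `related` here avoids another version bump for a one-word fix. The drilldown change itself follows the same pattern as the sibling files.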
diff --git a/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml b/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml
index 2345f10162..eeebd6cfca 100644
--- a/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml
+++ b/detections/endpoint/windows_mmc_loaded_script_engine_dll.yml
@@ -1,7 +1,7 @@
name: Windows MMC Loaded Script Engine DLL
id: 785bbfb5-d404-42d1-ab9d-45c37a2c75cd
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process [ $process_name$ ] loaded [ $ImageLoaded$ ] on [ $dest$ ].
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index 41df031aca..4636d20c04 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry AuthenticationLevelOverride
id: 6410a403-36bb-490f-a06a-11c3be7d2a41
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for authentication level settings was modified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index 21d2a206cd..ae3259b473 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Auto Update Notif
id: 4d1409df-40c7-4b11-aec4-bd0e709dfc12
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows auto update notification on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
index 0f60bbd24a..84cc9be45b 100644
--- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
+++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Configure BitLocker
id: bd1c770f-1b55-411e-b49e-20d07bcac5f8
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows bitlocker registry settings on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 06a2474542..de1b0f0bbc 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Default Icon Setting
id: a7a7afdb-3c58-45b6-9bff-63e5acfd9d40
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious registry modification to change the default icon association of windows to ransomware was detected on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
index f18e8ac320..c35ca43328 100644
--- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
+++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Delete Firewall Rules
id: 41c61539-98ca-4750-b3ec-7c29a2f06343
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 12
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: firewall deletion found in registry on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml
index e97012ecc8..e3f77429d2 100644
--- a/detections/endpoint/windows_modify_registry_disable_rdp.yml
+++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable RDP
id: 11ed764f-eb9c-4be7-bdad-2209b9d33ee1
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows RDP registry settings on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index 2ddc566496..2db6ea1dd7 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Restricted Admin
id: cee573a0-7587-48e6-ae99-10e8c657e89a
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Modify Registry Disable Restricted Admin on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index d5e30870d6..ffd6153b7b 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Toast Notifications
id: ed4eeacb-8d5a-488e-bc97-1ce6ded63b84
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for DisallowRun settings was modified to enable on $dest$
risk_objects:
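Review bot: The rba message on the context line directly below this hunk, `message: the registry for DisallowRun settings was modified to enable on $dest$`, does not describe this detection (Windows Modify Registry Disable Toast Notifications), so the risk event an analyst sees summarises a different registry change than the one that fired. Since the version and date are already bumped in this commit, updating it to name the toast-notification setting, for example `message: the registry for toast notification settings was modified to disable on $dest$`, is a cheap fix; the wording should be confirmed against the search body, which is outside this hunk. The drilldown change itself matches the pattern used in the sibling files.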
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index db5185d31d..31aa752043 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Win Defender Raw Write Notif
id: 0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The registry for raw write notification settings was modified to disable on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index 5a4300b8c0..556ab0d902 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable WinDefender Notifications
id: 8e207707-ad40-4eb3-b865-3a52aec91f26
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification to disable Windows Defender notification on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index bac3b7bb78..0f25237782 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disable Windows Security Center Notif
id: 27ed3e79-6d86-44dd-b9ab-524451c97a7b
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for security center notification settings was modified to disable mode on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
index 7315a72260..4bbe401908 100644
--- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
+++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry DisableRemoteDesktopAntiAlias
id: 4927c6f1-4667-42e6-bd7a-f5222116386b
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for remote desktop settings was modified to be DisableRemoteDesktopAntiAlias on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
index 20fa6130f8..177f005a5c 100644
--- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
+++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry DisableSecuritySettings
id: 989019b4-b7aa-418a-9a17-2293e91288b6
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for terminal services settings was modified to disable security settings on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
index ea3833d829..e7e8a29873 100644
--- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
+++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Disabling WER Settings
id: 21cbcaf1-b51f-496d-a0c1-858ff3070452
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for WER settings was modified to be disabled on $dest$.
risk_objects:
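Review bot: `latest_offset: 0` is an integer scalar while `earliest_offset: 7d` is a string; prefer `latest_offset: '0'` so both offsets keep the same type when rendered into the drilldown configuration, unless the schema explicitly wants a number. With `starthoursago=168` removed, the 7-day bound now lives entirely in the offset fields and is relative to whatever ES anchors offsets on (presumably the notable's event time), so the drilldown name should be read as "7 days before the event" — confirm that matches the intent. `$dest$` is still interpolated unescaped into `IN ("$dest$")`; a quote character in the host name would corrupt the SPL, and `$dest|s$` would avoid that if the token filter applies here. The `drilldown_searches` list starts above the hunk.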
diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
index 032ba5fe2d..06a4e59225 100644
--- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
+++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry DisAllow Windows App
id: 4bc788d3-c83a-48c5-a4e2-e0c6dba57889
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The registry for DisallowRun settings was modified to enable on $dest$.
risk_objects:
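Review bot: The new `latest_offset: 0` parses as an integer whereas `earliest_offset: 7d` parses as a string; quoting it (`latest_offset: '0'`) keeps the field type consistent across the generated drilldown entries unless the build schema requires a number. Since the 7-day filter moved out of the SPL into the offsets, the window is now anchored on whatever reference time ES applies offsets to — presumably the notable's `_time`, not "now" — so an analyst triaging days later will not see risk events raised after the notable; if that is acceptable it is worth noting in the drilldown name. `$dest$` is still placed unescaped inside `IN ("$dest$")`, so a host name containing `"` would break the search; `$dest|s$` is safer where the token filter is supported. The enclosing `drilldown_searches` list begins above this hunk.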
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index 617fd3d15b..2237ca962c 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Do Not Connect To Win Update
id: e09c598e-8dd0-4e73-b740-4b96b689199e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a registry modification in Windows auto update configuration on $dest$
risk_objects:
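Review bot: `latest_offset: 0` is typed as an integer by YAML while `earliest_offset: 7d` is a string; write `latest_offset: '0'` so both offsets serialize the same way, unless the drilldown schema explicitly takes a number. The 7-day window now depends on how ES anchors `earliest_offset`/`latest_offset` (presumably the notable's event time) rather than on the `starthoursago=168` clause the hunk removes, so confirm the name "last 7 days" still describes the result. The unescaped `$dest$` inside `IN ("$dest$")` remains an SPL-injection point for host names containing a double quote; `$dest|s$` would be the safer form if the filter is honoured. The `drilldown_searches` list starts above the hunk.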
diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml
index ed602b4271..102f03bef3 100644
--- a/detections/endpoint/windows_modify_registry_dontshowui.yml
+++ b/detections/endpoint/windows_modify_registry_dontshowui.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry DontShowUI
id: 4ff9767b-fdf2-489c-83a5-c6c34412d72e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for WER settings was modified to be disable show UI on $dest$.
risk_objects:
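Review bot: `latest_offset: 0` on the last added line parses as a YAML integer while `earliest_offset: 7d` is a string, so the two values reach the generated config with different types; `latest_offset: '0'` keeps them consistent unless the schema explicitly wants a number. Moving the 7-day bound from `starthoursago=168` into the offset fields anchors it to whatever reference time ES uses for offsets — presumably the notable's event time — which is fine but changes what "last 7 days" means for a notable reviewed later; worth confirming. `$dest$` is still interpolated unescaped into `IN ("$dest$")`, so a quote in the host name would break the SPL; `$dest|s$` avoids that where the token filter applies. The enclosing `drilldown_searches` list begins above this hunk.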
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index 9f8d1f92b5..0db8b5a166 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry EnableLinkedConnections
id: 93048164-3358-4af0-8680-aa5f38440516
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows EnableLinkedConnections configuration on $dest$
risk_objects:
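Review bot: The added `latest_offset: 0` is an integer scalar whereas `earliest_offset: 7d` is a string; quote it as `latest_offset: '0'` so the generated drilldown entry carries one type for both offsets, unless the build schema explicitly expects a number. With `starthoursago=168` gone, the 7-day window is now defined solely by how ES interprets the offsets (presumably relative to the notable's `_time`); confirm the drilldown name still matches that behaviour. `$dest$` remains unescaped inside `IN ("$dest$")`, so a host name containing `"` would corrupt the search — `$dest|s$` is safer if the token filter is supported here. The `drilldown_searches` list starts above the hunk.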
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index ab48c79dd4..d9c895d511 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry LongPathsEnabled
id: 36f9626c-4272-4808-aadd-267acce681c0
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows LongPathEnable configuration on $dest$
risk_objects:
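Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is parsed as a string; prefer `latest_offset: '0'` to keep both offsets typed consistently unless the schema requires a number. The 7-day window is now anchored on whatever reference ES applies offsets to (presumably the notable's event time) instead of being enforced in the SPL by `starthoursago=168`, so the drilldown name should be verified against that. `$dest$` is still substituted unescaped into `IN ("$dest$")`, which a host name containing a double quote would break; `$dest|s$` is the safer form where the token filter is honoured. The enclosing `drilldown_searches` list begins above this hunk.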
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index 26d9ff6fdd..bc7f1615d6 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry MaxConnectionPerServer
id: 064cd09f-1ff4-4823-97e0-45c2f5b087ec
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in max connection per server configuration on $dest$
risk_objects:
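Review bot: On the last added line `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string; quoting it (`latest_offset: '0'`) keeps the two fields the same type in the generated drilldown config, unless the schema explicitly wants a number. Dropping `starthoursago=168` means the 7-day bound now relies entirely on how ES anchors the offsets — presumably the notable's `_time` rather than the time of viewing — so "last 7 days" in the name is accurate only under that reading. `$dest$` is interpolated unescaped into `IN ("$dest$")`; a quote character in the host name would alter the SPL, and `$dest|s$` would avoid that if supported. The `drilldown_searches` list starts above the hunk.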
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index e75785452e..06061782c4 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry No Auto Reboot With Logon User
id: 6a12fa9f-580d-4627-8c7f-313e359bdc6a
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows auto update configuration on $dest$
risk_objects:
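Review bot: `latest_offset: 0` parses as an integer whereas `earliest_offset: 7d` parses as a string; write `latest_offset: '0'` so the offsets serialize consistently unless the build schema takes a number. The 7-day window moved from the SPL (`starthoursago=168`) to the offset fields and is now relative to whatever reference time ES applies offsets against — presumably the notable's event time — so confirm that still matches the "last 7 days" wording. `$dest$` remains unescaped inside `IN ("$dest$")`, so a host name containing `"` would break the search; `$dest|s$` is safer where the token filter is honoured. The enclosing `drilldown_searches` list begins above this hunk.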
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index fc243b12a3..68b324ca01 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry No Auto Update
id: fbd4f333-17bb-4eab-89cb-860fa2e0600e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows auto update configuration on $dest$
risk_objects:
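Review bot: The new `latest_offset: 0` is an integer scalar while `earliest_offset: 7d` is a string; quote it as `latest_offset: '0'` to keep one type for both offsets unless the schema explicitly expects a number. Removing `starthoursago=168` makes the 7-day bound depend solely on how ES anchors the offsets (presumably the notable's `_time`), so the name "last 7 days" should be checked against that behaviour. `$dest$` is still placed unescaped into `IN ("$dest$")`, which a double quote in the host name would corrupt; `$dest|s$` would avoid that if the token filter applies. The `drilldown_searches` list starts above the hunk.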
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index 2538067598..caba25bca1 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry NoChangingWallPaper
id: a2276412-e254-4e9a-9082-4d92edb6a3e0
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry settings was modified to disable changing of wallpaper on $dest$.
risk_objects:
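Review bot: `latest_offset: 0` on the last added line is typed as an integer by YAML while `earliest_offset: 7d` is a string; `latest_offset: '0'` keeps both offsets string-typed in the generated drilldown config, unless the schema wants a number. With the `starthoursago=168` clause removed, the 7-day window is now defined by whatever reference ES applies the offsets to — presumably the notable's event time — and the drilldown name is accurate only under that assumption; worth confirming. `$dest$` is interpolated unescaped into `IN ("$dest$")`, so a host name containing `"` would break the SPL; `$dest|s$` is the safer form if supported here. The enclosing `drilldown_searches` list begins above this hunk.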
diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
index a47618d218..7279e1d2ed 100644
--- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
+++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry on Smart Card Group Policy
id: 1522145a-8e86-4f83-89a8-baf62a8f489d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows Smart Card Group Policy registry settings on $dest$
risk_objects:
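Review bot: `latest_offset: 0` is parsed as an integer whereas `earliest_offset: 7d` is parsed as a string; prefer `latest_offset: '0'` so both fields carry the same type unless the build schema explicitly requires a number. The 7-day bound now rests on how ES anchors the offsets (presumably the notable's `_time`) rather than on the removed `starthoursago=168`, so confirm that "last 7 days" in the name still describes the result. `$dest$` remains unescaped inside `IN ("$dest$")`; a quote in the host name would alter the search, and `$dest|s$` would avoid that where the token filter is honoured. The `drilldown_searches` list starts above the hunk.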
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index 12f10aa3f3..8e3852c4d7 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry ProxyEnable
id: b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry settings was modified to enable proxy on $dest$.
risk_objects:
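Review bot: The added `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string; quote it (`latest_offset: '0'`) to keep the offsets consistently typed unless the schema explicitly takes a number. Moving the 7-day window out of the SPL (`starthoursago=168`) into the offset fields anchors it to whatever reference ES uses — presumably the notable's event time — so the drilldown name should be verified against that. `$dest$` is still substituted unescaped into `IN ("$dest$")`, so a host name containing `"` would break the SPL; `$dest|s$` is safer if the token filter applies. The enclosing `drilldown_searches` list begins above this hunk.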
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index 67133956fa..c8f0c6aa61 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry ProxyServer
id: 12bdaa0b-3c59-4489-aae1-bff6d67746ef
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry settings was modified to setup proxy server on $dest$.
risk_objects:
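Review bot: `latest_offset: 0` parses as an integer while `earliest_offset: 7d` is a string; write `latest_offset: '0'` so both offsets serialize with one type unless the build schema wants a number. With `starthoursago=168` removed, the 7-day bound depends entirely on how ES anchors the offsets (presumably the notable's `_time`), so confirm the name "last 7 days" still matches. `$dest$` remains unescaped inside `IN ("$dest$")`; a double quote in the host name would corrupt the search, and `$dest|s$` would avoid that where supported. The `drilldown_searches` list starts above the hunk.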
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
index f6b6c44fa4..bb4d0954a1 100644
--- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
+++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Qakbot Binary Data Registry
id: 2e768497-04e0-4188-b800-70dd2be0e30d
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry with binary data created by $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
index 4780e504a0..803cc7d0a5 100644
--- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
+++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Regedit Silent Reg Import
id: 824dd598-71be-4203-bc3b-024f4cda340e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The regedit app was executed with silet mode parameter to import .reg file on $dest$.
risk_objects:
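Review bot: The new `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is parsed as a string; prefer `latest_offset: '0'` so both offsets are typed consistently unless the build schema requires a number. Dropping `starthoursago=168` means the 7-day bound now relies on how ES anchors the offsets (presumably the notable's `_time`), so verify that "last 7 days" in the name still describes the window. `$dest$` is still placed unescaped into `IN ("$dest$")`, which a quote in the host name would corrupt; `$dest|s$` avoids that where the token filter applies. The `drilldown_searches` list starts above the hunk.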
diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml
index 03f8338e76..b0ba04ec64 100644
--- a/detections/endpoint/windows_modify_registry_risk_behavior.yml
+++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Risk Behavior
id: 5eb479b1-a5ea-4e01-8365-780078613776
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Correlation
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Windows Registry Abuse
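Review bot: `latest_offset: 0` on the last added line is a YAML integer while `earliest_offset: 7d` is a string; quote it as `latest_offset: '0'` so the generated drilldown entry carries one type for both offsets unless the schema explicitly takes a number. For this Correlation-type search the 7-day window now depends on whatever reference ES anchors offsets to — presumably the notable's event time — rather than on the removed `starthoursago=168`, so confirm the "last 7 days" wording still holds. `$risk_object$` is substituted unescaped into `IN ("$risk_object$")`, and risk objects can be user names or host names that may contain a double quote, which would break the SPL; `$risk_object|s$` would be safer if the token filter is honoured here. The enclosing `drilldown_searches` list begins above this hunk.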
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index d90f082cba..693b33056d 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Suppress Win Defender Notif
id: e3b42daf-fff4-429d-bec8-2a199468cea9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for suppresing windows fdefender notification settings was modified to disabled on $dest$
risk_objects:
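Review bot: With `starthoursago=168` removed, the new `search:` line has no time bound of its own and relies entirely on `earliest_offset: 7d` / `latest_offset: 0` being parsed correctly; if the ES drilldown offsets expect integer seconds rather than a relative-time suffix, this drilldown would silently run with the wrong window, so `earliest_offset: 604800` may be the safer spelling — confirm against the validator. The `$dest$` token is still interpolated unescaped in `IN ("$dest$")`; a hostname with a double quote or `)` breaks the IN clause, and `IN ($dest|s$)` would escape it if the renderer supports the filter. A short comment above the drilldown stating that the 7-day window now ends at the notable's `_time` would help analysts who triage days later and expect newer risk events to appear.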
diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml
index 1129ab6366..9eb5240347 100644
--- a/detections/endpoint/windows_modify_registry_tamper_protection.yml
+++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Tamper Protection
id: 12094335-88fc-4c3a-b55f-e62dd8c93c23
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification to tamper Windows Defender protection on $dest$
risk_objects:
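Review bot: The semantics of the drilldown changed more than the name suggests: the old search bounded results to 168 hours before the analyst's click, while `earliest_offset: 7d` with `latest_offset: 0` bounds them to the 7 days ending at the notable's `_time`, so risk events that accrued after this tamper-protection alert fired are no longer shown. If that is intended, say so in the name, e.g. `View risk events for the 7 days preceding this event`; if not, a positive `latest_offset` is needed. `IN ("$dest$")` also still embeds the token unescaped, so `IN ($dest|s$)` is worth using if the ES drilldown renderer honors the `|s` filter. Confirm that `7d` is accepted by the offset fields rather than only integer seconds.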
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
index 58881a832f..5056987590 100644
--- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
+++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry to Add or Modify Firewall Rule
id: 43254751-e2ce-409a-b6b4-4f851e8dcc26
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: firewall deletion found in registry on $dest$
risk_objects:
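Review bot: The `$user$` token on the new `search:` line is spliced unescaped into `IN ("$user$", "$dest$")`; this file's data_source is Sysmon EventID 13, so the user value comes straight from endpoint telemetry, and an account name containing `"`, `,` or `)` would break or reshape the drilldown query. If the ES drilldown renderer honors the `|s` token filter, `IN ($user|s$, $dest|s$)` would quote and escape both values; otherwise a comment on the line recording the assumption is warranted. Separately, `latest_offset: 0` closes the window at the notable's `_time`, so later risk events for the same object are excluded — worth stating in the drilldown name. If the offset fields accept only integer seconds, `earliest_offset: 7d` should be `604800`.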
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index 8ac332d357..0a991b9061 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry UpdateServiceUrlAlternate
id: ca4e94fb-7969-4d63-8630-3625809a1f70
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification in Windows auto update configuration on $dest$
risk_objects:
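Review bot: Dropping `starthoursago=168` leaves the new `search:` line with no intrinsic time filter, so correctness now depends wholly on `earliest_offset: 7d` being understood by the drilldown offset fields; if they take integer seconds, `604800` is the safe value — confirm with the contentctl validator before relying on it. The `$dest$` token remains unescaped inside `IN ("$dest$")`; `IN ($dest|s$)` would escape a hostname containing a quote if the renderer supports the filter. Consider renaming to `View risk events for the 7 days preceding this event`, since `latest_offset: 0` means nothing after the notable's `_time` is returned.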
diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml
index a65b6bdd59..5897906a62 100644
--- a/detections/endpoint/windows_modify_registry_utilize_progids.yml
+++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry Utilize ProgIDs
id: 64fa82dd-fd11-472a-9e94-c221fffa591d
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A possible ValleyRAT Registry modification in [$dest$].
risk_objects:
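Review bot: `IN ("$user$", "$dest$")` on the new `search:` line embeds both tokens without escaping; with Sysmon EventID 13 as the data source, `$user$` is an attacker-influenced field (the account performing the registry write), and a value containing `"` or `)` breaks or alters the SPL. Use `IN ($user|s$, $dest|s$)` if the ES drilldown renderer honors the `|s` filter, or document the assumption with a comment. The window is now the 7 days ending at the notable's `_time` (`latest_offset: 0`), not 7 days before the click, so the name would be clearer as `View risk events for the 7 days preceding this event`. Confirm that `7d` is a valid offset value rather than integer seconds only.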
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
index dc96c8a44d..5eb5cce9c2 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry ValleyRAT C2 Config
id: ac59298a-8d81-4c02-8c9b-ffdac993891f
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification related to ValleyRAT on [$dest$]
risk_objects:
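Review bot: The new drilldown excludes any risk events logged after the ValleyRAT C2 config write, because `latest_offset: 0` ends the window at the notable's `_time`; for a malware-config detection the follow-on risk (C2 beaconing, persistence) is usually what an analyst wants, so consider a positive `latest_offset` or make the name explicit: `View risk events for the 7 days preceding this event`. The `$user$` and `$dest$` tokens are still interpolated unescaped in `IN ("$user$", "$dest$")`; these come from Sysmon EventID 13 and should be escaped with `IN ($user|s$, $dest|s$)` if the renderer supports the `|s` filter. Verify that `earliest_offset: 7d` is accepted and not silently treated as 7 seconds or rejected.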
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
index bd15567624..4d61ea25bc 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry ValleyRat PWN Reg Entry
id: 6947c44e-be1f-4dd9-b198-bc42be5be196
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 13
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A possible ValleyRAT Registry modification in [$dest$].
risk_objects:
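Review bot: `earliest_offset: 7d` / `latest_offset: 0` now carry the entire time bound for the new `search:` line since `starthoursago=168` is gone; if the ES drilldown offset fields only parse integer seconds, `earliest_offset: 604800` is the portable form — confirm against the contentctl validator. `IN ("$user$", "$dest$")` still embeds Sysmon EventID 13 field values unescaped, so a username containing `"` or `)` breaks the clause; `IN ($user|s$, $dest|s$)` would escape them where the renderer honors the `|s` filter. A comment noting that the window ends at the notable's `_time` would save analysts from wondering why later risk events are missing.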
diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
index b639764896..e1112823c0 100644
--- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
+++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
@@ -1,7 +1,7 @@
name: Windows Modify Registry With MD5 Reg Key Name
id: 4662c6b1-0754-455e-b9ff-3ee730af3ba8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A md5 registry value name $registry_value_name$ is created on $dest$
risk_objects:
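Review bot: The drilldown name still reads "last 7 days", but the new offsets make the window the 7 days ending at the notable's `_time` (`latest_offset: 0`) rather than the 7 days before the analyst opens it; risk events recorded after the MD5-named key was created will not appear. Either rename it `View risk events for the 7 days preceding this event` or use a positive `latest_offset`. The `$dest$` token is interpolated unescaped in `IN ("$dest$")`; `IN ($dest|s$)` would escape it if the ES drilldown renderer supports the `|s` filter. Confirm `7d` is a valid value for the offset fields rather than integer seconds only.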
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
index f8cda1b4ee..c8e1adb75b 100644
--- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
+++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
@@ -1,7 +1,7 @@
name: Windows Modify Show Compress Color And Info Tip Registry
id: b7548c2e-9a10-11ec-99e3-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Registry modification in "ShowCompColor" and "ShowInfoTips" on $dest$
risk_objects:
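Review bot: Removing `starthoursago=168` from the `search:` line means the query has no time term of its own and depends on `earliest_offset: 7d` being parsed as seven days; if the drilldown offset fields expect integer seconds, `604800` is the safer spelling — worth confirming with the validator. `IN ("$dest$")` still splices the hostname in unescaped, so `IN ($dest|s$)` should be used if the renderer honors the `|s` token filter. A one-line comment that the window ends at the notable's `_time` (`latest_offset: 0`) would make the changed semantics explicit.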
diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
index d0d237ba7c..08b46fbf9f 100644
--- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
+++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
@@ -1,7 +1,7 @@
name: Windows Modify System Firewall with Notable Process Path
id: cd6d7410-9146-4471-a418-49edba6dadc4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Will Metcalf, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: firewall allowed program commandline $process$ of $process_name$ on $dest$
risk_objects:
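Review bot: With `latest_offset: 0` the drilldown now stops at the notable's `_time`, so risk events that follow the firewall change (the activity the opened port enables) fall outside the window; if follow-on context is wanted, a positive `latest_offset` is needed, otherwise rename it `View risk events for the 7 days preceding this event`. The `$dest$` token remains unescaped in `IN ("$dest$")`; `IN ($dest|s$)` would quote and escape it where the ES drilldown renderer supports the `|s` filter. Confirm that `earliest_offset: 7d` is accepted by the offset fields rather than integer seconds only.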
diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
index 002965acf2..0660413060 100644
--- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
+++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
@@ -1,7 +1,7 @@
name: Windows MOF Event Triggered Execution via WMI
id: e59b5a73-32bf-4467-a585-452c36ae10c1
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ loading a MOF file.
risk_objects:
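Review bot: `IN ("$user$", "$dest$")` on the new `search:` line embeds the user token unescaped; the user field here comes from process telemetry and a value containing `"`, `,` or `)` breaks or reshapes the SPL, so `IN ($user|s$, $dest|s$)` is preferable if the ES drilldown renderer honors the `|s` filter (hedged: support for the filter in ES drilldowns is not shown here). The window also changed from 168 hours before the click to the 7 days ending at the notable's `_time` (`latest_offset: 0`), which excludes the post-trigger activity a WMI subscription is meant to launch; make that explicit in the name or use a positive `latest_offset`. Verify `7d` is a valid offset value.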
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
index aeab45e33e..1e625cb535 100644
--- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
+++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
@@ -1,7 +1,7 @@
name: Windows MOVEit Transfer Writing ASPX
id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The MOVEit application on $dest$ has written a new ASPX file $file_name$ to disk.
risk_objects:
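Review bot: The new offsets end the drilldown window at the notable's `_time` (`latest_offset: 0`), so risk events generated after the ASPX web shell was written — typically the interesting part of a MOVEit compromise — are excluded; consider a positive `latest_offset` or rename it `View risk events for the 7 days preceding this event`. `IN ("$dest$")` still interpolates the token unescaped; `IN ($dest|s$)` would escape it if the renderer supports the `|s` filter. With `starthoursago=168` removed, confirm that `earliest_offset: 7d` is parsed as seven days and not treated as integer seconds.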
diff --git a/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml
index 8515fd49d1..50ded2246d 100644
--- a/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml
+++ b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml
@@ -1,7 +1,7 @@
name: Windows MpCmdRun RemoveDefinitions Execution
id: b2442e49-bd3f-4685-a2dc-2bdc292563bf
-version: 1
-date: '2026-03-03'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of [$process_name$] attempting to remove definitions from the Windows Malware Protection Engine via the Command [$process$] on [$dest$] by user [$user$].
risk_objects:
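Review bot: The `$user$` token is still spliced unescaped into `IN ("$user$", "$dest$")` on the new `search:` line; a username containing `"`, `,` or `)` will break or alter the drilldown query, and `IN ($user|s$, $dest|s$)` would escape both values if the ES drilldown renderer honors the `|s` filter. The window is now anchored to the notable rather than to click time: `latest_offset: 0` excludes risk events recorded after the definitions were removed, which for a defense-evasion step is exactly the follow-on activity worth seeing. If the offset fields accept only integer seconds, `earliest_offset: 7d` should be `604800` — confirm with the validator.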
diff --git a/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml b/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml
index 69f27f71ed..731bda7bae 100644
--- a/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml
+++ b/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml
@@ -1,7 +1,7 @@
name: Windows MSC EvilTwin Directory Path Manipulation
id: 7f6b8a95-3fb7-429a-8c53-e5d4f8d92a10
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ executed an MSC file with suspicious directory path manipulation on $dest$
risk_objects:
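Review bot: Removing `starthoursago=168` leaves the new `search:` line without any intrinsic time bound, so the drilldown depends on `earliest_offset: 7d` being understood; if the offset fields take integer seconds, `604800` is the safe value — confirm against the contentctl validator. `IN ("$dest$")` still embeds the hostname unescaped; `IN ($dest|s$)` would escape it where the renderer supports the `|s` filter. Since `latest_offset: 0` ends the window at the notable's `_time`, a name such as `View risk events for the 7 days preceding this event` would describe the new behavior accurately.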
diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
index d68dce90bc..f759575ef8 100644
--- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
+++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
@@ -1,7 +1,7 @@
name: Windows MSExchange Management Mailbox Cmdlet Usage
id: 396de86f-25e7-4b0e-be09-a330be35249d
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.
risk_objects:
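Review bot: For a ProxyShell/ProxyNotShell cmdlet detection the useful risk context is usually what happens after the mailbox export, but `latest_offset: 0` now ends the drilldown at the notable's `_time`, so those later risk events are excluded; use a positive `latest_offset` or make the name explicit: `View risk events for the 7 days preceding this event`. The `$dest$` token is interpolated unescaped in `IN ("$dest$")`; `IN ($dest|s$)` would escape it if the ES drilldown renderer supports the `|s` filter. Confirm `earliest_offset: 7d` is a valid offset value rather than integer seconds only.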
diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml
index fa02f1af2e..6a2318922b 100644
--- a/detections/endpoint/windows_mshta_execution_in_registry.yml
+++ b/detections/endpoint/windows_mshta_execution_in_registry.yml
@@ -1,7 +1,7 @@
name: Windows Mshta Execution In Registry
id: e13ceade-b673-4d34-adc4-4d9c01729753
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry $registry_path$ contains mshta $registry_value_data$ on $dest$
risk_objects:
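Review bot: `IN ("$dest$", "$user$")` on the new `search:` line embeds the user token without escaping; a value containing `"`, `,` or `)` breaks or reshapes the SPL, so `IN ($dest|s$, $user|s$)` is preferable if the ES drilldown renderer honors the `|s` filter. With `starthoursago=168` gone, the query has no time term of its own and the window is the 7 days ending at the notable's `_time` (`latest_offset: 0`) rather than the 7 days before the click — worth a comment so analysts do not expect later risk events. If the offset fields accept only integer seconds, `earliest_offset: 7d` should be `604800`.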
diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
index 7a323a9722..929b66b1b7 100644
--- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
+++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
@@ -1,7 +1,7 @@
name: Windows MSHTA Writing to World Writable Path
id: efbcf8ee-bc75-47f1-8985-a5c638c4faf0
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Sysmon EventID 11
@@ -50,9 +50,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $Image$ writing to $TargetFilename$ was detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index 101af8db90..9ecfb11f35 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -1,7 +1,7 @@
name: Windows MSIExec DLLRegisterServer
id: fdb59aef-d88f-4909-8369-ec2afbd2c398
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to register a file.
risk_objects:
diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
index 9d39c14fc4..fb82deeb77 100644
--- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
+++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
@@ -1,7 +1,7 @@
name: Windows MsiExec HideWindow Rundll32 Execution
id: 9683271d-92e4-43b5-a907-1983bfb9f7fd
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a msiexec parent process with /hidewindow rundll32 process commandline on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index a3e6a91e41..7d3d6e1de6 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -1,7 +1,7 @@
name: Windows MSIExec Remote Download
id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote file.
risk_objects:
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
index a46d191fd7..43541eea38 100644
--- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
@@ -1,7 +1,7 @@
name: Windows MSIExec Spawn Discovery Command
id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ running different discovery commands.
risk_objects:
diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml
index ca78b10c0c..5efa6e0bd9 100644
--- a/detections/endpoint/windows_msiexec_spawn_windbg.yml
+++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml
@@ -1,7 +1,7 @@
name: Windows MSIExec Spawn WinDBG
id: 9a18f7c2-1fe3-47b8-9467-8b3976770a30
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
index f1cb6447d5..1f85734be2 100644
--- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
@@ -1,7 +1,7 @@
name: Windows MSIExec Unregister DLLRegisterServer
id: a27db3c5-1a9a-46df-a577-765d3f1a3c24
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to unregister a file.
risk_objects:
diff --git a/detections/endpoint/windows_mstsc_rdp_commandline.yml b/detections/endpoint/windows_mstsc_rdp_commandline.yml
index bf21dbeddb..b299019b9c 100644
--- a/detections/endpoint/windows_mstsc_rdp_commandline.yml
+++ b/detections/endpoint/windows_mstsc_rdp_commandline.yml
@@ -1,7 +1,7 @@
name: Windows MSTSC RDP Commandline
id: 3718549b-867e-4084-b770-790e8dab6ab8
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a mstsc.exe process commandline $process$ executed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml
index afba225adb..f1e059464f 100644
--- a/detections/endpoint/windows_multiple_account_passwords_changed.yml
+++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml
@@ -1,7 +1,7 @@
name: Windows Multiple Account Passwords Changed
id: faefb681-14be-4f0d-9cac-0bc0160c7280
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4724
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $src_user$ changed the passwords of multiple accounts in a short period of time.
risk_objects:
diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml
index 6c1f750d40..27264ccc99 100644
--- a/detections/endpoint/windows_multiple_accounts_deleted.yml
+++ b/detections/endpoint/windows_multiple_accounts_deleted.yml
@@ -1,7 +1,7 @@
name: Windows Multiple Accounts Deleted
id: 49c0d4d6-c55d-4d3a-b3d5-7709fafed70d
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4726
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $src_user$ deleted multiple accounts in a short period of time.
risk_objects:
diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml
index 0398404233..fa03cc2cec 100644
--- a/detections/endpoint/windows_multiple_accounts_disabled.yml
+++ b/detections/endpoint/windows_multiple_accounts_disabled.yml
@@ -1,7 +1,7 @@
name: Windows Multiple Accounts Disabled
id: 5d93894e-befa-4429-abde-7fc541020b7b
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4725
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $src_user$ disabled multiple accounts in a short period of time.
risk_objects:
diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
index db55ac0389..dfeab101ee 100644
--- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
+++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
@@ -1,7 +1,7 @@
name: Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
id: 98f22d82-9d62-11eb-9fcf-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12
| bucket span=5m _time
diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
index 38899728d7..befa9a74c0 100644
--- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml
@@ -1,7 +1,7 @@
name: Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
id: 001266a6-9d5b-11eb-829b-acde48001122
-date: '2026-03-10'
-version: 10
+date: '2026-03-31'
+version: 11
type: TTP
status: production
author: Mauricio Velazco, Splunk
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6
| bucket span=5m _time
diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
index 4d3eca96cc..499976be06 100644
--- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml
@@ -1,12 +1,12 @@
name: Windows Multiple Invalid Users Failed To Authenticate Using NTLM
id: 57ad5a64-9df7-11eb-a290-acde48001122
type: TTP
-version: 11
+version: 12
author: Mauricio Velazco, Splunk
status: production
data_source:
- Windows Event Log Security 4776
-date: '2026-03-10'
+date: '2026-03-31'
description: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates non-existent usernames. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the Active Directory environment.
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation' within `Account Logon` needs to be enabled.
known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Workstation$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
| bucket span=5m _time
diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
index fb8ad96774..68494bfeae 100644
--- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
+++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml
@@ -1,7 +1,7 @@
name: Windows Multiple NTLM Null Domain Authentications
id: c187ce2c-c88e-4cec-8a1c-607ca0dedd78
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The device [$dest$] was the target of $count$ NTLM authentications from $src_count$ sources using $unique_count$ unique user accounts.
risk_objects:
diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
index b1e4e82332..2858736f56 100644
--- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml
@@ -1,12 +1,12 @@
name: Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
id: e61918fa-9ca4-11eb-836c-acde48001122
type: TTP
-version: 11
+version: 12
status: production
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4648
-date: '2026-03-10'
+date: '2026-03-31'
description: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly specifying account credentials. This detection is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc.
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
| bucket span=5m _time
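Review bot: The new `earliest_offset: 7d` on the "View risk events for the last 7 days" drilldown carries no sign, and nothing in the hunk establishes whether the consumer reads an unsigned offset as seven days before the notable or applies it verbatim as a Splunk relative-time modifier, where `-7d` is the lookback form; because the `starthoursago=168` bound was dropped from the SPL on the same line, a mis-read offset could leave this risk-event lookup with no lookback window at all. Confirming the rendered time range of the drilldown in ES, or writing `earliest_offset: -7d` if the value is passed through unchanged, would make the intent unambiguous. The identical rewrite appears in the drilldown hunks of every other file section in this chunk (the NTLM, from_process, kerberos and remotely_failed variants, netsupport_rmm, the EventLog channel and service security-descriptor files, default_file_association, ngrok, nirsoft and njrat), so one confirmation covers them all.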
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
index 4251aa9abc..050a93755f 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml
@@ -3,10 +3,10 @@ id: 7ed272a4-9c77-11eb-af22-acde48001122
author: Mauricio Velazco, Splunk
type: TTP
status: production
-version: 11
+version: 12
data_source:
- Windows Event Log Security 4776
-date: '2026-03-10'
+date: '2026-03-31'
description: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates a bad password. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges. If confirmed malicious, this activity could lead to unauthorized access to sensitive information or further compromise of the Active Directory environment.
how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential Validation` within `Account Logon` needs to be enabled.
known_false_positives: A host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could represent a password spraying attack against the host's local accounts.
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Workstation$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
| bucket span=5m _time
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
index 3c1d44ce97..2fba024661 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml
@@ -1,12 +1,12 @@
name: Windows Multiple Users Failed To Authenticate From Process
id: 9015385a-9c84-11eb-bef2-acde48001122
type: TTP
-version: 11
+version: 12
status: production
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
-date: '2026-03-10'
+date: '2026-03-31'
description: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member servers, and workstations. This activity is significant as it may represent an adversary attempting to gain initial access or elevate privileges within an Active Directory environment. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or further compromise of the network, posing a severe security risk.
how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers aas well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled.
known_false_positives: A process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. Possible false positive scenarios include but are not limited to vulnerability scanners and missconfigured systems.
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-"
| bucket span=5m _time
diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
index 54b264394b..00d1cb63c8 100644
--- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
+++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml
@@ -1,8 +1,8 @@
name: Windows Multiple Users Failed To Authenticate Using Kerberos
id: 3a91a212-98a9-11eb-b86a-acde48001122
type: TTP
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
status: production
author: Mauricio Velazco, Splunk
data_source:
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18
| bucket span=5m _time
diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
index 7650d6f40e..e39a8f0777 100644
--- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
+++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
@@ -3,8 +3,8 @@ id: 80f9d53e-9ca1-11eb-b0d6-acde48001122
author: Mauricio Velazco, Splunk
type: TTP
status: production
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
data_source:
- Windows Event Log Security 4625
description: The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. It leverages Windows Event 4625 with Logon Type 3, indicating remote authentication attempts. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges in an Active Directory environment. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information. This detection is crucial for real-time security monitoring and threat hunting.
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-"
| bucket span=5m _time
diff --git a/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml b/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml
index a5653101e1..a40625ede8 100644
--- a/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml
+++ b/detections/endpoint/windows_netsupport_rmm_dll_loaded_by_uncommon_process.yml
@@ -1,7 +1,7 @@
name: Windows NetSupport RMM DLL Loaded By Uncommon Process
id: 125f96f9-6f34-418b-b868-c4a8d7fb865f
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
index 44e9383fe5..a290065646 100644
--- a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
+++ b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
@@ -1,7 +1,7 @@
name: Windows New Custom Security Descriptor Set On EventLog Channel
id: c0e5dd5a-2117-41d5-a04c-82a762a86a38
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ in $dest$
risk_objects:
diff --git a/detections/endpoint/windows_new_default_file_association_value_set.yml b/detections/endpoint/windows_new_default_file_association_value_set.yml
index 694e477aee..d454d109ad 100644
--- a/detections/endpoint/windows_new_default_file_association_value_set.yml
+++ b/detections/endpoint/windows_new_default_file_association_value_set.yml
@@ -1,7 +1,7 @@
name: Windows New Default File Association Value Set
id: 7d1f031f-f1c9-43be-8b0b-c4e3e8a8928a
-version: 3
-date: '2025-05-02'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Hermetic Wiper
diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
index 06d4d6271f..bed5dff99d 100644
--- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
+++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
@@ -1,7 +1,7 @@
name: Windows New Deny Permission Set On Service SD Via Sc.EXE
id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33
-version: 8
-date: '2026-03-25'
+version: 9
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
index 39d9730edd..3dd3cf8dc8 100644
--- a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
+++ b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
@@ -1,7 +1,7 @@
name: Windows New EventLog ChannelAccess Registry Value Set
id: 16eb11bc-ef42-42e8-9d0c-d21e0fa15725
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: modified/added/deleted registry entry $registry_path$ in $dest$
risk_objects:
diff --git a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
index a461de0a35..925c3eb2bd 100644
--- a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
+++ b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
@@ -1,7 +1,7 @@
name: Windows New Service Security Descriptor Set Via Sc.EXE
id: cde00c31-042a-4307-bf70-25e471da56e9
-version: 8
-date: '2026-03-25'
+version: 9
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to change the security descriptor of a service on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index 0ac9bc1a66..7d1d738963 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -1,7 +1,7 @@
name: Windows Ngrok Reverse Proxy Usage
id: e2549f2c-0aef-408a-b0c1-e0f270623436
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A reverse proxy was identified spawning from $parent_process_name$ - $process_name$ on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml
index c13ea583d1..56cc5a5c49 100644
--- a/detections/endpoint/windows_nirsoft_advancedrun.yml
+++ b/detections/endpoint/windows_nirsoft_advancedrun.yml
@@ -1,7 +1,7 @@
name: Windows NirSoft AdvancedRun
id: bb4f3090-7ae4-11ec-897f-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of advancedrun.exe, $process_name$, was spawned by $parent_process_name$ on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml b/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml
index 95c6a67558..e170358bf3 100644
--- a/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml
+++ b/detections/endpoint/windows_nirsoft_tool_bundle_file_created.yml
@@ -1,7 +1,7 @@
name: Windows NirSoft Tool Bundle File Created
id: a2c8e8f8-18d6-4ad4-acf4-f58903bebe41
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -62,9 +62,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: NirSoft tool bundle file $file_name$ created on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
index 8db1e87893..9453f7433f 100644
--- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
+++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
@@ -1,7 +1,7 @@
name: Windows Njrat Fileless Storage via Registry
id: a5fffbbd-271f-4980-94ed-4fbf17f0af1c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a suspicious registry entry related to NjRAT keylloging registry on $dest$
risk_objects:
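Review bot: The rba message on the context line, `message: a suspicious registry entry related to NjRAT keylloging registry on $dest$`, misspells "keylogging" and reads awkwardly; since this commit already bumps the detection's version, it is a cheap fix to fold in, e.g. `message: A suspicious registry entry related to NjRAT keylogging was observed on $dest$`. This text is pre-existing and not introduced by the change; the risk message is what analysts see in the notable, so the wording matters.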
diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
index 693dd15b12..50f7931e0e 100644
--- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
+++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
@@ -1,7 +1,7 @@
name: Windows Non Discord App Access Discord LevelDB
id: 1166360c-d495-45ac-87a6-8948aac1fa07
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Windows Event Log Security 4663
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A non-discord process $process_name$ accessing discord "leveldb" file on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
index 5cecdd8d26..044a1c9573 100644
--- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml
+++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
@@ -1,7 +1,7 @@
name: Windows Non-System Account Targeting Lsass
id: b1ce9a72-73cf-11ec-981b-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process, $parent_process_path$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.
risk_objects:
diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
index ef21835262..b7843066d2 100644
--- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
+++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
@@ -1,7 +1,7 @@
name: Windows Obfuscated Files or Information via RAR SFX
id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 11
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process drops [$file_name$] on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml
index 04606e3912..6fddf253b7 100644
--- a/detections/endpoint/windows_odbcconf_load_dll.yml
+++ b/detections/endpoint/windows_odbcconf_load_dll.yml
@@ -1,7 +1,7 @@
name: Windows Odbcconf Load DLL
id: 141e7fca-a9f0-40fd-a539-9aac8be41f1b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.
risk_objects:
diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml
index 41f16f8d32..bb2bb56770 100644
--- a/detections/endpoint/windows_odbcconf_load_response_file.yml
+++ b/detections/endpoint/windows_odbcconf_load_response_file.yml
@@ -1,7 +1,7 @@
name: Windows Odbcconf Load Response File
id: 1acafff9-1347-4b40-abae-f35aa4ba85c1
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to circumvent controls.
risk_objects:
diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
index 13ac566ba3..6ed727003a 100644
--- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
+++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Dropped Cab or Inf File
id: dbdd251e-dd45-4ec9-a555-f5e151391746
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.
risk_objects:
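Review bot: The rba message on the context line, `message: An instance of $process_name$ was identified on $dest$ writing an inf or cab file to this. This is not typical of $process_name$.`, ends its first sentence with "to this", which looks like a truncated phrase (presumably "to disk"); with the version already bumped here, consider `writing an inf or cab file to disk.`. Pre-existing text, not introduced by this change, but it is the analyst-facing risk message.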
diff --git a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
index 0487243348..1c8bee7ad2 100644
--- a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
+++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Dropped Uncommon File
id: 7ac0fced-9eae-4381-a748-90dcd1aa9393
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ drops a file $file_name$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
index 700d2aef7d..b32fc9999d 100644
--- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
+++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Loaded MSHTML Module
id: 4cc015c9-687c-40d2-adcc-46350f66e10c
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Michael Haag, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ was identified on endpoint $dest$ loading mshtml.dll.
risk_objects:
diff --git a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
index 92ad078c30..b42fb75533 100644
--- a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Loading Taskschd DLL
id: d7297cfa-1f04-4714-bfbe-3679e0666959
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An Office document was identified creating a scheduled task on $dest$. Investigate further.
risk_objects:
diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
index 0ec71d35b3..42746ae431 100644
--- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Loading VBE7 DLL
id: 7cfec906-2697-43f7-898b-83634a051d9a
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Office document executing a macro on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
index 50d11a4b38..a284edfbb1 100644
--- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
+++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned Child Process For Download
id: f02b64b8-cbea-4f75-bf77-7a05111566b1
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Office document spawning suspicious child process on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml
index ff2e3ed1e1..1de26e46d4 100644
--- a/detections/endpoint/windows_office_product_spawned_control.yml
+++ b/detections/endpoint/windows_office_product_spawned_control.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned Control
id: 081c485d-ac8d-4bee-ad4c-525772fead4d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ clicking a suspicious attachment.
risk_objects:
diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml
index 8d8cc8eb58..12f3b28ace 100644
--- a/detections/endpoint/windows_office_product_spawned_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawned_msdt.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned MSDT
id: a3148fad-3734-4b7f-9a71-62f08d39fab1
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Office process $parent_process_name$ has spawned a child process $process_name$ on host $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
index 9e382c9606..b9233dd4c7 100644
--- a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
+++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned Rundll32 With No DLL
id: f28e787e-69ca-480e-9f98-ab970e6d4bcc
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Office process $parent_process_name$ observed executing a suspicious child process $process_name$ with process id $process_id$ and no dll commandline $process$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
index 859e68e949..3dcfe1a9f1 100644
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -1,7 +1,7 @@
name: Windows Office Product Spawned Uncommon Process
id: 55d8741c-fa32-4692-8109-410304961eb8
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -77,9 +77,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: User $user$ on $dest$ spawned Windows Script Host from Winword.exe
risk_objects:
diff --git a/detections/endpoint/windows_outlook_dialogs_disabled_from_unusual_process.yml b/detections/endpoint/windows_outlook_dialogs_disabled_from_unusual_process.yml
index 5cf5261946..e28b6bc67d 100644
--- a/detections/endpoint/windows_outlook_dialogs_disabled_from_unusual_process.yml
+++ b/detections/endpoint/windows_outlook_dialogs_disabled_from_unusual_process.yml
@@ -1,7 +1,7 @@
name: Windows Outlook Dialogs Disabled from Unusual Process
id: 94e3ba29-6245-4f25-8d47-d5b6b34c40ac
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Outlook Dialog registry key modified on $dest$ by unusual process
risk_objects:
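Review bot: The drilldown title still says "last 7 days" but the new `earliest_offset: 7d` / `latest_offset: 0` pair appears to define a window relative to the notable's event time, not to the current time as the removed `starthoursago=168` did. For a registry-modification notable that is triaged a day or two later, any risk contributed to `$dest$` in between will be outside the window, so either the title or the offsets should be adjusted so they agree; a title like `View risk events for the 7 days before this event` would be accurate for the new offsets. I am inferring the offset semantics from ES drilldown conventions, so confirm against the target ES version.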
diff --git a/detections/endpoint/windows_outlook_loadmacroprovideronboot_persistence.yml b/detections/endpoint/windows_outlook_loadmacroprovideronboot_persistence.yml
index a8cd7984ff..4bdcff9feb 100644
--- a/detections/endpoint/windows_outlook_loadmacroprovideronboot_persistence.yml
+++ b/detections/endpoint/windows_outlook_loadmacroprovideronboot_persistence.yml
@@ -1,7 +1,7 @@
name: Windows Outlook LoadMacroProviderOnBoot Persistence
id: 93c91139-01f8-4905-802b-0d106f026b13
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Outlook LoadMacroProviderOnBoot registry key modified on $dest$
risk_objects:
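Review bot: `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string, so the two keys now carry different scalar types after the move away from the `$info_min_time$` / `$info_max_time$` tokens; if contentctl or the ES notable action coerces both to strings this is harmless, but quoting both (`earliest_offset: '7d'`, `latest_offset: '0'`) removes the ambiguity and matches how the token form was treated. Note also that the window is now anchored to the notable's `_time` rather than to search time, so risk events on `$dest$` after the persistence write are excluded; confirm that is the intended reading of "last 7 days".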
diff --git a/detections/endpoint/windows_outlook_macro_created_by_suspicious_process.yml b/detections/endpoint/windows_outlook_macro_created_by_suspicious_process.yml
index 8f9996b091..66e7bcc99a 100644
--- a/detections/endpoint/windows_outlook_macro_created_by_suspicious_process.yml
+++ b/detections/endpoint/windows_outlook_macro_created_by_suspicious_process.yml
@@ -1,7 +1,7 @@
name: Windows Outlook Macro Created by Suspicious Process
id: 3ec347e3-a94a-4a8b-a918-8306ea403182
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious Outlook macro $file_name$ created on $dest$
risk_objects:
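Review bot: The rewritten drilldown filters `normalized_risk_object IN ("$user$", "$dest$")`, but the rba message below only carries `$file_name$` and `$dest$`, so whether `user` is actually emitted as a risk object (the `risk_objects` list is outside this hunk) cannot be confirmed from here; if it is not, the `$user$` token either fails to resolve or matches nothing and the clause is dead weight. Worth checking that the drilldown tokens line up with the declared risk objects. The offset change also shifts the window from "168 hours before now" to "7 days before the event", which the title should reflect if intended.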
diff --git a/detections/endpoint/windows_outlook_macro_security_modified.yml b/detections/endpoint/windows_outlook_macro_security_modified.yml
index d0c0341995..7001d085d3 100644
--- a/detections/endpoint/windows_outlook_macro_security_modified.yml
+++ b/detections/endpoint/windows_outlook_macro_security_modified.yml
@@ -1,7 +1,7 @@
name: Windows Outlook Macro Security Modified
id: 47872bb4-9987-4c33-a897-4d2d1ac7d4c2
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Outlook Macro Security Level registry modified on $dest$
risk_objects:
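Review bot: With `latest_offset: 0` the drilldown window closes at the notable's event time, so risk that accrues on `$dest$` after the macro-security key is modified (for example the follow-on macro execution this detection is meant to precede) will not appear even though the title promises the "last 7 days". If the intent is to show contributing risk only, say so in the title; if the intent is a rolling window, the removed `starthoursago=168` semantics are not reproduced by these offsets. This reading of the offsets follows ES drilldown conventions and should be verified.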
diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml
index 03061487f8..4cc9a9d0eb 100644
--- a/detections/endpoint/windows_outlook_webview_registry_modification.yml
+++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml
@@ -1,7 +1,7 @@
name: Windows Outlook WebView Registry Modification
id: 6e1ad5d4-d9af-496a-96ec-f31c11cd09f2
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Sysmon EventID 13
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modification of Outlook WebView registry values on $dest$.
risk_objects:
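Review bot: The `$dest$` token is substituted straight into a quoted SPL string (`normalized_risk_object IN ("$dest$")`), so a hostname or normalized value containing a double quote would break the `IN` list; if ES supports the `|s` modifier for drilldown tokens, `"$dest|s$"` would quote it safely, otherwise note the constraint in a comment. This was true of the removed line as well, but since the line is rewritten here it is a cheap hardening. The switch to `earliest_offset: 7d` / `latest_offset: 0` also anchors the window to the event time rather than search time, which the title should state.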
diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
index 8cb40a2131..e3a2b815eb 100644
--- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml
+++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
@@ -1,7 +1,7 @@
name: Windows PaperCut NG Spawn Shell
id: a602d9a2-aaea-45f8-bf0f-d851168d61ca
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The PaperCut NG application has spawned a shell $process_name$ on endpoint $dest$ by $user$.
risk_objects:
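Review bot: The new offsets make the 7-day window end at the notable's `_time` (`latest_offset: 0`), whereas the removed `starthoursago=168` ran up to the moment the analyst clicked; for a shell spawned from PaperCut, the most useful risk for `$user$` and `$dest$` is often the post-exploitation activity that follows, which this window now excludes. Consider either a non-zero latest offset or renaming the drilldown to `View risk events for the 7 days before this event` so the analyst is not misled. The offset semantics are inferred from ES drilldown behaviour; please confirm.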
diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
index f6b2958782..cf4e637b05 100644
--- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
+++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
@@ -1,7 +1,7 @@
name: Windows Parent PID Spoofing with Explorer
id: 17f8f69c-5d00-4c88-9c6f-493bbdef20a1
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An explorer.exe process with process commandline $process$ on dest $dest$
risk_objects:
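Review bot: Dropping `starthoursago=168` from the SPL and relying on `earliest_offset: 7d` moves the time bound out of the search text and into the drilldown metadata, which is cleaner, but it also changes the reference point from search time to event time as far as I can tell from ES drilldown offsets. That means the "last 7 days" label is now relative to the notable, and a `0` latest offset excludes later risk on `$dest$`. Either adjust the title or document the intended window in a `# comment` above the drilldown entry.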
diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml
index e4994aedd2..999a8ab91f 100644
--- a/detections/endpoint/windows_password_managers_discovery.yml
+++ b/detections/endpoint/windows_password_managers_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Password Managers Discovery
id: a3b3bc96-1c4f-4eba-8218-027cac739a48
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process with commandline $process$ that can retrieve information related to password manager databases on $dest$
risk_objects:
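Review bot: `earliest_offset: 7d` and `latest_offset: 0` are a string and an integer respectively; the previous values were both tokens of the same type, so this introduces a type mix that a strict schema may reject or that a formatter may rewrite. Quoting both values keeps them uniform (`'7d'` / `'0'`). Beyond the typing, the window for `$dest$` is now bounded at the notable's event time rather than the current time, so risk accumulated after the password-manager discovery is no longer shown under a title that says "last 7 days".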
diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
index d49d2a8b18..70689c15d2 100644
--- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
+++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
@@ -1,7 +1,7 @@
name: Windows Phishing Outlook Drop Dll In FORM Dir
id: fca01769-5163-4b3a-ae44-de874adfc9bc
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 1 AND Sysmon EventID 11
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: an outlook process dropped dll file into $file_path$ on $dest$
risk_objects:
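Review bot: The drilldown window now ends at the event (`latest_offset: 0`) instead of at search time, so for a DLL drop into the Outlook FORM directory the subsequent risk on `$dest$` (the load or execution of that DLL) falls outside it; whether that is acceptable depends on whether this view is meant to show contributing or surrounding risk, and the title "last 7 days" suggests the latter. Recommend aligning the title with the offsets or widening `latest_offset`. I am reading the offsets per ES drilldown conventions, which should be confirmed.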
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index 39735a6a4d..32ce510d48 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -1,7 +1,7 @@
name: Windows Phishing PDF File Executes URL Link
id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a pdf file opened in pdf viewer process $parent_process_name$ has a child process of a browser $process_name$ on $dest$
risk_objects:
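Review bot: Removing `starthoursago=168` from the inline `search` is the right simplification, since an inline time modifier fought with the outer drilldown time range, but the replacement offsets change the reference point: `7d` / `0` appear to be relative to the notable's `_time`, not to now. The title should therefore read along the lines of `View risk events for the 7 days before this event`, or the latest offset should be widened if trailing risk on `$dest$` is wanted. Offset semantics inferred from ES behaviour; please verify.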
diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml
index d36535b3b1..0536a38715 100644
--- a/detections/endpoint/windows_possible_credential_dumping.yml
+++ b/detections/endpoint/windows_possible_credential_dumping.yml
@@ -1,7 +1,7 @@
name: Windows Possible Credential Dumping
id: e4723b92-7266-11ec-af45-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user_id$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.
risk_objects:
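Review bot: The new window (`earliest_offset: 7d`, `latest_offset: 0`) stops at the notable's event time, which for a credential-dumping indicator means the lateral movement or logon risk that typically follows on `$user_id$` or `$dest$` is excluded from a view titled "last 7 days". If the intent is "risk leading up to this event", rename the drilldown accordingly; otherwise consider a positive latest offset. Also, `0` is an integer and `7d` a string in YAML; quoting both avoids a schema type mismatch.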
diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
index a9231a1c00..f05e724aa9 100644
--- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml
+++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
@@ -1,7 +1,7 @@
name: Windows Post Exploitation Risk Behavior
id: edb930df-64c2-4bb7-9b5c-889ed53fb973
-version: 7
-date: '2026-02-25'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Correlation
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Windows Post-Exploitation
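Review bot: For a Correlation-type search keyed on `$risk_object$`, the window `earliest_offset: 7d` / `latest_offset: 0` ends at the time the risk threshold was crossed, so this drilldown shows the contributing risk events but none that arrive after the notable; that is a reasonable design for an RBA incident rule, but the title "last 7 days" implies a rolling window and should be adjusted to match. Additionally, `$risk_object$` is inserted unquoted into `IN ("$risk_object$")`, so a value containing a double quote would break the SPL; if the ES drilldown framework supports `$risk_object|s$`, prefer it. These readings of the offsets follow ES drilldown conventions and should be confirmed.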
diff --git a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
index cc5d06ec0e..ff1aba3ab7 100644
--- a/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
+++ b/detections/endpoint/windows_potential_appdomainmanager_hijack_artifacts_creation.yml
@@ -1,7 +1,7 @@
name: Windows Potential AppDomainManager Hijack Artifacts Creation
id: be19b369-fd0c-42be-ae97-c10b6c01638f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Windows AppDomainManager hijack artifact files created on [$dest$]
risk_objects:
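Review bot: The replaced `starthoursago=168` bounded the search relative to execution time; the new `earliest_offset: 7d` with `latest_offset: 0` bounds it relative to the notable's own `_time`, so an analyst opening this AppDomainManager notable later will not see risk on `$dest$` that accrued after the artifact was written. Confirm this is the intended reading of "last 7 days" and adjust the title if so. Quoting both offset values (`'7d'`, `'0'`) would also keep them the same YAML scalar type.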
diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
index f401dc12e7..5a6eb450b2 100644
--- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
+++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Add Module to Global Assembly Cache
id: 3fc16961-97e5-4a5b-a079-e4ab0d9763eb
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell was used to install a module to the Global Assembly Cache on $dest$.
risk_objects:
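Review bot: The rewritten drilldown filters on `normalized_risk_object IN ("$Computer$")` while the rba message on the following line refers to `$dest$`; if the detection declares its risk object on `dest` (the `risk_objects` list is just outside this hunk) then `$Computer$` will either not resolve in the notable or will not match the normalized risk object, and the 7-day risk view comes back empty. Consider `normalized_risk_object IN ("$dest$")` and the matching title, or confirm that `Computer` is carried through to the notable and the risk index. The new offsets also anchor the window to the event time rather than search time, which the title should state.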
diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml
index 50e71404b1..a5c15056a1 100644
--- a/detections/endpoint/windows_powershell_cryptography_namespace.yml
+++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml
@@ -1,7 +1,7 @@
name: Windows Powershell Cryptography Namespace
id: f8b482f4-6d62-49fa-a905-dfa15698317b
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious powershell script contains cryptography command detected on host $dest$
risk_objects:
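Review bot: The drilldown now queries `normalized_risk_object IN ("$dest$", "$user_id$")` but the rba message below mentions only `$dest$`; whether `user_id` is declared as a risk object cannot be seen in this hunk, and if it is not, that half of the `IN` list never matches. Worth confirming the token list against `risk_objects`. Independently, `earliest_offset: 7d` / `latest_offset: 0` fix the window to the seven days ending at the notable's `_time`, so the "last 7 days" title no longer describes a rolling window.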
diff --git a/detections/endpoint/windows_powershell_disable_http_logging.yml b/detections/endpoint/windows_powershell_disable_http_logging.yml
index 4e2910e6ea..d1f997d948 100644
--- a/detections/endpoint/windows_powershell_disable_http_logging.yml
+++ b/detections/endpoint/windows_powershell_disable_http_logging.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Disable HTTP Logging
id: 27958de0-2857-43ca-9d4c-b255cf59dcab
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell Cmdlet related to disable or modifying a IIS HTTP logging has occurred on $dest$.
risk_objects:
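Review bot: As in the sibling PowerShell detections, the new line filters on `"$Computer$"` while the rba message is written against `$dest$`; if the risk object for this detection is `dest`, the `$Computer$` token yields no matches in `Risk.All_Risk` and the drilldown silently returns nothing. Align the token with the declared risk object (`normalized_risk_object IN ("$dest$")`) or confirm `Computer` is the field the notable carries. The offsets `7d` / `0` also move the window's anchor from search time to event time, so the title should say "before this event" if that is intended.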
diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml
index 9f5351f24a..885186a0bb 100644
--- a/detections/endpoint/windows_powershell_export_certificate.yml
+++ b/detections/endpoint/windows_powershell_export_certificate.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Export Certificate
id: 5e38ded4-c964-41f4-8cb6-4a1a53c6929f
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell Cmdlet related to exporting a Certificate was ran on $dest$, attempting to export a certificate.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
index 6dd8eacf5b..72ecbc0ad9 100644
--- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Export PfxCertificate
id: ed06725f-6da6-439f-9dcc-ab30e891297c
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell Cmdlet related to exporting a PFX Certificate was ran on $dest$, attempting to export a certificate.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml b/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml
index 250503ff76..7a7cc6a96c 100644
--- a/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml
+++ b/detections/endpoint/windows_powershell_fakecaptcha_clipboard_execution.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell FakeCAPTCHA Clipboard Execution
id: d81d4d3d-76b5-4f21-ab51-b17d5164c106
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A potential FakeCAPTCHA/ClickFix campaign execution was detected on $dest$ running a PowerShell command with hidden window and suspicious verification strings typical of social engineering attacks.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
index e451451da3..cc302f20e8 100644
--- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
+++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Get CIMInstance Remote Computer
id: d8c972eb-ed84-431a-8869-ca4bd83257d1
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell Cmdlet Get-CIMInstnace was ran on $dest$, attempting to connect to a remote host.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_history_file_deletion.yml b/detections/endpoint/windows_powershell_history_file_deletion.yml
index 9f2770fb02..08c88c1a14 100644
--- a/detections/endpoint/windows_powershell_history_file_deletion.yml
+++ b/detections/endpoint/windows_powershell_history_file_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Powershell History File Deletion
id: f1369394-48e1-4327-bf6d-14377f4b8687
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell related to deleting commandline history file deletion was executed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
index e146cd66b9..e1ea51bbb7 100644
--- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
+++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell IIS Components WebGlobalModule Usage
id: 33fc9f6f-0ce7-4696-924e-a69ec61a3d57
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell Cmdlet related to enabling, creating or modifying a IIS module has occurred on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml
index d0fd4bd84f..3269bc38dd 100644
--- a/detections/endpoint/windows_powershell_import_applocker_policy.yml
+++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml
@@ -1,7 +1,7 @@
name: Windows Powershell Import Applocker Policy
id: 102af98d-0ca3-4aa4-98d6-7ab2b98b955a
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml b/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
index f61c360438..de32a98f2f 100644
--- a/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
+++ b/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Invoke-RestMethod IP Information Collection
id: 8db47e12-9c3e-4f5a-b0d6-e42a1895cd4f
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script on $dest$ is collecting external IP or geolocation information using Invoke-RestMethod.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
index 1372bc797e..f56c899573 100644
--- a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
+++ b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
@@ -1,7 +1,7 @@
name: Windows Powershell Logoff User via Quser
id: 6d70780d-4cfe-4820-bafd-1b43941986b5
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Powershell Script Block Logging 4104
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Powershell process having commandline [$ScriptBlockText$] used to logoff user on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_powershell_msix_package_installation.yml b/detections/endpoint/windows_powershell_msix_package_installation.yml
index 9c035e5e9a..a22c06a621 100644
--- a/detections/endpoint/windows_powershell_msix_package_installation.yml
+++ b/detections/endpoint/windows_powershell_msix_package_installation.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell MSIX Package Installation
id: d2f77901-dbfa-42d9-8af7-dcd0f1a50a2f
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $user_id$ attempted to install an unsigned AppX package on $dest$ using PowerShell.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml b/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml
index 5beabb43db..75cba7ecb0 100644
--- a/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml
+++ b/detections/endpoint/windows_powershell_process_implementing_manual_base64_decoder.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Process Implementing Manual Base64 Decoder
id: 08d67349-0808-4f55-b431-1037269fa517
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali
status: production
type: Anomaly
@@ -61,9 +61,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ executing a manual Base64 decoding routine $process$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_process_with_malicious_string.yml b/detections/endpoint/windows_powershell_process_with_malicious_string.yml
index 828c076621..e7dc66798f 100644
--- a/detections/endpoint/windows_powershell_process_with_malicious_string.yml
+++ b/detections/endpoint/windows_powershell_process_with_malicious_string.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Process With Malicious String
id: 5df35d50-e1a3-4a52-a337-92e69d9b1b8a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate PowerShell on $dest$
search: '| from datamodel:Endpoint.Processes | search dest=$dest|s$ process_name=$process_name$ "*$match$*"'
earliest_offset: $info_min_time$
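Review bot: The rewritten risk drilldown interpolates its tokens raw inside quoted SPL (`IN ("$dest$","$user$")`), whereas the neighbouring drilldown in the same hunk uses the `|s` filter (`dest=$dest|s$`) to have Splunk quote and escape the value. A risk-object value containing a double quote or other SPL metacharacters would break or alter the first search but not the second; `normalized_risk_object IN ($dest|s$, $user|s$)` would make the two consistent. The other `normalized_risk_object IN (...)` lines rewritten in this chunk use the same raw interpolation, so the change belongs in all of them.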
diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml
index fd896050b3..745730eeef 100644
--- a/detections/endpoint/windows_powershell_remotesigned_file.yml
+++ b/detections/endpoint/windows_powershell_remotesigned_file.yml
@@ -1,7 +1,7 @@
name: Windows Powershell RemoteSigned File
id: f7f7456b-470d-4a95-9703-698250645ff4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell commandline with remotesigned policy executed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml
index 39049fe008..135a01b51c 100644
--- a/detections/endpoint/windows_powershell_scheduletask.yml
+++ b/detections/endpoint/windows_powershell_scheduletask.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell ScheduleTask
id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The PowerShell cmdlets related to task creation, modification and start occurred on $dest$ by $user_id$.
risk_objects:
diff --git a/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml b/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
index 55279bdbd0..6619a5e3dc 100644
--- a/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
+++ b/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Script Block With Malicious String
id: 0f09cedd-10f1-4b9f-bdea-7a8b06ea575d
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $user_id$ ran a known malicious PowerShell string matching *$match$* on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powershell_script_from_windowsapps_directory.yml b/detections/endpoint/windows_powershell_script_from_windowsapps_directory.yml
index fb69cd9583..ffca1bfcae 100644
--- a/detections/endpoint/windows_powershell_script_from_windowsapps_directory.yml
+++ b/detections/endpoint/windows_powershell_script_from_windowsapps_directory.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell Script From WindowsApps Directory
id: 8c3d1f2e-7b4a-45e3-9d8f-6a2e4c9b1234
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Look for specific StartingScriptWrapper.ps1 execution
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name="powershell.exe" AND Processes.process="*StartingScriptWrapper.ps1*" by Processes.dest Processes.process Processes.parent_process_name'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
index 1751fbf4be..73133f3188 100644
--- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
+++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
@@ -1,7 +1,7 @@
name: Windows PowerShell WMI Win32 ScheduledJob
id: 47c69803-2c09-408b-b40a-063c064cbb16
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.
risk_objects:
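Review bot: `earliest_offset: 7d` carries no sign, so if contentctl hands it to Splunk ES as a relative-time modifier applied to the notable's time, it would denote seven days after the event rather than the seven-day look-back that the `name` line and the removed `starthoursago=168` describe; confirm the form ES expects here and, if it is a signed relative modifier, write `earliest_offset: -7d`. `latest_offset: 0` is also the only bare integer among these offset fields (`$info_min_time$` and `7d` read as strings under a YAML 1.1 loader), so `latest_offset: '0'` keeps the type stable across loaders and any schema that expects a string. The same two lines recur in the drilldown hunk of every other file in this chunk, from windows_powersploit_gpp_discovery through windows_process_injection_into_commonly_abused_processes, so whichever form is settled on should be applied uniformly rather than per file.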
diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml
index 098d3331e8..40c426ee2f 100644
--- a/detections/endpoint/windows_powersploit_gpp_discovery.yml
+++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml
@@ -1,7 +1,7 @@
name: Windows PowerSploit GPP Discovery
id: 0130a0df-83a1-4647-9011-841e950ff302
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Commandlets leveraged to discover GPP credentials were executed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
index df9e5f9949..0dee992ebe 100644
--- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
+++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
@@ -1,7 +1,7 @@
name: Windows PowerView AD Access Control List Enumeration
id: 39405650-c364-4e1e-a740-32a63ef042a6
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerView AD acccess control list enumeration detected on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
index 9bef76abdb..b700a51658 100644
--- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
name: Windows PowerView Constrained Delegation Discovery
id: 86dc8176-6e6c-42d6-9684-5444c6557ab3
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
index 02f9cd1fb5..22ce2a90e5 100644
--- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
@@ -1,7 +1,7 @@
name: Windows PowerView Kerberos Service Ticket Request
id: 970455a1-4ac2-47e1-a9a5-9e75443ddcb9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerView commandlets used for requesting SPN service ticket executed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml
index dd265e7241..adef8d83fd 100644
--- a/detections/endpoint/windows_powerview_spn_discovery.yml
+++ b/detections/endpoint/windows_powerview_spn_discovery.yml
@@ -1,7 +1,7 @@
name: Windows PowerView SPN Discovery
id: a7093c28-796c-4ebb-9997-e2c18b870837
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PowerView commandlets used for SPN discovery executed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
index ad745860a9..8aa3fe120b 100644
--- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
name: Windows PowerView Unconstrained Delegation Discovery
id: fbf9e47f-e531-4fea-942d-5c95af7ed4d6
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml
index 8f055324fb..3fa2ca4db0 100644
--- a/detections/endpoint/windows_private_keys_discovery.yml
+++ b/detections/endpoint/windows_private_keys_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Private Keys Discovery
id: 5c1c2877-06c0-40ee-a1a2-db71f1372b5b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process with commandline $process$ that can retrieve information related to private keys on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 13986f4e41..1db69810af 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -1,7 +1,7 @@
name: Windows Privilege Escalation Suspicious Process Elevation
id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc
-version: 10
-date: '2026-03-24'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -131,9 +131,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $src_user$ launched a process [$parent_process_name$] which spawned a suspicious elevated integrity process [$process_name$].
risk_objects:
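Review bot: The drilldown `name` on the context line still reads `for - "$dest$" and "$user$"` while the rewritten search filters on `"$dest$", "$user$", "$src_user$"`, so the label an analyst sees in the notable under-reports which risk objects the search covers. Since the search line is being rewritten here anyway, changing the name to `View risk events for the last 7 days for - "$dest$", "$user$" and "$src_user$"` keeps the two in step. This mismatch predates the commit but is cheapest to fix in the same hunk.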
diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
index d81142bb6d..f43256051b 100644
--- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
+++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
@@ -1,7 +1,7 @@
name: Windows Privilege Escalation System Process Without System Parent
id: 5a5351cd-ba7e-499e-ad82-2ce160ffa637
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$src_user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$src_user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process [$process_name$] on $dest$ was launched with system level integrity by $src_user$.
risk_objects:
diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
index 64dfeff1b4..aac0b684ff 100644
--- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
+++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
@@ -1,7 +1,7 @@
name: Windows Privilege Escalation User Process Spawn System Process
id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe
-version: 11
-date: '2026-03-24'
+version: 12
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -93,9 +93,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user $user$ launched the process $process_name$ which spawned a system level integrity process.
risk_objects:
diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml
index a11cb3088c..6710d25515 100644
--- a/detections/endpoint/windows_privileged_group_modification.yml
+++ b/detections/endpoint/windows_privileged_group_modification.yml
@@ -1,7 +1,7 @@
name: Windows Privileged Group Modification
id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9
-version: 10
-date: '2026-03-23'
+version: 11
+date: '2026-03-31'
author: Brandon Sternfield, Optiv + ClearShark
status: production
type: TTP
@@ -90,9 +90,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A privileged group modification was detected. Group "$object$" ($object_category$) was $change_type$ on $dest$ by user $src_user$.
risk_objects:
diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
index e3dd1ce66d..5c0d3f1505 100644
--- a/detections/endpoint/windows_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_process_executed_from_removable_media.yml
@@ -1,7 +1,7 @@
name: Windows Process Executed From Removable Media
id: b483804a-4cc0-49a4-9f00-ac29ba844d08
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -50,9 +50,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$" , "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$" , "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate USB events on $dest$
search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*'
earliest_offset: $info_min_time$
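Review bot: The rewritten search keeps a stray space before the comma in `IN ("$dest$" , "$user$")`, which every sibling file in this chunk writes as `IN ("$dest$", "$user$")`. It is harmless to SPL but makes this drilldown the one that does not match a grep or template regeneration across the set; normalising it to `IN ("$dest$", "$user$")` while the line is already being touched avoids that.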
diff --git a/detections/endpoint/windows_process_execution_from_rdp_share.yml b/detections/endpoint/windows_process_execution_from_rdp_share.yml
index b7054f0f7f..bf9b8b615d 100644
--- a/detections/endpoint/windows_process_execution_from_rdp_share.yml
+++ b/detections/endpoint/windows_process_execution_from_rdp_share.yml
@@ -1,7 +1,7 @@
name: Windows Process Execution From RDP Share
id: 6b1b84c4-3834-4dee-b062-9b79bdb31d15
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ executed $process$ from RDP share on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
index 2c4895236b..81a1753358 100644
--- a/detections/endpoint/windows_process_execution_in_temp_dir.yml
+++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -1,7 +1,7 @@
name: Windows Process Execution in Temp Dir
id: f6fbe929-4187-4ba4-901e-8a34be838443
-version: 9
-date: '2026-03-26'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process $process_name$ running from temp directory- $process_path$ on host- $dest$
risk_objects:
diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
index 90e66dcedb..7321f43824 100644
--- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
+++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection In Non-Service SearchIndexer
id: d131673f-ede1-47f2-93a1-0108d3e7fafd
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An uncommon non-service searchindexer.exe process on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
index da586b5500..5a0d8daa88 100644
--- a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
+++ b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection into Commonly Abused Processes
id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: 0xC0FFEEEE, Github Community
type: Anomaly
status: production
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.
risk_objects:
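Review bot: The new `latest_offset: 0` is a YAML integer, unlike the string `earliest_offset: 7d` on the line above; quote it as `latest_offset: '0'` so both offsets are the same type regardless of whether the schema coerces numbers. It would also be worth verifying in ES that an unsigned `7d` resolves to seven days before the notable time rather than after it, since the drilldown name promises "the last 7 days" and nothing in the YAML asserts the direction.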
diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml
index 68e90da6e6..7676a4a0b7 100644
--- a/detections/endpoint/windows_process_injection_into_notepad.yml
+++ b/detections/endpoint/windows_process_injection_into_notepad.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection into Notepad
id: b8340d0f-ba48-4391-bea7-9e793c5aae36
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $SourceImage$ injecting into $TargetImage$ was identified on endpoint $dest$.
risk_objects:
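Review bot: `latest_offset: 0` and `earliest_offset: 7d` now have different YAML types (int versus string); if the contentctl model declares these as `str`, the int may be rejected or re-emitted unexpectedly, so `latest_offset: '0'` is the safer spelling. Separately, confirm that ES treats the unsigned `7d` as a lookback — Splunk relative-time syntax usually needs an explicit `-`, and a forward offset here would make the risk pivot return nothing without any visible failure.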
diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
index 5c465e4645..7ef03d8f5e 100644
--- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
+++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection Of Wermgr to Known Browser
id: aec755a5-3a2c-4be0-ab34-6540e68644e9
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wermgr.exe process $SourceImage$ create a remote thread to a browser process $TargetImage$ in host $dest$
risk_objects:
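Review bot: The added `latest_offset: 0` is a bare integer while `earliest_offset: 7d` is a string; for a schema that types offsets as strings, quote it (`latest_offset: '0'`) to avoid a validation or serialization mismatch. Please also confirm how ES interprets an unsigned `7d` in `earliest_offset` (seconds before the event, relative-time string, or forward offset) — a misread would silently turn this "last 7 days" pivot into an empty or wrong window.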
diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml
index 1518b5d8b4..b1578f547b 100644
--- a/detections/endpoint/windows_process_injection_remote_thread.yml
+++ b/detections/endpoint/windows_process_injection_remote_thread.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection Remote Thread
id: 8a618ade-ca8f-4d04-b972-2d526ba59924
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $SourceImage$ created a remote thread in target process $TargetImage$ on host $dest$
risk_objects:
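Review bot: `latest_offset: 0` is parsed as an integer and `earliest_offset: 7d` as a string; if the contentctl drilldown model expects strings, the int may not validate, so prefer `latest_offset: '0'`. Also confirm in ES that unsigned `7d` means seven days before the notable time — Splunk relative-time modifiers normally carry a sign, and the drilldown name asserts a 7-day lookback that the YAML itself cannot guarantee. Removing `starthoursago=168` is sound, since that in-search filter was previously clipped to the notable's own search window.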
diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
index 4eebf3222e..7d3ea6cf53 100644
--- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml
+++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
@@ -1,7 +1,7 @@
name: Windows Process Injection Wermgr Child Process
id: 360ae6b0-38b5-4328-9e2b-bc9436cddb17
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wermgr parent process has a child process $process_name$ on $dest$
risk_objects:
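Review bot: The new `latest_offset: 0` is an integer while the sibling `earliest_offset: 7d` is a string; quote it as `latest_offset: '0'` so the two offsets share a type and survive any string-typed schema. It is also worth verifying that ES reads the unsigned `7d` as a lookback rather than a forward offset, otherwise this "last 7 days" risk pivot would silently return the wrong window.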
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index 6507473990..6483a3d89b 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -1,7 +1,7 @@
name: Windows Process With NamedPipe CommandLine
id: e64399d4-94a8-11ec-a9da-acde48001122
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process with named pipe in $process$ on $dest$
risk_objects:
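Review bot: `latest_offset: 0` is a YAML integer and `earliest_offset: 7d` a string; if the contentctl model types both as `str`, the int may fail validation, so `latest_offset: '0'` is preferable. Please confirm how ES interprets an unsigned `7d` in this field — Splunk relative-time syntax usually needs an explicit `-7d`, and a misinterpreted direction would make the drilldown empty without any error surfacing.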
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
index 2db5e95978..9afccc0116 100644
--- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -1,7 +1,7 @@
name: Windows Process With NetExec Command Line Parameters
id: adbff89c-c1f2-4a2e-88a4-b5e645856510
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick, Github Community
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate processes on $dest$
search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name$'
earliest_offset: $info_min_time$
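Review bot: The added `latest_offset: 0` is a bare integer while `earliest_offset: 7d` is a string; quote it (`latest_offset: '0'`) so both offsets are strings if the schema expects that. Please also confirm ES treats the unsigned `7d` as a lookback rather than a forward offset, since the drilldown name promises "the last 7 days". While here, the unchanged `Investigate processes` drilldown below uses the older `datamodel:Endpoint.Processes` form and an unquoted `dest=$dest$`, unlike the quoted `IN ("$dest$","$user$")` in the risk search; a host name with special characters would break that search, so `dest="$dest$" process_name="$process_name$"` would be more robust.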
diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
index 5dce47c714..7ffdd21fcc 100644
--- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
+++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
@@ -1,7 +1,7 @@
name: Windows Processes Killed By Industroyer2 Malware
id: d8bea5ca-9d4a-4249-8b56-64a619109835
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process was terminated $process_name$ on $dest$
risk_objects:
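Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is a string; for a string-typed drilldown schema this is a validation or serialization risk, so prefer `latest_offset: '0'`. Also confirm that ES interprets an unsigned `7d` as seven days before the notable time — a forward offset here would silently make this "last 7 days" pivot return nothing.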
diff --git a/detections/endpoint/windows_product_key_registry_query.yml b/detections/endpoint/windows_product_key_registry_query.yml
index 85d22d9cc2..26ea080a20 100644
--- a/detections/endpoint/windows_product_key_registry_query.yml
+++ b/detections/endpoint/windows_product_key_registry_query.yml
@@ -1,7 +1,7 @@
name: Windows Product Key Registry Query
id: 977da0c0-c7d5-45de-8b7e-f79e959ca13d
-version: 1
-date: '2026-03-03'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$process_name$] attempting to access the registry path [$object_file_path$] on [$dest$].
risk_objects:
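Review bot: The new `latest_offset: 0` is a YAML integer and the sibling `earliest_offset: 7d` a string; quote the zero (`latest_offset: '0'`) so the pair shares a type whatever the contentctl model declares. Please also verify in ES that the unsigned `7d` is read as a lookback — Splunk relative-time modifiers normally carry an explicit sign, and the drilldown name asserts a 7-day window that the YAML itself does not guarantee.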
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index 6cff9ab9a2..acb5381633 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -1,7 +1,7 @@
name: Windows Protocol Tunneling with Plink
id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to tunnel to a remote destination.
risk_objects:
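Review bot: `latest_offset: 0` is an integer while `earliest_offset: 7d` is a string; if the drilldown model types offsets as strings the int may be rejected, so `latest_offset: '0'` is the safer form. Confirm as well how ES interprets an unsigned `7d` here (lookback versus forward offset) — a wrong direction would make this "last 7 days" risk pivot empty with no visible error. Dropping `starthoursago=168` is correct since that filter was bounded by the outer notable window anyway.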
diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml
index 5d0f788be4..23bffb36a7 100644
--- a/detections/endpoint/windows_proxy_via_netsh.yml
+++ b/detections/endpoint/windows_proxy_via_netsh.yml
@@ -1,7 +1,7 @@
name: Windows Proxy Via Netsh
id: c137bfe8-6036-4cff-b77b-4e327dd0a1cf
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process $process_name$ has launched netsh with command-line $process$ on $dest$.
risk_objects:
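Review bot: The added `latest_offset: 0` parses as an integer, unlike `earliest_offset: 7d` on the line above; quote it as `latest_offset: '0'` to keep both offsets strings for a string-typed schema. It is also worth confirming that ES reads the unsigned `7d` as seven days before the event rather than after, since the drilldown name promises "the last 7 days".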
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index 5c3f8da22b..378cdcca11 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -1,7 +1,7 @@
name: Windows Proxy Via Registry
id: 0270455b-1385-4579-9ac5-e77046c508ae
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification for port proxy in$dest$
risk_objects:
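Review bot: `latest_offset: 0` is a bare YAML integer while `earliest_offset: 7d` is a string; for a contentctl model that types these as `str`, prefer `latest_offset: '0'`. Please also confirm that ES interprets the unsigned `7d` as a lookback — a forward offset would silently make this "last 7 days" pivot return the wrong window. While here, the unchanged rba message `A registry modification for port proxy in$dest$` is missing a space before `$dest$` and could read `A registry modification for port proxy on $dest$`.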
diff --git a/detections/endpoint/windows_pstools_recon_usage.yml b/detections/endpoint/windows_pstools_recon_usage.yml
index 6ca85fed1c..0ea3147695 100644
--- a/detections/endpoint/windows_pstools_recon_usage.yml
+++ b/detections/endpoint/windows_pstools_recon_usage.yml
@@ -1,7 +1,7 @@
name: Windows PsTools Recon Usage
id: 9a5f4b3e-1d2b-4c6f-9a8e-3b7d2f5c1a6e
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali
status: production
type: Anomaly
@@ -87,9 +87,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: PsTools binary $process_name$ was executed on host $dest$.
risk_objects:
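Review bot: The new `latest_offset: 0` is an integer and `earliest_offset: 7d` a string; quote the zero (`latest_offset: '0'`) so both offsets share a type if the schema expects strings. Also verify in ES that an unsigned `7d` resolves to seven days before the notable time — Splunk relative-time syntax usually carries an explicit `-`, and a misread here would make the drilldown empty without any error.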
diff --git a/detections/endpoint/windows_pua_named_pipe.yml b/detections/endpoint/windows_pua_named_pipe.yml
index 2e3287107b..ba4c138b59 100644
--- a/detections/endpoint/windows_pua_named_pipe.yml
+++ b/detections/endpoint/windows_pua_named_pipe.yml
@@ -1,7 +1,7 @@
name: Windows PUA Named Pipe
id: 95b11d20-e2c6-46a5-b526-8629f5f0860a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ located in $process_path$ was identified on endpoint $dest$ accessing known named pipe $pipe_name$ from a potentially unwanted application in your environment.
risk_objects:
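Review bot: `latest_offset: 0` is parsed as an integer while `earliest_offset: 7d` is a string; if the drilldown model declares offsets as strings the int may fail validation, so prefer `latest_offset: '0'`. Please confirm how ES interprets an unsigned `7d` (lookback versus forward offset) — the drilldown name asserts "the last 7 days" but nothing in the YAML guarantees the direction.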
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
index 8bdde603b4..8b50b87c55 100644
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml
+++ b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -1,7 +1,7 @@
name: Windows Query Registry Browser List Application
id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process accessing installed default browser registry on $dest$
risk_objects:
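Review bot: The added `latest_offset: 0` is a YAML integer, unlike the string `earliest_offset: 7d` above it; quote it as `latest_offset: '0'` so the two offsets match in type for a string-typed schema. It would also be worth verifying that ES reads the unsigned `7d` as a lookback rather than a forward offset, otherwise this "last 7 days" risk pivot silently returns the wrong window.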
diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
index 78a5112b81..5e580d7635 100644
--- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml
+++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
@@ -1,7 +1,7 @@
name: Windows Query Registry UnInstall Program List
id: 535fd4fc-7151-4062-9d7e-e896bea77bf6
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process $process_name$ accessing uninstall registry on $dest$
risk_objects:
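Review bot: `latest_offset: 0` is a bare integer while `earliest_offset: 7d` is a string; for a contentctl model that types these as `str`, `latest_offset: '0'` avoids a validation or serialization mismatch. Please also confirm in ES that an unsigned `7d` means seven days before the notable time — Splunk relative-time modifiers normally need an explicit sign, and a wrong direction here would produce an empty drilldown with no error.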
diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
index dcb3d50c79..0e5c97596d 100644
--- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
+++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Raccine Scheduled Task Deletion
id: c9f010da-57ab-11ec-82bd-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to disable Raccines scheduled task.
risk_objects:
diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
index ae0a9cbfbd..a2da7e36f2 100644
--- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
name: Windows Rapid Authentication On Multiple Hosts
id: 62606c77-d53d-4182-9371-b02cdbbbcef7
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$host_targets$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host_targets$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The source computer with ip address $IpAddress$ authenticated to a large number of remote endpoints within 5 minutes.
risk_objects:
diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml
index 3a4e34b279..94aad54bce 100644
--- a/detections/endpoint/windows_rasautou_dll_execution.yml
+++ b/detections/endpoint/windows_rasautou_dll_execution.yml
@@ -1,7 +1,7 @@
name: Windows Rasautou DLL Execution
id: 6f42b8be-8e96-11ec-ad5a-acde48001122
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to load a DLL in a suspicious manner.
risk_objects:
diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
index afc6672a28..3480d92c66 100644
--- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
+++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
@@ -1,7 +1,7 @@
name: Windows Raw Access To Disk Volume Partition
id: a85aa37e-9647-11ec-90c5-acde48001122
-version: 11
-date: '2026-03-16'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process accessing disk partition $Device$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
index 1a89a163a5..934cd39f06 100644
--- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
+++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
@@ -1,7 +1,7 @@
name: Windows Raw Access To Master Boot Record Drive
id: 7b83f666-900c-11ec-a2d9-acde48001122
-version: 11
-date: '2026-03-16'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process accessing MBR $Device$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml b/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml
index c078ad9196..7c9ecc0ec8 100644
--- a/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml
+++ b/detections/endpoint/windows_rdp_automaticdestinations_deletion.yml
@@ -1,7 +1,7 @@
name: Windows Rdp AutomaticDestinations Deletion
id: e40a40a1-9fea-4554-abdf-b164422f0627
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file related to rdp automatic destination folder has been deleted on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml b/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml
index 59617345dc..b34b0d98af 100644
--- a/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml
+++ b/detections/endpoint/windows_rdp_bitmap_cache_file_creation.yml
@@ -1,7 +1,7 @@
name: Windows RDP Bitmap Cache File Creation
id: 5f8671b6-07a7-425d-b3da-c39a53f2a6ae
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A rdp bitmap cache has been identified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_cache_file_deletion.yml b/detections/endpoint/windows_rdp_cache_file_deletion.yml
index 4829e85f2a..362c18163d 100644
--- a/detections/endpoint/windows_rdp_cache_file_deletion.yml
+++ b/detections/endpoint/windows_rdp_cache_file_deletion.yml
@@ -1,7 +1,7 @@
name: Windows RDP Cache File Deletion
id: f3e86ff3-b1f9-4382-8924-6913385f1019
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a file related to rdp connection cached has been deleted on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml b/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml
index 579e617fa4..c4c6029bfe 100644
--- a/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml
+++ b/detections/endpoint/windows_rdp_client_launched_with_admin_session.yml
@@ -1,7 +1,7 @@
name: Windows RDP Client Launched with Admin Session
id: 1af84ac8-05ea-4f11-8541-b2d1e45a7744
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a rdp client launched with admin session on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_file_execution.yml b/detections/endpoint/windows_rdp_file_execution.yml
index 2af82f9fc1..7859310667 100644
--- a/detections/endpoint/windows_rdp_file_execution.yml
+++ b/detections/endpoint/windows_rdp_file_execution.yml
@@ -1,7 +1,7 @@
name: Windows RDP File Execution
id: 0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows RDP client attempted to execute an RDP file from a temporary directory, downloads directory, or Outlook directories on the endpoint $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_login_session_was_established.yml b/detections/endpoint/windows_rdp_login_session_was_established.yml
index 78f8febc36..cdf7842f38 100644
--- a/detections/endpoint/windows_rdp_login_session_was_established.yml
+++ b/detections/endpoint/windows_rdp_login_session_was_established.yml
@@ -1,7 +1,7 @@
name: Windows RDP Login Session Was Established
id: 00ca7f9e-88ab-4841-a6c2-83979ab1ed29
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: RDP Login Session was established on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_server_registry_deletion.yml b/detections/endpoint/windows_rdp_server_registry_deletion.yml
index f1bf229b4b..36e746c9af 100644
--- a/detections/endpoint/windows_rdp_server_registry_deletion.yml
+++ b/detections/endpoint/windows_rdp_server_registry_deletion.yml
@@ -1,7 +1,7 @@
name: Windows RDP Server Registry Deletion
id: 1a058296-7c68-4d66-9560-464764d6e26c
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The registry was deleted on dest $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_rdp_server_registry_entry_created.yml b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
index 53ebd80a8d..b3043cd197 100644
--- a/detections/endpoint/windows_rdp_server_registry_entry_created.yml
+++ b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
@@ -1,7 +1,7 @@
name: Windows RDP Server Registry Entry Created
id: 61f10919-c360-4e56-9cda-f1f34500cfda
-version: 2
-date: '2026-03-12'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: RDP related registry key $registry_key_name$ created on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
index f96c41414b..8691f5e608 100644
--- a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
+++ b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
@@ -1,7 +1,7 @@
name: Windows RDPClient Connection Sequence Events
id: 67340df1-3f1d-4470-93c8-9ac7249d11b0
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows RDP client initiated a connection sequence event (EventCode 1024) on host $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml
index e3e3271443..458dc7e111 100644
--- a/detections/endpoint/windows_registry_bootexecute_modification.yml
+++ b/detections/endpoint/windows_registry_bootexecute_modification.yml
@@ -1,7 +1,7 @@
name: Windows Registry BootExecute Modification
id: eabbac3a-45aa-4659-920f-6b8cff383fb8
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Registry BootExecute value was modified on $dest$ and should be reviewed immediately.
risk_objects:
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index 06541d3568..36924de944 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -1,7 +1,7 @@
name: Windows Registry Certificate Added
id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Teodeerick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A root certificate was added on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index be9b0577be..d26683ad38 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -1,7 +1,7 @@
name: Windows Registry Delete Task SD
id: ffeb7893-ff06-446f-815b-33ca73224e92
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A scheduled task security descriptor $registry_path$ was deleted from the registry on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
index 6d4b1f606d..9cdc14ef30 100644
--- a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
+++ b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
@@ -1,7 +1,7 @@
name: Windows Registry Dotnet ETW Disabled Via ENV Variable
id: 55502381-5cce-491b-9277-7cb1d10bc0df
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Modified registry entry $registry_path$ in $dest$
risk_objects:
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 275de377f1..feaa1e488f 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -1,7 +1,7 @@
name: Windows Registry Modification for Safe Mode Persistence
id: c6149154-c9d8-11eb-9da7-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Michael Haag, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Safeboot registry $registry_path$ was added or modified with a new value $registry_value_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml
index 56ebd82b35..e792bd4208 100644
--- a/detections/endpoint/windows_registry_payload_injection.yml
+++ b/detections/endpoint/windows_registry_payload_injection.yml
@@ -1,7 +1,7 @@
name: Windows Registry Payload Injection
id: c6b2d80f-179a-41a1-b95e-ce5601d7427a
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process added a suspicious length of registry data on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml
index 96f82712df..20a6325e52 100644
--- a/detections/endpoint/windows_registry_sip_provider_modification.yml
+++ b/detections/endpoint/windows_registry_sip_provider_modification.yml
@@ -1,7 +1,7 @@
name: Windows Registry SIP Provider Modification
id: 3b4e18cb-497f-4073-85ad-1ada7c2107ab
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows Registry SIP Provider Modification detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml
index 05c3046ddc..9009c9e662 100644
--- a/detections/endpoint/windows_regsvr32_renamed_binary.yml
+++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml
@@ -1,7 +1,7 @@
name: Windows Regsvr32 Renamed Binary
id: 7349a9e9-3cf6-4171-bb0c-75607a8dcd1a
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: regsvr32 was renamed as $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
index bd2e997ffd..c42ee89d20 100644
--- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
+++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
@@ -1,7 +1,7 @@
name: Windows Remote Access Software BRC4 Loaded Dll
id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $Image$ loaded several modules $ImageLoaded$ that might related to credential access on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml
index 9220da5dd3..93d40ddd9c 100644
--- a/detections/endpoint/windows_remote_access_software_rms_registry.yml
+++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml
@@ -1,7 +1,7 @@
name: Windows Remote Access Software RMS Registry
id: e5b7b5a9-e471-4be8-8c5d-4083983ba329
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry related to RMS tool is created on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml
index b76e3ac87f..607a0e44e2 100644
--- a/detections/endpoint/windows_remote_assistance_spawning_process.yml
+++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml
@@ -1,7 +1,7 @@
name: Windows Remote Assistance Spawning Process
id: ced50492-8849-11ec-9f68-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, generating behavior not common with msra.exe.
risk_objects:
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index aceb557416..660406bcce 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -1,7 +1,7 @@
name: Windows Remote Create Service
id: 0dc44d03-8c00-482d-ba7c-796ba7ab18c9
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to create a remote service.
risk_objects:
diff --git a/detections/endpoint/windows_remote_host_computer_management_access.yml b/detections/endpoint/windows_remote_host_computer_management_access.yml
index 6a779a4c34..3c80c4eea5 100644
--- a/detections/endpoint/windows_remote_host_computer_management_access.yml
+++ b/detections/endpoint/windows_remote_host_computer_management_access.yml
@@ -1,7 +1,7 @@
name: Windows Remote Host Computer Management Access
id: 455da527-0047-4610-a3ca-b4a005c2d346
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a computer management process command $process$ executed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml
index 65eced8c04..63f8182d5f 100644
--- a/detections/endpoint/windows_remote_management_execute_shell.yml
+++ b/detections/endpoint/windows_remote_management_execute_shell.yml
@@ -1,7 +1,7 @@
name: Windows Remote Management Execute Shell
id: 28b80028-851d-4b8d-88a5-375ba115418a
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 1
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a winrm remote proces [$parent_process_name$] execute [$process_name$] shell on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
index 9fd087dc41..e73b196591 100644
--- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
+++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
@@ -1,7 +1,7 @@
name: Windows Remote Service Rdpwinst Tool Execution
id: c8127f87-c7c9-4036-89ed-8fe4b30e678c
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Rdpwinst.exe executed on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
index d16471bc9f..5ae3e2f600 100644
--- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
+++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
@@ -1,7 +1,7 @@
name: Windows Remote Services Allow Rdp In Firewall
id: 9170cb54-ea15-41e1-9dfc-9f3363ce9b02
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: new firewall rules was added to allow rdp connection to $dest$
risk_objects:
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index a9e5e129b0..33e58579b7 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -1,7 +1,7 @@
name: Windows Remote Services Allow Remote Assistance
id: 9bce3a97-bc97-4e89-a1aa-ead151c82fbb
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for rdp protocol was modified to enable on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
index 44e79b8609..fce280b08b 100644
--- a/detections/endpoint/windows_remote_services_rdp_enable.yml
+++ b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -1,7 +1,7 @@
name: Windows Remote Services Rdp Enable
id: 8fbd2e88-4ea5-40b9-9217-fd0855e08cc0
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: the registry for rdp protocol was modified to enable on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_renamed_powershell_execution.yml b/detections/endpoint/windows_renamed_powershell_execution.yml
index 4e2a139dfb..d390b1f409 100644
--- a/detections/endpoint/windows_renamed_powershell_execution.yml
+++ b/detections/endpoint/windows_renamed_powershell_execution.yml
@@ -1,7 +1,7 @@
name: Windows Renamed Powershell Execution
id: c08014de-cc5a-42de-9775-76ecd5b37bbd
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: powershell was renamed as $process_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
index 40b0dc3cc3..b553aa6f51 100644
--- a/detections/endpoint/windows_replication_through_removable_media.yml
+++ b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -1,7 +1,7 @@
name: Windows Replication Through Removable Media
id: 60df805d-4605-41c8-bbba-57baa6a4eb97
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: executable or script $file_path$ was dropped in root drive $root_drive$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_rmm_named_pipe.yml b/detections/endpoint/windows_rmm_named_pipe.yml
index a20f62a3da..6c0d31805f 100644
--- a/detections/endpoint/windows_rmm_named_pipe.yml
+++ b/detections/endpoint/windows_rmm_named_pipe.yml
@@ -1,7 +1,7 @@
name: Windows RMM Named Pipe
id: c07c7138-edf5-4a16-8b24-3842599235bf
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ located in $process_path$ was identified on endpoint $dest$ accessing known RMM named pipe $pipe_name$.
risk_objects:
diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
index 11510ebd27..b70d58772f 100644
--- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
+++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Root Domain linked policies Discovery
id: 80ffaede-1f12-49d5-a86e-b4b599b68b3c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows PowerShell [Adsisearcher] was used user enumeration on endpoint $dest$
risk_objects:
diff --git a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml
index dceaedc702..3b27870a36 100644
--- a/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml
+++ b/detections/endpoint/windows_routing_and_remote_access_service_registry_key_change.yml
@@ -1,7 +1,7 @@
name: Windows Routing and Remote Access Service Registry Key Change
id: a93df51e-e612-40b7-a105-33e288160575
-version: 1
-date: '2026-03-24'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Routing and Remote Access Service registry key [$registry_path$] was modified with the value [$registry_value_data$] by [$user$] on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
index 76a324215b..80b834c329 100644
--- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
+++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
@@ -1,7 +1,7 @@
name: Windows Rundll32 Apply User Settings Changes
id: b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ with cmdline $process$ in host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_rundll32_execution_with_log_dll.yml b/detections/endpoint/windows_rundll32_execution_with_log_dll.yml
index 2ef702b2ac..d07d8898f5 100644
--- a/detections/endpoint/windows_rundll32_execution_with_log_dll.yml
+++ b/detections/endpoint/windows_rundll32_execution_with_log_dll.yml
@@ -1,7 +1,7 @@
name: Windows Rundll32 Execution With Log.DLL
id: f9593331-804c-4268-8b4c-2693c5ae786c
-version: 1
-date: '2026-03-13'
+version: 2
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Rundll32 loaded log.dll on $dest$ by user $user$, indicating potential Lotus Blossom-style DLL side loading abuse.
risk_objects:
diff --git a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
index c7fc1b0069..d21f8e097f 100644
--- a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
+++ b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
@@ -1,7 +1,7 @@
name: Windows Rundll32 Load DLL in Temp Dir
id: 520da6fa-7d5d-4a3b-9c61-1087517b8d0f
-version: 4
-date: '2026-03-12'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $parent_process_name$ spawned $process_name$ with a DLL from a temporary directory
risk_objects:
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
index a5eefa9afc..28de12829f 100644
--- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
+++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -1,7 +1,7 @@
name: Windows Rundll32 WebDav With Network Connection
id: f03355e0-28b5-4e9b-815a-6adffc63b38c
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to contact a remote WebDav server.
risk_objects:
diff --git a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml
index 9c006d063c..dd2bc83a37 100644
--- a/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml
+++ b/detections/endpoint/windows_rundll32_with_non_standard_file_extension.yml
@@ -1,7 +1,7 @@
name: Windows Rundll32 with Non-Standard File Extension
id: f52b55ce-41ad-4802-9909-fbd7cc8410a5
-version: 1
-date: '2026-03-27'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -111,9 +111,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of [$parent_process_path] launched [$process_name$] loading a non-standard DLL extension [$process$] in host [$dest$]
risk_objects:
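Review bot: The context line `message: An instance of [$parent_process_path] launched ...` appears to be missing the closing `$` on the first token, so it will likely render literally instead of substituting the field value; the other tokens on the same line use the `$name$` form. Since this file is being re-versioned anyway, `[$parent_process_path$]` could be fixed in the same bump. This is a pre-existing line, not something the hunk introduces.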
diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml
index 1a583110f3..b3cfc403ce 100644
--- a/detections/endpoint/windows_runmru_command_execution.yml
+++ b/detections/endpoint/windows_runmru_command_execution.yml
@@ -1,7 +1,7 @@
name: Windows RunMRU Command Execution
id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $registry_value_data$ was identified on endpoint $dest$ by user $user$ attempting to execute a command through the Run dialog box.
risk_objects:
diff --git a/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml b/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml
index 26441a890e..226b2a5944 100644
--- a/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml
+++ b/detections/endpoint/windows_runmru_registry_key_or_value_deleted.yml
@@ -1,7 +1,7 @@
name: Windows RunMRU Registry Key or Value Deleted
id: e651795f-b2c9-4a84-a18a-b901018a3bfa
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A most recent used entry was deleted on $dest$ within the Windows registry.
risk_objects:
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index a839112c1d..d3f80b89e9 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task Created Via XML
id: 7e03b682-3965-4598-8e91-a60a40a3f7e4
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A scheduled task was created via $process$, based on an XML file by user $user$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml
index 2c6dfde7f6..21200273cf 100644
--- a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml
+++ b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task DLL Module Loaded
id: bc5b2304-f241-419b-874a-e927f667b7b6
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 7
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A taskschd.dll was loaded by a process - [$Image$] on [$dest$]
risk_objects:
diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
index 7c4ff4e7b7..515a038054 100644
--- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
+++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task Service Spawned Shell
id: d8120352-3b62-4e3c-8cb6-7b47584dd5e8
-version: 10
-date: '2026-03-18'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -67,9 +67,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A windows scheduled task spawned the shell application $process_name$ on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
index 1790900458..7c529eacb8 100644
--- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
+++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task with Highest Privileges
id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $process_name$ process created a scheduled task $process$ with highest run level privilege on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
index 9be0efc8b5..55673814fa 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task with Suspicious Command
id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate schedule tasks on $dest$
search: '`wineventlog_security` EventCode IN (4698,4700,4702) Computer="$dest$" Caller_User_Name="$user$"'
earliest_offset: $info_min_time$
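Review bot: With `latest_offset: 0` the risk-event drilldown now ends at the notable's trigger time, so risk events for `$dest$` or `$user$` that land after this task-creation event are no longer visible from this drilldown, whereas the old `$info_max_time$` bound ran to the end of the search window; the analyst loses the follow-on context that is usually the interesting part of a scheduled-task persistence investigation. If that is intended, the drilldown name should say so (`View risk events for the 7 days before this event for - "$dest$" and "$user$"`); otherwise a small positive bound such as `latest_offset: 1h` keeps the trailing context. This assumes ES interprets these offsets relative to the event time rather than to now, which the surrounding lines do not show — worth confirming against the drilldown offset documentation.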
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
index f1e05608e2..32430275a9 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Task with Suspicious Name
id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate schedule tasks on $dest$
search: '`wineventlog_security` EventCode IN (4698,4700,4702) | xmlkv TaskContent | search dest="$dest$" AND TaskName = "$TaskName$"'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml
index 69f7cae852..4a7d1fd115 100644
--- a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml
+++ b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml
@@ -1,7 +1,7 @@
name: Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
id: feb43b86-8c38-46cd-865e-20ce8a96c26c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Windows Event Log Security 4698
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A schedule task created for CompMgmtLauncher or Eventvwr on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
index f65c9eead0..40e28ff749 100644
--- a/detections/endpoint/windows_schtasks_create_run_as_system.yml
+++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -1,7 +1,7 @@
name: Windows Schtasks Create Run As System
id: 41a0e58e-884c-11ec-9976-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.
risk_objects:
diff --git a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml
index ad4bf294d9..d4d5132640 100644
--- a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml
+++ b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml
@@ -1,7 +1,7 @@
name: Windows ScManager Security Descriptor Tampering Via Sc.EXE
id: 04023928-0381-4935-82cb-03372b2ef644
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: TTP
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
index 0ede20529b..ae9ab0256b 100644
--- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml
+++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml
@@ -1,7 +1,7 @@
name: Windows Screen Capture in TEMP folder
id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 11
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A screen capture named as $file_name$ was created on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml
index 4f6958fa59..2a27361907 100644
--- a/detections/endpoint/windows_screen_capture_via_powershell.yml
+++ b/detections/endpoint/windows_screen_capture_via_powershell.yml
@@ -1,7 +1,7 @@
name: Windows Screen Capture Via Powershell
id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A PowerShell script was identified possibly performing screen captures on $dest$.
risk_objects:
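Review bot: The rewritten risk drilldown filters on `normalized_risk_object IN ("$Computer$")` while the rba message two lines below, and every other drilldown in this change, key on `$dest$`; if the detection's result rows carry `dest` rather than `Computer`, the token expands to an empty string and the drilldown silently returns no risk events, which is worse than an error because it looks like a clean host. Aligning it to `normalized_risk_object IN ("$dest$")`, with the name changed to `View risk events for the last 7 days for - "$dest$"`, matches the rest of the patch. The `risk_objects` block that determines which field is actually scored lies below the hunk, so this is inferred from the message text rather than confirmed.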
diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml
index 0ed3ae9d79..b4e1156dd2 100644
--- a/detections/endpoint/windows_security_account_manager_stopped.yml
+++ b/detections/endpoint/windows_security_account_manager_stopped.yml
@@ -1,7 +1,7 @@
name: Windows Security Account Manager Stopped
id: 69c12d59-d951-431e-ab77-ec426b8d65e6
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rod Soto, Jose Hernandez, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$'
risk_objects:
diff --git a/detections/endpoint/windows_security_and_backup_services_stop.yml b/detections/endpoint/windows_security_and_backup_services_stop.yml
index 2fa4aebba7..aab3616b8b 100644
--- a/detections/endpoint/windows_security_and_backup_services_stop.yml
+++ b/detections/endpoint/windows_security_and_backup_services_stop.yml
@@ -1,7 +1,7 @@
name: Windows Security And Backup Services Stop
id: 9c24aef6-cad9-4931-acce-74318aa5663b
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Known services $display_name$ terminated by a potential ransomware on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml
index 4f5f7cb668..496dedd862 100644
--- a/detections/endpoint/windows_security_support_provider_reg_query.yml
+++ b/detections/endpoint/windows_security_support_provider_reg_query.yml
@@ -1,7 +1,7 @@
name: Windows Security Support Provider Reg Query
id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process with reg query command line $process$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
index 316ccb29cd..49e3820359 100644
--- a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
+++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml
@@ -1,7 +1,7 @@
name: Windows Sensitive Group Discovery With Net
id: d9eb7cda-5622-4722-bc88-7f2442f4b5af
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Elevated domain group discovery enumeration on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
index 3a9a72cca9..d6f638940d 100644
--- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
+++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
@@ -1,7 +1,7 @@
name: Windows Sensitive Registry Hive Dump Via CommandLine
id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious use of `reg.exe` exporting Windows Registry hives containing credentials executed on $dest$ by user $user$, with a parent process of $parent_process_id$
risk_objects:
diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
index 67fd95ab6e..ab8b71b845 100644
--- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
+++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
@@ -1,7 +1,7 @@
name: Windows Server Software Component GACUtil Install to GAC
id: 7c025ef0-9e65-4c57-be39-1c13dbb1613e
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to add a module to the global assembly cache.
risk_objects:
diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
index 5546d476f4..8965917d89 100644
--- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml
+++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml
@@ -1,7 +1,7 @@
name: Windows Service Create Kernel Mode Driver
id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb
-version: 11
-date: '2026-03-26'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Service control, $process_name$, loaded a new kernel mode driver on $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml
index d2cd3a69a0..e355727961 100644
--- a/detections/endpoint/windows_service_create_remcomsvc.yml
+++ b/detections/endpoint/windows_service_create_remcomsvc.yml
@@ -1,7 +1,7 @@
name: Windows Service Create RemComSvc
id: 0be4b5d6-c449-4084-b945-2392b519c33b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
type: Anomaly
status: production
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A new service was created related to RemCom on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml
index feee7fabdf..1b7bc9f778 100644
--- a/detections/endpoint/windows_service_create_sliverc2.yml
+++ b/detections/endpoint/windows_service_create_sliverc2.yml
@@ -1,7 +1,7 @@
name: Windows Service Create SliverC2
id: 89dad3ee-57ec-43dc-9044-131c4edd663f
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A user mode service was created on $dest$ related to SliverC2.
risk_objects:
diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml
index 41200d45aa..098fc07547 100644
--- a/detections/endpoint/windows_service_create_with_tscon.yml
+++ b/detections/endpoint/windows_service_create_with_tscon.yml
@@ -1,7 +1,7 @@
name: Windows Service Create with Tscon
id: c13b3d74-6b63-4db5-a841-4206f0370077
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to hijack a RDP session.
risk_objects:
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
index 900b25ab59..6bcfe72cab 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml
@@ -1,7 +1,7 @@
name: Windows Service Created with Suspicious Service Name
id: 35eb6d19-a497-400c-93c5-645562804b11
-version: 7
-date: '2026-03-26'
+version: 8
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate service events on $dest$
search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
index 023a631983..b58b216381 100644
--- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
+++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml
@@ -1,7 +1,7 @@
name: Windows Service Created with Suspicious Service Path
id: 429141be-8311-11eb-adb6-acde48001122
-version: 18
-date: '2026-03-26'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service $ImagePath$ was created from a non-standard path using $ServiceName$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
index abdfa6a5d5..c7b232b22d 100644
--- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
name: Windows Service Creation on Remote Endpoint
id: e0eea4fa-4274-11ec-882b-3e22fbd008af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows Service was created on a remote endpoint from $dest$
risk_objects:
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index 524a44871e..1b164e1f6b 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -1,7 +1,7 @@
name: Windows Service Creation Using Registry Entry
id: 25212358-948e-11ec-ad47-acde48001122
-version: 18
-date: '2026-03-26'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows Service was created on a endpoint from $dest$ using a registry entry
risk_objects:
diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml
index 85f3ee4a76..5b6765433a 100644
--- a/detections/endpoint/windows_service_deletion_in_registry.yml
+++ b/detections/endpoint/windows_service_deletion_in_registry.yml
@@ -1,7 +1,7 @@
name: Windows Service Deletion In Registry
id: daed6823-b51c-4843-a6ad-169708f1323e
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service was deleted on $dest$ within the Windows registry.
risk_objects:
diff --git a/detections/endpoint/windows_service_execution_remcom.yml b/detections/endpoint/windows_service_execution_remcom.yml
index 46e6a33054..0c40edfcff 100644
--- a/detections/endpoint/windows_service_execution_remcom.yml
+++ b/detections/endpoint/windows_service_execution_remcom.yml
@@ -1,7 +1,7 @@
name: Windows Service Execution RemCom
id: 7e3d68db-ea4d-419b-adbd-e14a525ecf09
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to move laterally.
risk_objects:
diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
index 6a1c0b8636..2bab345682 100644
--- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
name: Windows Service Initiation on Remote Endpoint
id: 3f519894-4276-11ec-ab02-3e22fbd008af
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Windows Service was started on a remote endpoint from $dest$
risk_objects:
diff --git a/detections/endpoint/windows_service_stop_attempt.yml b/detections/endpoint/windows_service_stop_attempt.yml
index d2e06921e1..7e4d3ec254 100644
--- a/detections/endpoint/windows_service_stop_attempt.yml
+++ b/detections/endpoint/windows_service_stop_attempt.yml
@@ -1,7 +1,7 @@
name: Windows Service Stop Attempt
id: dd0f07ea-f08f-4d88-96e5-cb58156e82b6
-version: 6
-date: '2026-03-26'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Prestige Ransomware
diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml
index b6781aaab0..55bb0f07d1 100644
--- a/detections/endpoint/windows_service_stop_win_updates.yml
+++ b/detections/endpoint/windows_service_stop_win_updates.yml
@@ -1,7 +1,7 @@
name: Windows Service Stop Win Updates
id: 0dc25c24-6fcf-456f-b08b-dd55a183e4de
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Windows update services $service_name$ was being disabled on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
index 219c36a304..1b2aec35c5 100644
--- a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
+++ b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
@@ -1,7 +1,7 @@
name: Windows Set Account Password Policy To Unlimited Via Net
id: 11f93009-8083-43fd-82a7-821fcbdc8342
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ attempting to make non-expiring password on host user accounts.
risk_objects:
diff --git a/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml b/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml
index 4345622b90..c431eff709 100644
--- a/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml
+++ b/detections/endpoint/windows_set_network_profile_category_to_private_via_registry.yml
@@ -1,7 +1,7 @@
name: Windows Set Network Profile Category to Private via Registry
id: b11bb510-97e1-4b7a-b673-887ab228c280
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification that set network profile to private on [$dest$]
risk_objects:
diff --git a/detections/endpoint/windows_sharepoint_spinstall0_webshell_file_creation.yml b/detections/endpoint/windows_sharepoint_spinstall0_webshell_file_creation.yml
index 0f022a8f9c..0bc3776189 100644
--- a/detections/endpoint/windows_sharepoint_spinstall0_webshell_file_creation.yml
+++ b/detections/endpoint/windows_sharepoint_spinstall0_webshell_file_creation.yml
@@ -1,7 +1,7 @@
name: Windows SharePoint Spinstall0 Webshell File Creation
id: 7a0dda67-4cc7-4113-b3bd-b3f1489a98bf
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential SharePoint webshell (spinstall0.aspx) detected on $dest$ related to CVE-2025-53770.
risk_objects:
diff --git a/detections/endpoint/windows_shell_process_from_crushftp.yml b/detections/endpoint/windows_shell_process_from_crushftp.yml
index 46e08a3bc0..f9e1e45545 100644
--- a/detections/endpoint/windows_shell_process_from_crushftp.yml
+++ b/detections/endpoint/windows_shell_process_from_crushftp.yml
@@ -1,7 +1,7 @@
name: Windows Shell Process from CrushFTP
id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible CrushFTP exploitation detected on $dest$ related to CVE-2025-31161.
risk_objects:
diff --git a/detections/endpoint/windows_short_lived_dns_record.yml b/detections/endpoint/windows_short_lived_dns_record.yml
index f1c5cd0da0..aba20c6dff 100644
--- a/detections/endpoint/windows_short_lived_dns_record.yml
+++ b/detections/endpoint/windows_short_lived_dns_record.yml
@@ -1,7 +1,7 @@
name: Windows Short Lived DNS Record
id: d585e253-1859-4170-977d-09376c731f74
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A short-lived DNS object was created and deleted on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
index ed9e83320e..23393eab2f 100644
--- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
+++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
@@ -1,7 +1,7 @@
name: Windows SIP WinVerifyTrust Failed Trust Validation
id: 6ffc7f88-415b-4278-a80d-b957d6539e1a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Failed trust validation via the CryptoAPI 2 on $dest$ for a binary.
risk_objects:
diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
index ac6f1d6c6c..a3cb9825fd 100644
--- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
+++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
@@ -1,7 +1,7 @@
name: Windows Snake Malware File Modification Crmlog
id: 27187e0e-c221-471d-a7bd-04f698985ff6
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A file related to Snake Malware has been identified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
index b2016841d9..4df2ea4bae 100644
--- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
+++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
@@ -1,7 +1,7 @@
name: Windows Snake Malware Kernel Driver Comadmin
id: 628d9c7c-3242-43b5-9620-7234c080a726
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A kernel driver comadmin.dat related to Snake Malware was written to disk on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
index 4214bfe695..89d12affb3 100644
--- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
+++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
@@ -1,7 +1,7 @@
name: Windows Snake Malware Registry Modification wav OpenWithProgIds
id: 13cf8b79-805d-443c-bf52-f55bd7610dfd
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A registry modification related to Snake Malware has been identified on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml
index 8b9ec31e4d..274ffd3cc0 100644
--- a/detections/endpoint/windows_snake_malware_service_create.yml
+++ b/detections/endpoint/windows_snake_malware_service_create.yml
@@ -1,7 +1,7 @@
name: Windows Snake Malware Service Create
id: 64eb091f-8cab-4b41-9b09-8fb4942377df
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A service, WerFaultSvc, was created on $dest$ and is related to Snake Malware.
risk_objects:
diff --git a/detections/endpoint/windows_snappybee_create_test_registry.yml b/detections/endpoint/windows_snappybee_create_test_registry.yml
index 8061196da8..145561db7c 100644
--- a/detections/endpoint/windows_snappybee_create_test_registry.yml
+++ b/detections/endpoint/windows_snappybee_create_test_registry.yml
@@ -1,7 +1,7 @@
name: Windows SnappyBee Create Test Registry
id: 80402396-d78a-4c6e-ade5-7697ea670adf
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a Test registry Entry [$registry_path$] was created on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml
index 35fb6f3490..329e64bb48 100644
--- a/detections/endpoint/windows_soaphound_binary_execution.yml
+++ b/detections/endpoint/windows_soaphound_binary_execution.yml
@@ -1,7 +1,7 @@
name: Windows SOAPHound Binary Execution
id: 8e53f839-e127-4d6d-a54d-a2f67044a57f
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $process_name$ was executed on $dest$ related to SOAPHound.
risk_objects:
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
index 37883fde90..e4c382f885 100644
--- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
@@ -1,7 +1,7 @@
name: Windows Spearphishing Attachment Onenote Spawn Mshta
id: 35aeb0e7-7de5-444a-ac45-24d6788796ec
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Office process $parent_process_name$ observed executing a suspicious child process $process_name$ with process ID $process_id$ on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
index afd0aeb683..2ab32e3deb 100644
--- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
name: Windows Special Privileged Logon On Multiple Hosts
id: 4c461f5a-c2cc-4e86-b132-c262fc9edca7
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
type: TTP
status: production
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'A user $user$ obtained special privileges on a large number of endpoints (Count: $unique_targets$) within 5 minutes.'
risk_objects:
diff --git a/detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml b/detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml
index 8395253d46..6311d7b2b8 100644
--- a/detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml
+++ b/detections/endpoint/windows_speechruntime_com_hijacking_dll_load.yml
@@ -1,7 +1,7 @@
name: Windows SpeechRuntime COM Hijacking DLL Load
id: bd35738c-e93a-4e4f-be24-f6a3680b950a
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Lateral Movement abusing Speech Runtime on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_speechruntime_suspicious_child_process.yml b/detections/endpoint/windows_speechruntime_suspicious_child_process.yml
index 34d34caf04..05716529b6 100644
--- a/detections/endpoint/windows_speechruntime_suspicious_child_process.yml
+++ b/detections/endpoint/windows_speechruntime_suspicious_child_process.yml
@@ -1,7 +1,7 @@
name: Windows SpeechRuntime Suspicious Child Process
id: f7bb956f-b956-42a5-8c2c-ff9cdbbf7526
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible Lateral Movement on $dest$ by abusing SpeechRuntime.
risk_objects:
diff --git a/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml b/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml
index ff093197b4..49a7160e22 100644
--- a/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml
+++ b/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml
@@ -1,7 +1,7 @@
name: Windows SQL Server Critical Procedures Enabled
id: d0434864-b043-41e3-8c08-30e53605e9cb
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Michael Haag, Splunk, sidoyle from Splunk Community
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: SQL Server critical procedure "$config_name$" was $change_type$ on host $dest$, which could indicate an attempt to gain code execution or perform reconnaissance
risk_objects:
diff --git a/detections/endpoint/windows_sql_server_startup_procedure.yml b/detections/endpoint/windows_sql_server_startup_procedure.yml
index 798741294e..b760e6a731 100644
--- a/detections/endpoint/windows_sql_server_startup_procedure.yml
+++ b/detections/endpoint/windows_sql_server_startup_procedure.yml
@@ -1,7 +1,7 @@
name: Windows SQL Server Startup Procedure
id: 7bec7c5c-2262-4adb-ba56-c8028512bc58
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A SQL Server startup procedure "$startup_procedure$" was executed on host $dest$, which could indicate an attempt to establish persistence
risk_objects:
diff --git a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml
index ce4fd7337f..d8ad7893b9 100644
--- a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml
+++ b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml
@@ -1,7 +1,7 @@
name: Windows SQL Server xp_cmdshell Config Change
id: 5eb76fe2-a869-4865-8c4c-8cff424b18b1
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk, sidoyle from Splunk Community
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: View all SQL Server configuration changes on this host in the last 7 days
search: '`wineventlog_application` EventCode=15457 host="$dest$" | rex field=EventData_Xml "(?[^<]+)(?[^<]+)(?[^<]+)" | stats count values(config_name) as "Changed Settings" values(new_value) as "New Values" by _time dest'
earliest_offset: -7d
diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
index 0d8ba6d4e9..0ec5a47093 100644
--- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
+++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
@@ -1,7 +1,7 @@
name: Windows SqlWriter SQLDumper DLL Sideload
id: 2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 7
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $Image$ loading $ImageLoaded$ was detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_ssh_proxy_command.yml b/detections/endpoint/windows_ssh_proxy_command.yml
index ca4480b6a3..8433c5f8ce 100644
--- a/detections/endpoint/windows_ssh_proxy_command.yml
+++ b/detections/endpoint/windows_ssh_proxy_command.yml
@@ -1,7 +1,7 @@
name: Windows SSH Proxy Command
id: ac520039-21f1-4567-b528-5b7133dba76f
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Michael Haag, AJ King, Nasreddine Bencherchali, Splunk, Jesse Hunter, Splunk Community Contributor
status: production
type: Anomaly
@@ -66,9 +66,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process execution $process$ detected through SSH $parent_process$ on $dest$ by user $user$
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
index cd44690629..d8b5f9c635 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates - ESC1 Abuse
id: cbe761fc-d945-4c8c-a71d-e26d12255d32
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible AD CS ESC1 activity by $src_user$ - $flavor_text$
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
index 69851736df..8eccc4bcf8 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates - ESC1 Authentication
id: f0306acf-a6ab-437a-bbc6-8628f8d5c97e
-version: 8
-date: '2026-03-17'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$src_user$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible AD CS ESC1 authentication on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
index fec4ed144a..94d5d02c3b 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates Certificate Issued
id: 9b1a5385-0c31-4c39-9753-dc26b8ce64c2
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A certificate was issued to $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
index c96ec36d9c..b503bc3053 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates Certificate Request
id: 747d7800-2eaa-422d-b994-04d8bb9e06d0
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A certificate was requested by $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index 8ca26eeeab..d9299fcc46 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates CertUtil Backup
id: bac85b56-0b65-4ce5-aad5-d94880df0967
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to backup the Certificate Store.
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
index 285089e2ff..d2e5b8f831 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates CryptoAPI
id: 905d5692-6d7c-432f-bc7e-a6b4f464d40e
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Certificates were exported via the CryptoAPI 2 on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
index 27f8da922b..8a095b510b 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates CS Backup
id: a2f4cc7f-6503-4078-b206-f83a29f408a7
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Active Directory Certiciate Services was backed up on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index 4eaa8dda24..e00d9e2259 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates Export Certificate
id: e39dc429-c2a5-4f1f-9c3c-6b211af6b332
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.
risk_objects:
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index 79da6eed26..cc71c23848 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -1,7 +1,7 @@
name: Windows Steal Authentication Certificates Export PfxCertificate
id: 391329f3-c14b-4b8d-8b37-ac5012637360
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to export a certificate from the local Windows Certificate Store.
risk_objects:
diff --git a/detections/endpoint/windows_subinacl_execution.yml b/detections/endpoint/windows_subinacl_execution.yml
index ea13f5e42e..75e4cc6fa9 100644
--- a/detections/endpoint/windows_subinacl_execution.yml
+++ b/detections/endpoint/windows_subinacl_execution.yml
@@ -1,7 +1,7 @@
name: Windows SubInAcl Execution
id: 12491419-1a6f-4af4-afc3-4e2052f0610e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified attempting to disable security services on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
index 2ae5a7d2fa..acfbdeddd6 100644
--- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
+++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
@@ -1,7 +1,7 @@
name: Windows Suspect Process With Authentication Traffic
id: 953322db-128a-4ce9-8e89-56e039e33d98
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_c2_named_pipe.yml b/detections/endpoint/windows_suspicious_c2_named_pipe.yml
index cedd6feee3..e0ab0ba7f9 100644
--- a/detections/endpoint/windows_suspicious_c2_named_pipe.yml
+++ b/detections/endpoint/windows_suspicious_c2_named_pipe.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious C2 Named Pipe
id: 90599d85-dc2a-4d4c-8c59-9485c3665828
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ located in $process_path$ was identified on endpoint $dest$ accessing known suspicious C2 named pipe $pipe_name$.
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
index c2d2965018..2928ca4460 100644
--- a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
+++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious Child Process Spawned From WebServer
id: 2d4470ef-7158-4b47-b68b-1f7f16382156
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Webshell Exploit Behavior - $parent_process_name$ spawned $process_name$ on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_driver_loaded_path.yml b/detections/endpoint/windows_suspicious_driver_loaded_path.yml
index 0419bcfc89..200fe4d4a7 100644
--- a/detections/endpoint/windows_suspicious_driver_loaded_path.yml
+++ b/detections/endpoint/windows_suspicious_driver_loaded_path.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious Driver Loaded Path
id: 2ca1c4a1-8342-4750-9363-905650e0c933
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious driver $ImageLoaded$ on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_named_pipe.yml b/detections/endpoint/windows_suspicious_named_pipe.yml
index a3b8f36e27..d9b23c54ba 100644
--- a/detections/endpoint/windows_suspicious_named_pipe.yml
+++ b/detections/endpoint/windows_suspicious_named_pipe.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious Named Pipe
id: 3a76d52f-a007-4a65-a37d-f313c2c83f31
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $process_name$ located in $process_path$ was identified on endpoint $dest$ accessing known suspicious named pipe $pipe_name$.
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml
index 3f2fb93a08..f936466010 100644
--- a/detections/endpoint/windows_suspicious_process_file_path.yml
+++ b/detections/endpoint/windows_suspicious_process_file_path.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious Process File Path
id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
-version: 21
-date: '2026-03-16'
+version: 22
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process $process_name$ running from a suspicious process path- $process_path$ on host- $dest$
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml b/detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml
index bd9e432837..3dcb230494 100644
--- a/detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml
+++ b/detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious React or Next.js Child Process
id: baa80bc8-7c9c-4395-b458-b69feb92830a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -115,9 +115,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Node-based server process ($parent_process_name$) spawned the child process $process_name$ with command-line $process$ on host $dest$ by user $user$, which may indicate remote code execution via React Server Components (CVE-2025-55182 / React2Shell) or abuse of a similar Node.js RCE vector.
risk_objects:
diff --git a/detections/endpoint/windows_suspicious_vmware_tools_child_process.yml b/detections/endpoint/windows_suspicious_vmware_tools_child_process.yml
index 68a3290b64..4c9b31eeb4 100644
--- a/detections/endpoint/windows_suspicious_vmware_tools_child_process.yml
+++ b/detections/endpoint/windows_suspicious_vmware_tools_child_process.yml
@@ -1,7 +1,7 @@
name: Windows Suspicious VMWare Tools Child Process
id: 1f77661a-0fe3-4b8d-a62c-7dff06906d26
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process spawned by vmtoolsd.exe on $dest$
risk_objects:
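Review bot: The new `earliest_offset: 7d` carries no sign while the drilldown's name promises the *last* 7 days; if ES resolves drilldown offsets relative to the notable's `_time`, an unsigned `7d` could be read as 7 days *after* the event, leaving `earliest` beyond `latest_offset: 0` and an empty result. Confirm the convention the generator emits for the notable drilldown offset parameters and, if a sign is expected, write `earliest_offset: '-7d'`. With `starthoursago=168` removed from the SPL, these two offsets are now the only time bound on the `Risk.All_Risk` query, so getting their semantics wrong is no longer masked by the in-search filter. The `risk_objects` list on the last line continues outside the hunk.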
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
index 464dfc12c0..325084f75c 100644
--- a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
+++ b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -1,7 +1,7 @@
name: Windows Svchost.exe Parent Process Anomaly
id: 1d38e5e9-2ff8-4c47-872c-bf1657cefab5
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An svchost.exe process was spawned by an unexpected parent process [$parent_process_name$] instead of services.exe on [$dest$].
risk_objects:
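Review bot: `latest_offset: 0` is an unquoted YAML integer whereas `earliest_offset: 7d` and the `$info_min_time$`/`$info_max_time$` offsets of the sibling drilldown are strings, so the loader hands the model an `int` for one offset field and a `str` for the rest; a schema that types offsets as strings may reject it or render it inconsistently. Quote it as `latest_offset: '0'` (and, for symmetry, `earliest_offset: '7d'`) so every offset in the file has the same type. I cannot see the consuming schema from here, so treat this as a consistency fix to verify against the content generator. The `risk_objects` list this hunk ends on continues past the hunk.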
diff --git a/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml b/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml
index afa59ba74b..8b166c41a1 100644
--- a/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml
+++ b/detections/endpoint/windows_symlink_evaluation_change_via_fsutil.yml
@@ -1,7 +1,7 @@
name: Windows Symlink Evaluation Change via Fsutil
id: 9777e7e3-2499-4a16-a519-ebe33630c1e8
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -61,9 +61,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ with command line "$process$" modified SymlinkEvaluation on $dest$
risk_objects:
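Review bot: The rewritten search still interpolates the notable's `$dest$` verbatim into `normalized_risk_object IN ("$dest$")`, and whether a value containing `"` or `*` is escaped is decided by ES token substitution, not by this YAML; a `*` widens the match to unrelated risk objects and a stray quote breaks the `IN()` list. Now that `starthoursago=168` is gone, any such widening spans the full 7-day window set by `earliest_offset: 7d`, so it is worth confirming the substitution escapes those characters rather than assuming it. A comment on the `search:` line such as `# $dest$ is substituted unescaped by ES; relies on hostnames containing no SPL metacharacters` would record the assumption. The `risk_objects` list on the final line continues outside the hunk.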
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index 1a74341274..70c907f89e 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -1,7 +1,7 @@
name: Windows System Binary Proxy Execution Compiled HTML File Decompile
id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $process_name$ has been identified using decompile against a CHM on $dest$ under user $user$.
risk_objects:
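Review bot: `earliest_offset: 7d` has no sign, yet the drilldown is named "last 7 days"; if the ES drilldown offset is applied relative to the notable's `_time` (as the retained `$info_min_time$`/`$info_max_time$` tokens on the previous drilldown suggest), the positive value may push `earliest` forward of `latest_offset: 0` and yield nothing. Confirm the expected format and use `earliest_offset: '-7d'` if a signed offset is required. Note too that this search substitutes both `$user$` and `$dest$` unescaped into the `IN()` list, so a `*` in either would widen the 7-day risk lookup. The `risk_objects` list continues beyond the hunk.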
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
index 675988f353..420f5bcf19 100644
--- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
+++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
@@ -1,7 +1,7 @@
name: Windows System Discovery Using ldap Nslookup
id: 2418780f-7c3e-4c45-b8b4-996ea850cd49
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: System nslookup domain discovery on $dest$
risk_objects:
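Review bot: `latest_offset: 0` is parsed as a YAML integer while every other offset in this file (`7d`, `$info_min_time$`, `$info_max_time$`) is a string, so one field arrives as `int` and the rest as `str`; if the detection schema declares offsets as strings this either fails validation or is coerced differently from its siblings. Write `latest_offset: '0'` to keep the type uniform. Since `starthoursago=168` was dropped from the SPL, this pair of offsets is now the sole time bound on the `Risk.All_Risk` query, so a rejected or mis-typed offset would leave the drilldown unbounded. The `risk_objects` list on the last line continues outside the hunk.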
diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml
index 0e3fe41831..ce2050714b 100644
--- a/detections/endpoint/windows_system_logoff_commandline.yml
+++ b/detections/endpoint/windows_system_logoff_commandline.yml
@@ -1,7 +1,7 @@
name: Windows System LogOff Commandline
id: 74a8133f-93e7-4b71-9bd3-13a66124fd57
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name $process_name$ is seen to execute logoff commandline on $dest$
risk_objects:
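Review bot: The new `search:` line still drops `$dest$` straight into `normalized_risk_object IN ("$dest$")` with no escaping visible here; if ES substitutes the notable's `dest` value literally, a `"` in it breaks the `IN()` list and a `*` turns the lookup into a wildcard over the risk index. That risk is now amplified because the `starthoursago=168` filter is gone and the query covers the whole 7-day window from `earliest_offset: 7d`. Confirm the substitution escapes SPL metacharacters, or document the assumption next to the search, e.g. `# $dest$ inserted unescaped by ES token substitution`. The `risk_objects` list continues past the hunk.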
diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
index 3b21abab21..4dbbcc6d62 100644
--- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
+++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
@@ -1,7 +1,7 @@
name: Windows System Network Config Discovery Display DNS
id: e24f0a0e-41a9-419f-9999-eacab15efc36
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: process $process_name$ with commandline $process$ is executed on $dest$
risk_objects:
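Review bot: `earliest_offset: 7d` is unsigned while the drilldown advertises the *last* 7 days; should ES interpret drilldown offsets relative to the notable's `_time`, an unsigned `7d` may land `earliest` after `latest_offset: 0` and return no rows. Verify the offset convention the generator emits and, if it expects a sign, change to `earliest_offset: '-7d'`. Because the `starthoursago=168` bound was removed from the SPL, an incorrect offset is no longer masked by the in-search filter. The `risk_objects` list on the final line continues outside the hunk.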
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
index 0c920fb5fb..9bf011eef2 100644
--- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
+++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
@@ -1,7 +1,7 @@
name: Windows System Network Connections Discovery Netsh
id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: netsh process with command line $process$ on $dest$
risk_objects:
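Review bot: `latest_offset: 0` is the only unquoted numeric offset in this file — `earliest_offset: 7d` and the `$info_*_time$` tokens are strings — so a loader sees mixed `int`/`str` types across fields that mean the same thing. Quote it as `latest_offset: '0'` so the schema receives consistent string offsets. The drilldown `search:` also still interpolates `$dest$` unescaped into `IN("$dest$")`, which a `*` or `"` in the notable field could alter; worth a confirming note that ES escapes these. The `risk_objects` list on the last line continues beyond the hunk.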
diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
index 55b7b4a9ff..1af205d7ad 100644
--- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
+++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
@@ -1,7 +1,7 @@
name: Windows System Script Proxy Execution Syncappvpublishingserver
id: 8dd73f89-682d-444c-8b41-8e679966ad3c
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download files or evade critical controls.
risk_objects:
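Review bot: The rewritten drilldown inserts both `$user$` and `$dest$` unescaped into `normalized_risk_object IN ("$user$", "$dest$")`; user names are attacker-controllable in many data sources, so a value with `*` would widen the risk lookup and a `"` would break the `IN()` list, and with `starthoursago=168` gone the widened query now spans the full 7-day window from `earliest_offset: 7d`. Whether ES escapes these characters during token substitution is not visible from this YAML, so confirm it rather than assume it. A comment such as `# $user$/$dest$ substituted unescaped by ES` on the `search:` line would flag the dependency. The `risk_objects` list continues outside the hunk.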
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index 9cd3da353d..13e7da2125 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -1,7 +1,7 @@
name: Windows System Shutdown CommandLine
id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -22,9 +22,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process $process_name$ seen to execute shutdown via commandline on $dest$
risk_objects:
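Review bot: `earliest_offset: 7d` lacks a sign although the drilldown name says "last 7 days"; if ES applies drilldown offsets relative to the notable's `_time`, the unsigned value may be read as 7 days forward, putting `earliest` after `latest_offset: 0`. Confirm the accepted format and use `earliest_offset: '-7d'` if a sign is required. Removing `starthoursago=168` from the SPL means these offsets are now the only time constraint on the `Risk.All_Risk` search, so the semantics matter more than before. The `risk_objects` list on the last line continues past the hunk.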
diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
index b525e1c533..11fbbc2f88 100644
--- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
+++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
@@ -1,7 +1,7 @@
name: Windows System Time Discovery W32tm Delay
id: b2cc69e7-11ba-42dc-a269-59c069a48870
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Process name w32tm.exe is using suspcicious command line arguments $process$ on host $dest$.
risk_objects:
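Review bot: `latest_offset: 0` is loaded as a YAML integer whereas `earliest_offset: 7d` and the other drilldown's `$info_min_time$`/`$info_max_time$` are strings, leaving one offset field typed differently from its siblings; a string-typed schema may reject or coerce it unexpectedly. Change it to `latest_offset: '0'` for a uniform type. With the in-search `starthoursago=168` bound dropped, a rejected offset would leave the risk query without a time window, so the type mismatch is worth fixing rather than relying on coercion. The `risk_objects` list continues beyond the hunk.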
diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml
index 2a675b5d08..fb852c3b4e 100644
--- a/detections/endpoint/windows_terminating_lsass_process.yml
+++ b/detections/endpoint/windows_terminating_lsass_process.yml
@@ -1,7 +1,7 @@
name: Windows Terminating Lsass Process
id: 7ab3c319-a4e7-4211-9e8c-40a049d0dba6
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $SourceImage$ terminates Lsass process on $dest$
risk_objects:
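Review bot: The new `search:` still passes `$dest$` unescaped into `normalized_risk_object IN ("$dest$")`, and nothing in this YAML shows ES escaping `"` or `*` in the substituted value; a `*` would wildcard the risk lookup and a quote would break the list. That exposure now covers the full 7-day window set by `earliest_offset: 7d`, since the `starthoursago=168` filter was removed. Confirm that ES token substitution escapes SPL metacharacters, or document the assumption inline, e.g. `# relies on ES escaping $dest$ before substitution`. The `risk_objects` list on the last line continues outside the hunk.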
diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml
index d86f86a7ac..59976306c5 100644
--- a/detections/endpoint/windows_time_based_evasion.yml
+++ b/detections/endpoint/windows_time_based_evasion.yml
@@ -1,7 +1,7 @@
name: Windows Time Based Evasion
id: 34502357-deb1-499a-8261-ffe144abf561
-version: 12
-date: '2026-03-30'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -62,9 +62,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $process_name$ did a suspicious ping to invalid IP address on $dest$
risk_objects:
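Review bot: `earliest_offset: 7d` is unsigned while the drilldown is titled "last 7 days"; if the ES drilldown offset is relative to the notable's `_time`, the positive value could set `earliest` seven days *after* the event, beyond `latest_offset: 0`, and the drilldown would come back empty. Verify the convention the generator writes for the notable drilldown offset parameters and use `earliest_offset: '-7d'` if a sign is expected. The dropped `starthoursago=168` previously bounded the search regardless of these offsets, so that safety net is gone. The `risk_objects` list continues past the hunk.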
diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
index f58c136d17..523bf22984 100644
--- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
+++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
@@ -1,7 +1,7 @@
name: Windows Time Based Evasion via Choice Exec
id: d5f54b38-10bf-4b3a-b6fc-85949862ed50
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A $process_name$ has a choice time delay commandline on $dest$
risk_objects:
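Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` and the `$info_*_time$` offsets on the neighbouring drilldown are strings, so the detection model receives mixed types for the same kind of field. Quote it — `latest_offset: '0'` — to match. The `search:` on the same drilldown also interpolates `$dest$` unescaped into `IN("$dest$")`, which a `*` or `"` in the notable's field could alter across the now-7-day window; confirm ES escapes these. The `risk_objects` list on the final line continues outside the hunk.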
diff --git a/detections/endpoint/windows_tinycc_shellcode_execution.yml b/detections/endpoint/windows_tinycc_shellcode_execution.yml
index 0c3620709e..e6a6de12fb 100644
--- a/detections/endpoint/windows_tinycc_shellcode_execution.yml
+++ b/detections/endpoint/windows_tinycc_shellcode_execution.yml
@@ -1,7 +1,7 @@
name: Windows TinyCC Shellcode Execution
id: fdb6774e-e465-4912-86e3-63cf9ab91491
-version: 1
-date: '2026-03-13'
+version: 2
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -56,9 +56,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: TinyCC compiler execution on $dest$ by user $user$ from $process_path$, indicating potential malicious code execution.
risk_objects:
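Review bot: The rewritten search substitutes `$dest$` and `$user$` unescaped into `normalized_risk_object IN ("$dest$", "$user$")`; a `*` in either value widens the lookup to other risk objects and a `"` breaks the list, and with `starthoursago=168` removed the query now spans the entire 7-day window from `earliest_offset: 7d`. Whether ES escapes these characters is not determinable from this YAML, so confirm it. An inline note such as `# $dest$/$user$ substituted unescaped by ES token expansion` would make the dependency explicit. The `risk_objects` list continues beyond the hunk.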
diff --git a/detections/endpoint/windows_tor_client_execution.yml b/detections/endpoint/windows_tor_client_execution.yml
index ab6d0adff8..71fb600d2f 100644
--- a/detections/endpoint/windows_tor_client_execution.yml
+++ b/detections/endpoint/windows_tor_client_execution.yml
@@ -1,7 +1,7 @@
name: Windows TOR Client Execution
id: f164bc6f-ecbe-45e0-aaa6-f5c4d8c84b9a
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Vignesh Subramanian, Splunk
status: production
type: Anomaly
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: TOR client process $process_name$ was launched by parent process $parent_process_name$ on host $dest$ by the user $user$ with command line $process$
risk_objects:
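Review bot: `earliest_offset: 7d` carries no sign although the drilldown promises the *last* 7 days; should ES resolve drilldown offsets relative to the notable's `_time`, an unsigned value may place `earliest` after `latest_offset: 0` and return nothing. Confirm the accepted offset format and write `earliest_offset: '-7d'` if a sign is required. Separately, `latest_offset: 0` is a YAML integer while `7d` is a string — quoting it as `'0'` keeps the field types uniform. The `risk_objects` list on the last line continues outside the hunk.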
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index 7e1fa4bd98..e8fbe70c44 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -1,7 +1,7 @@
name: Windows UAC Bypass Suspicious Child Process
id: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A UAC bypass parent process- $parent_process_name$ on host- $dest$ launched a suspicious child process - $process_name$.
risk_objects:
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
index cb88c12397..5bdabea087 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
@@ -1,7 +1,7 @@
name: Windows UAC Bypass Suspicious Escalation Behavior
id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3
-version: 12
-date: '2026-03-25'
+version: 13
+date: '2026-03-31'
author: Steven Dick
status: production
type: TTP
@@ -111,9 +111,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A UAC bypass behavior was detected by process $parent_process_name$ on host $dest$ by $user$.
risk_objects:
diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
index edfb96e214..9e5bf58877 100644
--- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
+++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
@@ -1,7 +1,7 @@
name: Windows Unsecured Outlook Credentials Access In Registry
id: 36334123-077d-47a2-b70c-6c7b3cc85049
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious process $process_name$ accessing outlook credentials registry on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
index 9b1aec7524..b73c247e02 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -1,7 +1,7 @@
name: Windows Unsigned DLL Side-Loading
id: 5a83ce44-8e0f-4786-a775-8249a525c879
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An unsigned dll module was loaded on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
index 03ca21f4ac..4dd244e3d6 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -1,7 +1,7 @@
name: Windows Unsigned DLL Side-Loading In Same Process Path
id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
type: TTP
status: production
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An unsigned dll module was loaded on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
index 6ef6a1e2f9..9ecd4fdb87 100644
--- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -1,7 +1,7 @@
name: Windows Unsigned MS DLL Side-Loading
id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 7
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $Image$ loading Unsigned $ImageLoaded$ was detected on $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
index 33532500b7..601e02502d 100644
--- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
id: f65aa026-b811-42ab-b4b9-d9088137648f
-date: '2026-03-10'
+date: '2026-03-31'
type: Anomaly
-version: 9
+version: 10
status: production
author: Mauricio Velazco, Splunk
data_source:
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x12
| bucket span=5m _time
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
index a7112660d8..5b883e2426 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
name: Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
id: f122cb2e-d773-4f11-8399-62a3572d8dd7
type: Anomaly
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
status: production
author: Mauricio Velazco, Splunk
data_source:
@@ -18,9 +18,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4768 TargetUserName!=*$ Status=0x6
| bucket span=5m _time
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
index cbc0323b3e..7c4cecea91 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
id: 15603165-147d-4a6e-9778-bd0ff39e668f
type: Anomaly
-version: 10
+version: 11
status: production
-date: '2026-03-10'
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4776
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xc0000064
| bucket span=2m _time
diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
index 6148345d04..a822d82820 100644
--- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93
type: Anomaly
-version: 10
+version: 11
status: production
-date: '2026-03-10'
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4648
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4648 Caller_User_Name!=*$ Target_User_Name!=*$
| bucket span=5m _time
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
index 8d7c167712..933334da98 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
name: Windows Unusual Count Of Users Failed To Auth Using Kerberos
id: bc9cb715-08ba-40c3-9758-6e2b26e455cb
-date: '2026-03-10'
+date: '2026-03-31'
type: Anomaly
-version: 9
+version: 10
status: production
author: Mauricio Velazco, Splunk
data_source:
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4771 TargetUserName!="*$" Status=0x18
| bucket span=5m _time
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
index 990c563017..c437fb12db 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Failed To Authenticate From Process
id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe
type: Anomaly
-version: 10
+version: 11
status: production
-date: '2026-03-10'
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!="-"
| bucket span=2m _time
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
index 17b5281d4f..282cd331a6 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Failed To Authenticate Using NTLM
id: 6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4
type: Anomaly
-version: 10
+version: 11
status: production
-date: '2026-03-10'
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4776
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Workstation$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Workstation$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4776 TargetUserName!=*$ Status=0xC000006A
| bucket span=2m _time
diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
index 3b5d72f8c9..096afb6638 100644
--- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
@@ -1,9 +1,9 @@
name: Windows Unusual Count Of Users Remotely Failed To Auth From Host
id: cf06a0ee-ffa9-4ed3-be77-0670ed9bab52
type: Anomaly
-version: 10
+version: 11
status: production
-date: '2026-03-10'
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
data_source:
- Windows Event Log Security 4625
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$Computer$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
search: |-
`wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!="-"
| bucket span=2m _time
diff --git a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml
index 71e43beddb..6af81c3252 100644
--- a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml
+++ b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml
@@ -1,7 +1,7 @@
name: Windows Unusual FileZilla XML Config Access
id: 47dc0426-cbe4-4253-8b86-1a983c3f9951
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a non filezilla process $process_name$ with $process_id$ accessed FileZilla XML config files on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
index 8ce76a6cbe..8da110b261 100644
--- a/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
+++ b/detections/endpoint/windows_unusual_intelliform_storage_registry_access.yml
@@ -1,7 +1,7 @@
name: Windows Unusual Intelliform Storage Registry Access
id: 99d69078-7dae-4ffe-9f3d-063242772f5a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a non Internet Explorer process $process_name$ with $process_id$ accessed Intelliform Storage Registry keys on host $dest$
risk_objects:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
index f7d8b8c8cd..439f134c61 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Destinations By Source
id: ae9b0df5-5fb0-477f-abc9-47faf42aa91d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The device [$src$] attempted $count$ NTLM authentications against $unique_count$ destinations.
risk_objects:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
index 15a1235479..6d3792a075 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Destinations By User
id: a4d86702-402b-4a4f-8d06-9d61e6c39cad
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The user [$user$] attempted $count$ NTLM authentications against $unique_count$ destinations.
risk_objects:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
index f3a2994ba8..ccef720f69 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Users By Destination
id: 1120a204-8444-428b-8657-6ea4e1f3e840
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The device [$dest$] was the target of $count$ NTLM authentications using $unique_count$ unique user accounts.
risk_objects:
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
index 300d8ffd38..70f9fcdc1a 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
@@ -1,7 +1,7 @@
name: Windows Unusual NTLM Authentication Users By Source
id: 80fcc4d4-fd90-488e-b55a-4e7190ae6ce2
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The device [$src$] attempted $count$ NTLM authentications using $unique_count$ user accounts.
risk_objects:
diff --git a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
index afc5b002ee..e0e122c788 100644
--- a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
+++ b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml
@@ -1,7 +1,7 @@
name: Windows Unusual Process Load Mozilla NSS-Mozglue Module
id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a non Firefox or Thunderbird process $process_name$ with $process_id$ loaded the Mozilla NSS-Mozglue libraries on host $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
index 5318a33a99..c1d6f54150 100644
--- a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
+++ b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
@@ -1,7 +1,7 @@
name: Windows Unusual SysWOW64 Process Run System32 Executable
id: e4602172-db86-4315-86df-da66fb40bcde
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a 32 bit process execute 64 bit executable on [$dest$].
risk_objects:
diff --git a/detections/endpoint/windows_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml
index fdbf3b9b8a..db24784a17 100644
--- a/detections/endpoint/windows_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_usbstor_registry_key_modification.yml
@@ -1,7 +1,7 @@
name: Windows USBSTOR Registry Key Modification
id: a345980a-417d-4ed3-9fb4-cac30c9405a0
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate USB events on $dest$
search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_user_deletion_via_net.yml b/detections/endpoint/windows_user_deletion_via_net.yml
index 669a010cf4..39d4b9411a 100644
--- a/detections/endpoint/windows_user_deletion_via_net.yml
+++ b/detections/endpoint/windows_user_deletion_via_net.yml
@@ -1,7 +1,7 @@
name: Windows User Deletion Via Net
id: b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to delete accounts.
risk_objects:
diff --git a/detections/endpoint/windows_user_disabled_via_net.yml b/detections/endpoint/windows_user_disabled_via_net.yml
index bb5dff295a..90c0df0038 100644
--- a/detections/endpoint/windows_user_disabled_via_net.yml
+++ b/detections/endpoint/windows_user_disabled_via_net.yml
@@ -1,7 +1,7 @@
name: Windows User Disabled Via Net
id: b0359e05-c87b-4354-83d8-aee0d890243f
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified disabling a user account on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index 561024a59c..8fa45b3c7f 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,7 +1,7 @@
name: Windows User Execution Malicious URL Shortcut File
id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A process created a .URL shortcut file in $file_path$ of $dest$
risk_objects:
diff --git a/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml b/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml
index 13d0e18ab9..c5610065a9 100644
--- a/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml
+++ b/detections/endpoint/windows_visual_basic_commandline_compiler_dnsquery.yml
@@ -1,7 +1,7 @@
name: Windows Visual Basic Commandline Compiler DNSQuery
id: 8976744a-ae7a-46a4-8128-690df85c2af4
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: vbc.exe process [$process_name$] made a DNS query for $query$ from host $dest$.
risk_objects:
diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml
index cdeb3d9819..a8a1bdda45 100644
--- a/detections/endpoint/windows_vulnerable_3cx_software.yml
+++ b/detections/endpoint/windows_vulnerable_3cx_software.yml
@@ -1,7 +1,7 @@
name: Windows Vulnerable 3CX Software
id: f2cc1584-46ee-485b-b905-977c067f36de
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
type: TTP
status: production
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known vulnerable instance of 3CX Software $process_name$ ran on $dest$, related to a supply chain attack.
risk_objects:
diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml
index 0cae14aedb..cf01f7bdf0 100644
--- a/detections/endpoint/windows_vulnerable_driver_installed.yml
+++ b/detections/endpoint/windows_vulnerable_driver_installed.yml
@@ -1,7 +1,7 @@
name: Windows Vulnerable Driver Installed
id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f
-version: 8
-date: '2026-03-16'
+version: 9
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potentially vulnerable/malicious driver [$ImagePath$] has been installed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml b/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml
index 99b06e8510..ca5b888159 100644
--- a/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml
+++ b/detections/endpoint/windows_wbadmin_file_recovery_from_backup.yml
@@ -1,7 +1,7 @@
name: Windows WBAdmin File Recovery From Backup
id: 0175f0b7-728d-4038-bbf1-1c30d6ee3d31
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to restore a file from a backup via WBAdmin $process$ was observed on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml
index e33a9d5f8b..40c294d131 100644
--- a/detections/endpoint/windows_windbg_spawning_autoit3.yml
+++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml
@@ -1,7 +1,7 @@
name: Windows WinDBG Spawning AutoIt3
id: 7aec015b-cd69-46c3-85ed-dac152056aa4
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml
index 3343963a3d..aadad5a3b9 100644
--- a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml
+++ b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml
@@ -1,7 +1,7 @@
name: Windows WinRAR Launched Outside Default Installation Directory
id: 3b711292-9793-4a88-8e89-6e016cfbc09c
-version: 1
-date: '2026-03-03'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A [$process_name$] execution in [$process_path$] was identified on endpoint [$dest$] by user [$user$].
risk_objects:
diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml
index a7095efa00..7f23526ffb 100644
--- a/detections/endpoint/windows_wmi_impersonate_token.yml
+++ b/detections/endpoint/windows_wmi_impersonate_token.yml
@@ -1,7 +1,7 @@
name: Windows WMI Impersonate Token
id: cf192860-2d94-40db-9a51-c04a2e8a8f8b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wmiprvse.exe process having a duplicate or full Granted Access $GrantedAccess$ to $TargetImage$ process on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml
index b956fba88c..d1d5a57d98 100644
--- a/detections/endpoint/windows_wmi_process_and_service_list.yml
+++ b/detections/endpoint/windows_wmi_process_and_service_list.yml
@@ -1,7 +1,7 @@
name: Windows WMI Process And Service List
id: ef3c5ef2-3f6d-4087-aa75-49bf746dc907
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wmi command $process$ to list processes and services on $dest$
risk_objects:
diff --git a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml
index 988f283eee..7bcc50866e 100644
--- a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml
+++ b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml
@@ -1,7 +1,7 @@
name: Windows WMI Reconnaissance Class Query
id: 5e38bd3e-5da7-483d-aa61-27f7e8c27ad1
-version: 1
-date: '2026-03-03'
+version: 2
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of [$parent_process_name$] spawning [$process_name$] was identified on endpoint [$dest$] by user [$user$] attempting to enumerate system information via WMI classes using the Command [$process$].
risk_objects:
diff --git a/detections/endpoint/windows_wmic_cpu_discovery.yml b/detections/endpoint/windows_wmic_cpu_discovery.yml
index 5d3684e5dc..0abb146141 100644
--- a/detections/endpoint/windows_wmic_cpu_discovery.yml
+++ b/detections/endpoint/windows_wmic_cpu_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic CPU Discovery
id: 6fc46cae-a8c0-4296-b07a-8e52d4322587
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to gather CPU information.
risk_objects:
diff --git a/detections/endpoint/windows_wmic_diskdrive_discovery.yml b/detections/endpoint/windows_wmic_diskdrive_discovery.yml
index 560359fbef..3d6e1c1801 100644
--- a/detections/endpoint/windows_wmic_diskdrive_discovery.yml
+++ b/detections/endpoint/windows_wmic_diskdrive_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic DiskDrive Discovery
id: 85e88c80-e4ee-4c65-b02e-3c54d94c7a51
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to gather disk drive information.
risk_objects:
diff --git a/detections/endpoint/windows_wmic_memory_chip_discovery.yml b/detections/endpoint/windows_wmic_memory_chip_discovery.yml
index 34b4a0f319..963c8b7ba7 100644
--- a/detections/endpoint/windows_wmic_memory_chip_discovery.yml
+++ b/detections/endpoint/windows_wmic_memory_chip_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic Memory Chip Discovery
id: aecaddaa-5885-4e44-a724-1edd5ecbc79f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to gather Memory Chip information.
risk_objects:
diff --git a/detections/endpoint/windows_wmic_network_discovery.yml b/detections/endpoint/windows_wmic_network_discovery.yml
index e3b85fccdc..9dfc2bff31 100644
--- a/detections/endpoint/windows_wmic_network_discovery.yml
+++ b/detections/endpoint/windows_wmic_network_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic Network Discovery
id: cce82b81-c716-4b6c-bac9-33e6a6925cc2
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to gather Network information.
risk_objects:
diff --git a/detections/endpoint/windows_wmic_shadowcopy_delete.yml b/detections/endpoint/windows_wmic_shadowcopy_delete.yml
index 69f0066e52..a1b5049f6e 100644
--- a/detections/endpoint/windows_wmic_shadowcopy_delete.yml
+++ b/detections/endpoint/windows_wmic_shadowcopy_delete.yml
@@ -1,7 +1,7 @@
name: Windows WMIC Shadowcopy Delete
id: 0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, AJ King, Splunk
status: production
type: Anomaly
@@ -25,9 +25,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$process_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$process_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$process_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A WMIC command, $process_name$, was detected attempting to delete volume shadow copies spawned off of $parent_process_name$ on $dest$. This is a common ransomware technique used to prevent system recovery.
risk_objects:
diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
index a78c544caf..67b9961be8 100644
--- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml
+++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml
@@ -1,7 +1,7 @@
name: Windows Wmic Systeminfo Discovery
id: 97937ece-cb13-4dbc-9684-c0dc3afd400a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to gather system information.
risk_objects:
diff --git a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
index 826392e7be..d460aec55a 100644
--- a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
@@ -1,7 +1,7 @@
name: Windows WPDBusEnum Registry Key Modification
id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate USB events on $dest$
search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*")'
earliest_offset: $info_min_time$
diff --git a/detections/endpoint/windows_wsus_spawning_shell.yml b/detections/endpoint/windows_wsus_spawning_shell.yml
index 652e2a40d1..f1652a0c93 100644
--- a/detections/endpoint/windows_wsus_spawning_shell.yml
+++ b/detections/endpoint/windows_wsus_spawning_shell.yml
@@ -1,7 +1,7 @@
name: Windows WSUS Spawning Shell
id: 76ea28ac-6f10-43fd-b5fe-340022ad0fd3
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: WSUS service process wsusservice.exe spawned shell process $process_name$ on $dest$ by $user$, indicating possible CVE-2025-59287 exploitation
risk_objects:
diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
index d338b76cde..10c1f4ea06 100644
--- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
@@ -1,7 +1,7 @@
name: WinEvent Scheduled Task Created to Spawn Shell
id: 203ef0ea-9bd8-11eb-8201-acde48001122
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: 'A Windows Scheduled Task was created (task name=$TaskName$) on $dest$ with the following contents: $TaskContent$'
risk_objects:
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index 8cd7250126..38fdc4b0e1 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -1,7 +1,7 @@
name: WinEvent Scheduled Task Created Within Public Path
id: 5d9c6eee-988c-11eb-8253-acde48001122
-version: 23
-date: '2026-03-10'
+version: 24
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A windows scheduled task was created (task name=$TaskName$) on $dest$
risk_objects:
diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml
index 9fdd4819db..f017610d54 100644
--- a/detections/endpoint/winhlp32_spawning_a_process.yml
+++ b/detections/endpoint/winhlp32_spawning_a_process.yml
@@ -1,7 +1,7 @@
name: Winhlp32 Spawning a Process
id: d17dae9e-2618-11ec-b9f5-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$, and is not typical activity for this process.
risk_objects:
diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml
index 491aebbde3..fa2acc965a 100644
--- a/detections/endpoint/winrar_spawning_shell_application.yml
+++ b/detections/endpoint/winrar_spawning_shell_application.yml
@@ -1,7 +1,7 @@
name: WinRAR Spawning Shell Application
id: d2f36034-37fa-4bd4-8801-26807c15540f
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.
risk_objects:
diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
index 1600da4454..1fde00a802 100644
--- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
+++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
@@ -1,7 +1,7 @@
name: WMI Permanent Event Subscription - Sysmon
id: ad05aae6-3b2a-4f73-af97-57bd26cee3b9
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rico Valdez, Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: WMI Permanent Event Subscription detected on $dest$ by $user$
risk_objects:
diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml
index 8d13ecbc78..028412cf94 100644
--- a/detections/endpoint/wmi_recon_running_process_or_services.yml
+++ b/detections/endpoint/wmi_recon_running_process_or_services.yml
@@ -1,7 +1,7 @@
name: WMI Recon Running Process Or Services
id: b5cd5526-cce7-11eb-b3bd-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious powerShell script execution by $user_id$ on $dest$ via EventCode 4104, where WMI is performing an event query looking for running processes or running services
risk_objects:
diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml
index d36a2a5338..66f1635f20 100644
--- a/detections/endpoint/wmic_group_discovery.yml
+++ b/detections/endpoint/wmic_group_discovery.yml
@@ -1,7 +1,7 @@
name: Wmic Group Discovery
id: 83317b08-155b-11ec-8e00-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
risk_objects:
diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml
index abdec94122..f4a6bb91da 100644
--- a/detections/endpoint/wmic_xsl_execution_via_url.yml
+++ b/detections/endpoint/wmic_xsl_execution_via_url.yml
@@ -1,7 +1,7 @@
name: WMIC XSL Execution via URL
id: 787e9dd0-4328-11ec-a029-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -58,9 +58,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to download a remote XSL script.
risk_objects:
diff --git a/detections/endpoint/wmiprvse_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprvse_lolbas_execution_process_spawn.yml
index 9d207c7f83..8019ccd38f 100644
--- a/detections/endpoint/wmiprvse_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wmiprvse_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
name: Wmiprvse LOLBAS Execution Process Spawn
id: b7e11721-08b1-4d8b-9628-813bb2380514
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wmiprvse.exe spawned a LOLBAS process on $dest$.
risk_objects:
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index 70552286ad..8f4b689503 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,7 +1,7 @@
name: Wscript Or Cscript Suspicious Child Process
id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 13
-date: '2026-03-24'
+version: 14
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: wscript or cscript parent process spawned $process_name$ on $dest$
risk_objects:
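Review bot: The `$dest$` and `$user$` tokens are substituted unescaped into a double-quoted SPL literal (`IN ("$dest$", "$user$")`), so a username or hostname containing `"` would change the meaning of the drilldown query; this predates the commit, but the `search:` line is being rewritten here anyway. Unless ES is known to escape drilldown tokens, it would be worth recording that assumption on the line, e.g. `# tokens are substituted verbatim by ES; values with embedded quotes will break the IN() list`. The `risk_objects` list continues below the hunk.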
diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
index 358e24ebac..d6ad3aea16 100644
--- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
name: Wsmprovhost LOLBAS Execution Process Spawn
id: 2eed004c-4c0d-11ec-93e8-3e22fbd008af
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Mauricio Velazco, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wsmprovhost.exe spawned a LOLBAS process on $dest$.
risk_objects:
diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml
index 10886840d4..ebb4f9cb3e 100644
--- a/detections/endpoint/wsreset_uac_bypass.yml
+++ b/detections/endpoint/wsreset_uac_bypass.yml
@@ -1,7 +1,7 @@
name: WSReset UAC Bypass
id: 8b5901bc-da63-11eb-be43-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious modification of registry $registry_path$ with possible payload path $registry_value_name$ on $dest$
risk_objects:
diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml
index 491f0c3bf5..31c0b72d8d 100644
--- a/detections/endpoint/xmrig_driver_loaded.yml
+++ b/detections/endpoint/xmrig_driver_loaded.yml
@@ -1,7 +1,7 @@
name: XMRIG Driver Loaded
id: 90080fa6-a8df-11eb-91e4-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -19,9 +19,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A driver $ImageLoaded$ related to xmrig crytominer loaded in host $dest$
risk_objects:
diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml
index a18a189a3a..676f7514e7 100644
--- a/detections/endpoint/xsl_script_execution_with_wmic.yml
+++ b/detections/endpoint/xsl_script_execution_with_wmic.yml
@@ -1,7 +1,7 @@
name: XSL Script Execution With WMIC
id: 004e32e2-146d-11ec-a83f-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing wmic to load a XSL script.
risk_objects:
diff --git a/detections/network/3cx_supply_chain_attack_network_indicators.yml b/detections/network/3cx_supply_chain_attack_network_indicators.yml
index 7938a4c6b8..20cd98b839 100644
--- a/detections/network/3cx_supply_chain_attack_network_indicators.yml
+++ b/detections/network/3cx_supply_chain_attack_network_indicators.yml
@@ -1,7 +1,7 @@
name: 3CX Supply Chain Attack Network Indicators
id: 791b727c-deec-4fbe-a732-756131b3c5a1
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Indicators related to 3CX supply chain attack have been identified on $src$.
risk_objects:
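Review bot: The drilldown filters `normalized_risk_object IN ("$dest$")` while the `rba.message` two lines below reports the indicators on `$src$`, so if `src` is the (or a) risk object under `risk_objects` — which continues outside the hunk — this 7-day risk drilldown will return nothing for the entity that actually carries the risk score. Either align the drilldown with the scored entity, e.g. `search normalized_risk_object IN ("$src$")` and `name: View risk events for the last 7 days for - "$src$"`, or list both tokens if both are scored. The mismatch predates the offset change but is worth fixing while the search line is being touched.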
diff --git a/detections/network/cisco_configuration_archive_logging_analysis.yml b/detections/network/cisco_configuration_archive_logging_analysis.yml
index 7db0da04ed..de93bab20c 100644
--- a/detections/network/cisco_configuration_archive_logging_analysis.yml
+++ b/detections/network/cisco_configuration_archive_logging_analysis.yml
@@ -1,7 +1,7 @@
name: Cisco Configuration Archive Logging Analysis
id: f52d5c0b-d45d-4304-b300-a4f6a1130dec
-version: 2
-date: '2026-02-25'
+version: 3
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Hunting
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Cisco Smart Install Remote Code Execution CVE-2018-0171
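Review bot: A "View risk events" drilldown on a `type: Hunting` search is unlikely to ever be rendered, because this detection has no `rba` block (the hunk is followed directly by `tags:`) and Hunting content does not produce notables or risk events for the drilldown to hang off; the `$dest$`/`$user$` tokens would also have nothing to resolve against. If the search is meant to be promoted to Anomaly/TTP later, a short comment above the entry saying so would help; otherwise the drilldown could be dropped rather than maintained. I am inferring the Hunting-to-notable behaviour from the `type` field; confirm against how contentctl emits drilldowns for Hunting content before acting on this.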
diff --git a/detections/network/cisco_ios_suspicious_privileged_account_creation.yml b/detections/network/cisco_ios_suspicious_privileged_account_creation.yml
index dd4753a920..c6f5fc9d59 100644
--- a/detections/network/cisco_ios_suspicious_privileged_account_creation.yml
+++ b/detections/network/cisco_ios_suspicious_privileged_account_creation.yml
@@ -1,7 +1,7 @@
name: Cisco IOS Suspicious Privileged Account Creation
id: 63e3aff9-45d7-4d41-bcdb-9da561fb4533
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious privileged account was created or modified on Cisco IOS device $dest$ by user $user$
risk_objects:
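Review bot: The drilldown scopes the risk lookup to `$dest$` only, while the `rba.message` names both the device `$dest$` and the creating account `$user$`; if `user` is also listed under `risk_objects` (which continues past the hunk), an analyst will not see that account's accumulated risk from this drilldown. Consider `search normalized_risk_object IN ("$dest$", "$user$")` with the `name:` updated to match, as the endpoint detections in this commit already do. Because `$user$` here is an attacker-chosen account name substituted unescaped into a quoted SPL literal, note in a comment whether ES escapes drilldown tokens before widening the filter to it.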
diff --git a/detections/network/cisco_network_interface_modifications.yml b/detections/network/cisco_network_interface_modifications.yml
index 9100b128bb..fbf886c2ec 100644
--- a/detections/network/cisco_network_interface_modifications.yml
+++ b/detections/network/cisco_network_interface_modifications.yml
@@ -1,7 +1,7 @@
name: Cisco Network Interface Modifications
id: 61ae09c2-079e-44b1-8be0-74e35c5a679e
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious network interface modifications detected on Cisco device $dest$ by user $user$, which may indicate persistence establishment
risk_objects:
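Review bot: As with the privileged-account detection, the drilldown filters on `$dest$` only while the `rba.message` attributes the change to `$user$` as well; if `user` is among the `risk_objects` that continue below the hunk, its risk history is not reachable from this drilldown. Suggest `search normalized_risk_object IN ("$dest$", "$user$")` and `name: View risk events for the last 7 days for - "$dest$" and "$user$"` if both are scored. Whether `user` is actually a risk object is not visible in the hunk; confirm before changing.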
diff --git a/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml b/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml
index 12401c80b0..333f959297 100644
--- a/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml
+++ b/detections/network/cisco_privileged_account_creation_with_http_command_execution.yml
@@ -1,7 +1,7 @@
name: Cisco Privileged Account Creation with HTTP Command Execution
id: 2c9d4f5a-8b6e-4c7f-9d8e-1a2b3c4d5e6f
-version: 2
-date: '2026-01-22'
+version: 3
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Correlation
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Cisco Secure Firewall Threat Defense Analytics
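Review bot: This drilldown filters `normalized_risk_object IN ("$risk_object$")`, whereas the sibling Correlation search `Cisco Privileged Account Creation with Suspicious SSH Activity` in the same commit uses `$normalized_risk_object$`; since the datamodel field being matched is the normalized value, the raw `$risk_object$` token may fail to match wherever normalization (for example case folding) has altered the string. Suggest `search normalized_risk_object IN ("$normalized_risk_object$")` and `name: View risk events for the last 7 days for - "$normalized_risk_object$"` so the two Correlation searches behave the same way. Whether ES exposes both tokens on a Correlation-generated notable is not visible here; confirm before changing.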
diff --git a/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml b/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml
index c289529767..9a29aa468e 100644
--- a/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml
+++ b/detections/network/cisco_privileged_account_creation_with_suspicious_ssh_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Privileged Account Creation with Suspicious SSH Activity
id: 7f8e2b4c-9a3d-4e1f-8c5b-6d7e8f9a0b1c
-version: 3
-date: '2026-02-25'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Correlation
@@ -69,9 +69,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$normalized_risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$normalized_risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$normalized_risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- Cisco Secure Firewall Threat Defense Analytics
diff --git a/detections/network/cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity.yml b/detections/network/cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity.yml
index 061a03b664..928084a559 100644
--- a/detections/network/cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity.yml
+++ b/detections/network/cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity.yml
@@ -1,7 +1,7 @@
name: Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
id: 2f3862c6-45ff-4a02-9bd4-7e25c209fcd9
-version: 1
-date: '2026-03-09'
+version: 2
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -74,9 +74,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Cisco SD-WAN Manager exploitation activity from $src$ has been identified targeting host $dest$.
risk_objects:
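Review bot: The drilldown pivots only on `$src$`, yet the `rba.message` names both the attacking `$src$` and the targeted SD-WAN Manager `$dest$`; if `dest` is also scored under `risk_objects` (continuing below the hunk), the risk accumulated on the exploited host is not reachable from this drilldown. If both are risk objects, use `search normalized_risk_object IN ("$src$", "$dest$")` with the `name:` updated accordingly. This is independent of the offset change and is inferred from the message text alone.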
diff --git a/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml b/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml
index 0d1324b483..3755fd6912 100644
--- a/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml
+++ b/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml
@@ -1,7 +1,7 @@
name: Cisco SD-WAN - Low Frequency Rogue Peer
id: 0fe052a5-07b8-48e7-9fc8-d6a3957eb914
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -71,9 +71,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The SD-WAN device $dest$ established a rare control connection to peer-system-ip $peer_system_ip$ with peer-type $peer_type$ (observed $count$ times).
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___binary_file_type_download.yml b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
index 34fba6bdd9..d2b313b9ab 100644
--- a/detections/network/cisco_secure_firewall___binary_file_type_download.yml
+++ b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Binary File Type Download
id: 24b2c2e3-2ff7-4a23-b814-87f8a62028cd
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ downloaded a file $file_name$ of type $FileType$ from $dest$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___bits_network_activity.yml b/detections/network/cisco_secure_firewall___bits_network_activity.yml
index a401035483..8a6352b16f 100644
--- a/detections/network/cisco_secure_firewall___bits_network_activity.yml
+++ b/detections/network/cisco_secure_firewall___bits_network_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Bits Network Activity
id: b08e69d4-b42d-494c-bd30-abaaa3571ba4
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src$ downloaded a file from $url$ via BITS Service
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml b/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml
index 32877f4d52..72acc26785 100644
--- a/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml
+++ b/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
id: c43f7b49-2dab-4e76-892e-7f971c2f20f1
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious SSL certificate fingerprint - [$SSL_CertFingerprint$] used in connections [ListingReason - $Reasons$] from $src$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___blocked_connection.yml b/detections/network/cisco_secure_firewall___blocked_connection.yml
index 2215ec0a39..052a93beef 100644
--- a/detections/network/cisco_secure_firewall___blocked_connection.yml
+++ b/detections/network/cisco_secure_firewall___blocked_connection.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Blocked Connection
id: 17e9b764-3a2b-4d36-9751-32d13ce4718b
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A connection request from $src$ to $dest$ has been blocked according to the configured firewall rule $rule$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
index a95d88976d..33f1c6f8f5 100644
--- a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
+++ b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
id: 93db24a0-fd21-45d7-9daf-84afd5a8cca2
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Michael Haag, Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
@@ -59,9 +59,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation of CVE-2025-5777 from $src$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml b/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
index d04018c2ca..e52c6983f9 100644
--- a/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
+++ b/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Communication Over Suspicious Ports
id: d85c05c8-42c0-4e4a-87e7-4e1bb3e844e3
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious communication detected from $src$ to $dest$ over port $dest_port$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml b/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
index 62b20c34f8..e149137394 100644
--- a/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
+++ b/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Connection to File Sharing Domain
id: f7e5e792-d907-46c1-a58e-4ff974dc462a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ initiated a connection to the file sharing or pastebin domain $url$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
index 04a97aaa91..77200c2f0f 100644
--- a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
+++ b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - File Download Over Uncommon Port
id: f26445a8-a6a2-4855-bec0-0c39e52e5b8f
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The host $src$ downloaded a file $file_name$ of type $FileType$ from $dest$ over the uncommon port $dest_port$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml b/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
index 9cc1bfc06f..af5b82816a 100644
--- a/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
+++ b/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - High EVE Threat Confidence
id: 8c15183e-2e70-4db4-86c3-88f8d9129b66
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: High threat confidence ($EVE_ThreatConfidencePct$%) from $EVE_Process$ on $src$"
risk_objects:
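Review bot: The rba message on the line after `latest_offset: 0` ends with a stray double quote (`... on $src$"`), which is emitted verbatim into every risk event and notable this detection produces; since the hunk already touches this block, drop it: `message: High threat confidence ($EVE_ThreatConfidencePct$%) from $EVE_Process$ on $src$`. Separately, `latest_offset: 0` parses as an integer whereas `earliest_offset: 7d` and the replaced `$info_max_time$` are strings; quote it (`'0'`) if the schema expects a string. The `rba:` mapping continues outside the hunk.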
diff --git a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml
index 75b7dba368..4e637f66d4 100644
--- a/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml
+++ b/detections/network/cisco_secure_firewall___high_priority_intrusion_classification.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - High Priority Intrusion Classification
id: ec99bb81-c31b-4837-8c7d-1b32aa70b337
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: TTP
@@ -56,9 +56,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A high priority intrusion event with classification ($class_desc$) was detected from $src$ to $dest$, indicating potential suspicious activity.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
index 8228bf219b..c4f5600add 100644
--- a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
+++ b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - High Volume of Intrusion Events Per Host
id: 9f2295a0-0dcb-4a5f-b013-8a6f2a3c11f6
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A high number [$TotalEvents$] of Snort intrusion detections for [$signature$] were triggered by [$src$] in a 30-minute time window.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml b/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml
index e1b0a07510..2d145273f3 100644
--- a/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml
+++ b/detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Intrusion Events by Threat Activity
id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -66,9 +66,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$""
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential $threat$ activity detected on $dest$ originating from $src$.
risk_objects:
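Review bot: The drilldown name kept as context at the top of the hunk ends with a doubled quote (`"$dest$""`), so the rendered drilldown label carries a trailing `"` that none of the sibling detections have; change it to `- name: View risk events for the last 7 days for - "$dest$"`. The new `latest_offset: 0` also loads as an integer rather than a string, unlike `earliest_offset: 7d` and the `$info_max_time$` it replaces; quote it (`'0'`) if the content schema types the offset as a string. The `rba:` mapping continues outside the hunk.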
diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml
index b340c7f049..7924f4e2c2 100644
--- a/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml
+++ b/detections/network/cisco_secure_firewall___lumma_stealer_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Lumma Stealer Activity
id: 96bce783-c22e-4e48-8cf1-3eb2794c5083
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Lumma Stealer Activity on host $dest$ origniating from $src$
risk_objects:
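Review bot: The rba message following `latest_offset: 0` misspells "originating" (`origniating`); analysts and any message-based filtering see this text verbatim, so correct it while the block is being touched: `message: Lumma Stealer Activity on host $dest$ originating from $src$`. As elsewhere in this change, `latest_offset: 0` is an unquoted integer where the replaced `$info_max_time$` was a string; quote it (`'0'`) if the schema expects a string. The `rba:` mapping continues outside the hunk.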
diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml
index c431591ccb..09bb0c9a0c 100644
--- a/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml
+++ b/detections/network/cisco_secure_firewall___lumma_stealer_download_attempt.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Lumma Stealer Download Attempt
id: 66f22f52-fbae-4be7-a263-561dacb63613
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Lumma Stealer Download Attempt detected on host $dest$ origniating from $src$
risk_objects:
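Review bot: The rba message following `latest_offset: 0` misspells "originating" (`origniating`) and will be surfaced verbatim in every risk event; correct it: `message: Lumma Stealer Download Attempt detected on host $dest$ originating from $src$`. The unquoted `latest_offset: 0` loads as an integer, unlike `earliest_offset: 7d` and the `$info_max_time$` it replaces; quote it (`'0'`) if the content schema types the offset as a string. The `rba:` mapping continues outside the hunk.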
diff --git a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml
index a6bff3efcd..5ad2d7139d 100644
--- a/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml
+++ b/detections/network/cisco_secure_firewall___lumma_stealer_outbound_connection_attempt.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
id: 66f22f52-fbae-4be7-a263-561dacb63612
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Lumma Stealer Outbound Connection Attempt detected on host $dest$ origniating from $src$
risk_objects:
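Review bot: The rba message following `latest_offset: 0` misspells "originating" (`origniating`), the same typo as the sibling Lumma Stealer detections; correct it: `message: Lumma Stealer Outbound Connection Attempt detected on host $dest$ originating from $src$`. Note also that this file's `id` differs from the Download Attempt detection's only in the final hex digit, which is easy to mistake for a copy-paste collision when triaging; worth a glance that both are intentional. The unquoted `latest_offset: 0` loads as an integer, unlike the string `earliest_offset: 7d`; quote it (`'0'`) if the schema expects a string. The `rba:` mapping continues outside the hunk.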
diff --git a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
index 45af0085ae..bec1691ee8 100644
--- a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
+++ b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Malware File Downloaded
id: 3cc93f52-5aa6-4b7f-83b9-3430b1436813
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: File with Malware disposition downloaded from $dest$ over port $dest_port$ by $src$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___oracle_e_business_suite_correlation.yml b/detections/network/cisco_secure_firewall___oracle_e_business_suite_correlation.yml
index 90c5e18538..2f52ce304e 100644
--- a/detections/network/cisco_secure_firewall___oracle_e_business_suite_correlation.yml
+++ b/detections/network/cisco_secure_firewall___oracle_e_business_suite_correlation.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Oracle E-Business Suite Correlation
id: 9e995d21-6870-43de-acd9-76f372bcf323
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
@@ -76,9 +76,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Multiple Oracle E-Business Suite exploitation signatures $signature_id$ detected from source IP $src$ to destination IP $dest$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___oracle_e_business_suite_exploitation.yml b/detections/network/cisco_secure_firewall___oracle_e_business_suite_exploitation.yml
index 7da1021c2a..766236cc16 100644
--- a/detections/network/cisco_secure_firewall___oracle_e_business_suite_exploitation.yml
+++ b/detections/network/cisco_secure_firewall___oracle_e_business_suite_exploitation.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Oracle E-Business Suite Exploitation
id: 1c077b8a-95a3-4692-980d-c72fc50e9930
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
@@ -55,9 +55,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Network activity associated with Oracle E-Business Suite exploitation detected from source IP $src$ to destination IP $dest$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___possibly_compromised_host.yml b/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
index b632acc213..bba57dd316 100644
--- a/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
+++ b/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Possibly Compromised Host
id: 244a77bb-3b2a-46f1-bf2c-b4f7cd29276d
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: experimental
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A high impact IntrusionEvent was detected from $src$ to $dest$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml b/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
index a24c009a72..f95a1adb2f 100644
--- a/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
+++ b/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Potential Data Exfiltration
id: 3d8536b6-52b4-4c3e-b695-3f2e90bb22be
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
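Review bot: The rba message context line directly below this hunk, `Potential data exfiltration from $src$ to $dest$ with $Exfiltrated$ MB of data exfiltrated"`, ends with a stray double quote that will be emitted verbatim in the risk message. It is not introduced by this commit, but since the file is being bumped to a new version in the same change, dropping the trailing `"` here would avoid shipping the malformed message again.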
rba:
message: Potential data exfiltration from $src$ to $dest$ with $Exfiltrated$ MB of data exfiltrated"
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml b/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml
index 09007fb031..9d9d777e48 100644
--- a/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml
+++ b/detections/network/cisco_secure_firewall___privileged_command_execution_via_http.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Privileged Command Execution via HTTP
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: HTTP request to privileged execution path detected from $src$ to Cisco router $dest$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
index 1dcaacdf93..5568f6fffc 100644
--- a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
+++ b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - React Server Components RCE Attempt
id: d36459b1-7901-401a-a67e-44426c15b168
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
@@ -57,9 +57,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation of CVE-2025-65554 from $src$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml b/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
index c5e56dbfba..b59b112178 100644
--- a/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
+++ b/detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Remote Access Software Usage Traffic
id: ac54d39e-a75d-4f42-971d-006db3a0423a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Traffic to known remote access software [$ClientApplication$] was detected from $src$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml b/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
index 954e6c3550..c5267d0a57 100644
--- a/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
+++ b/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Repeated Blocked Connections
id: 1f57f10e-1dc5-47ea-852c-2e85b2503d79
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -41,9 +41,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Repeated blocked connections detected from $src$ to $dest$ according to the configured firewall rule $rule$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml b/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
index ec6930c96b..59e4fabf0a 100644
--- a/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
+++ b/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Repeated Malware Downloads
id: aeff2bb5-3483-48d4-9be8-c8976194be1e
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -47,9 +47,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Repeated malware file downloads detected from $src$ involving $ThreatName$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml b/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
index 4ad3f046ce..87cd62c568 100644
--- a/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
+++ b/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
id: a4c76d0a-56b6-44be-814b-939746c4d406
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$signature_id$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$signature_id$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$signature_id$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The Snort rule $signature$ was triggered by $unique_src_ips$ unique internal hosts within a one-hour window, indicating potential widespread exploitation or coordinated targeting activity.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml b/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml
index 7282a9f180..930763db68 100644
--- a/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml
+++ b/detections/network/cisco_secure_firewall___ssh_connection_to_non_standard_port.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - SSH Connection to Non-Standard Port
id: 9b0c2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Michael Haag, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Inbound SSH connection to non-standard port $dest_port$ detected from $src$ to network device $dest$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml b/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml
index 8ee301f7af..740708c605 100644
--- a/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml
+++ b/detections/network/cisco_secure_firewall___ssh_connection_to_sshd_operns.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - SSH Connection to sshd_operns
id: 8a9c1d2e-3f4b-5c6d-7e8f-9a0b1c2d3e4f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Inbound SSH connection to sshd_operns detected from $src$ to network device $dest$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___static_tundra_smart_install_abuse.yml b/detections/network/cisco_secure_firewall___static_tundra_smart_install_abuse.yml
index 232b2e2fd0..46423bf0d3 100644
--- a/detections/network/cisco_secure_firewall___static_tundra_smart_install_abuse.yml
+++ b/detections/network/cisco_secure_firewall___static_tundra_smart_install_abuse.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Static Tundra Smart Install Abuse
id: 7e9a5a2c-2f1a-4b6a-9a4b-9e7d9c8f5a21
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Smart Install exploitation or protocol abuse targeting $dest$ originating from $src$
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml
index c6576beaad..2ec00de765 100644
--- a/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml
+++ b/detections/network/cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
id: 7b7c2e92-f0b2-48d2-9c9b-b8de52b6b2ae
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Exploitation attempt of Veeam CVE-2023-27532 on host $dest$ by $src$.
risk_objects:
diff --git a/detections/network/cisco_secure_firewall___wget_or_curl_download.yml b/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
index fb2a51dbe4..1296259261 100644
--- a/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
+++ b/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
@@ -1,7 +1,7 @@
name: Cisco Secure Firewall - Wget or Curl Download
id: 173a1cb9-1814-4128-a9dc-f29dade89957
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: The process $EVE_Process$ initiated an allowed connection to download content using a command-line utility ($ClientApplication$) from $url$. This behavior may indicate tool staging or payload retrieval via curl or wget.
risk_objects:
diff --git a/detections/network/cisco_smart_install_oversized_packet_detection.yml b/detections/network/cisco_smart_install_oversized_packet_detection.yml
index f0cb6535d4..311d0fb59b 100644
--- a/detections/network/cisco_smart_install_oversized_packet_detection.yml
+++ b/detections/network/cisco_smart_install_oversized_packet_detection.yml
@@ -1,7 +1,7 @@
name: Cisco Smart Install Oversized Packet Detection
id: 3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Buffer overflow attempt detected in Cisco Smart Install message to $dest_ip$ from $src_ip$
risk_objects:
diff --git a/detections/network/cisco_smart_install_port_discovery_and_status.yml b/detections/network/cisco_smart_install_port_discovery_and_status.yml
index 0afc951163..d9792716b1 100644
--- a/detections/network/cisco_smart_install_port_discovery_and_status.yml
+++ b/detections/network/cisco_smart_install_port_discovery_and_status.yml
@@ -1,7 +1,7 @@
name: Cisco Smart Install Port Discovery and Status
id: ded9f9d7-edb8-48cf-8b72-1b459eee6785
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Detected network traffic to Cisco Smart Install port (4786) on $dest_ip$. Possible access to Cisco Smart Install.
risk_objects:
diff --git a/detections/network/cisco_snmp_community_string_configuration_changes.yml b/detections/network/cisco_snmp_community_string_configuration_changes.yml
index 906848e24d..d7b642cc75 100644
--- a/detections/network/cisco_snmp_community_string_configuration_changes.yml
+++ b/detections/network/cisco_snmp_community_string_configuration_changes.yml
@@ -1,7 +1,7 @@
name: Cisco SNMP Community String Configuration Changes
id: b0ce5521-2533-4f24-b8d5-c2ff977aae08
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious SNMP community string configuration changes detected on Cisco device $dest$ by user $user$, which may indicate persistence establishment
risk_objects:
diff --git a/detections/network/cisco_tftp_server_configuration_for_data_exfiltration.yml b/detections/network/cisco_tftp_server_configuration_for_data_exfiltration.yml
index c27a5081f9..8833cc71e9 100644
--- a/detections/network/cisco_tftp_server_configuration_for_data_exfiltration.yml
+++ b/detections/network/cisco_tftp_server_configuration_for_data_exfiltration.yml
@@ -1,7 +1,7 @@
name: Cisco TFTP Server Configuration for Data Exfiltration
id: 1abce487-f480-4d5f-a551-01de0bece0bd
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious TFTP server configuration detected on Cisco device $dest$ by user $user$, potentially exposing sensitive configuration files
risk_objects:
diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
index 7467dc6bb9..bcd7303ff9 100644
--- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
+++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
@@ -1,7 +1,7 @@
name: Detect hosts connecting to dynamic domain providers
id: a1e761ac-1344-4dbd-88b2-3f34c912d359
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A dns query $query$ from your infra connecting to suspicious domain
risk_objects:
diff --git a/detections/network/detect_large_icmp_traffic.yml b/detections/network/detect_large_icmp_traffic.yml
index 8510fac50b..e72831c176 100644
--- a/detections/network/detect_large_icmp_traffic.yml
+++ b/detections/network/detect_large_icmp_traffic.yml
@@ -1,7 +1,7 @@
name: Detect Large ICMP Traffic
id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8
-version: 5
-date: '2026-03-23'
+version: 6
+date: '2026-03-31'
author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
status: production
type: TTP
@@ -54,9 +54,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Large ICMP traffic greater than a 1000 bytes detected from $src_ip$ to $dest_ip$
risk_objects:
diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml
index 82903c3932..a9aefe92e1 100644
--- a/detections/network/detect_outbound_smb_traffic.yml
+++ b/detections/network/detect_outbound_smb_traffic.yml
@@ -1,7 +1,7 @@
name: Detect Outbound SMB Traffic
id: 1bed7774-304a-4e8f-9d72-d80e45ff492b
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$
risk_objects:
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml
index da24545c01..e93fe8ab0a 100644
--- a/detections/network/detect_remote_access_software_usage_dns.yml
+++ b/detections/network/detect_remote_access_software_usage_dns.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage DNS
id: a16b797d-e309-41bd-8ba0-5067dae2e4be
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate traffic to $query$
search: '| from datamodel:Network_Resolution.DNS | search src=$src$ query=$query$'
earliest_offset: $info_min_time$
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml
index da84dd669c..4d14a3cd15 100644
--- a/detections/network/detect_remote_access_software_usage_traffic.yml
+++ b/detections/network/detect_remote_access_software_usage_traffic.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage Traffic
id: 885ea672-07ee-475a-879e-60d28aa5dd42
-version: 14
-date: '2026-03-23'
+version: 15
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate application traffic for $app$
search: '| from datamodel:Network_Traffic.All_Traffic | search src=$src$ app=$app$'
earliest_offset: $info_min_time$
diff --git a/detections/network/dns_kerberos_coercion.yml b/detections/network/dns_kerberos_coercion.yml
index 3f3dd89731..92d8782c0f 100644
--- a/detections/network/dns_kerberos_coercion.yml
+++ b/detections/network/dns_kerberos_coercion.yml
@@ -1,7 +1,7 @@
name: DNS Kerberos Coercion
id: 8551252d-b5b6-4b6e-8a82-51460aeb29a3
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A dns query $query$ with marshalled CREDENTIAL_TARGET_INFORMATION seen from $src$
risk_objects:
diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml
index 9d3eb9f7ba..fea92a3232 100644
--- a/detections/network/dns_query_length_with_high_standard_deviation.yml
+++ b/detections/network/dns_query_length_with_high_standard_deviation.yml
@@ -1,7 +1,7 @@
name: DNS Query Length With High Standard Deviation
id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-31'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potentially suspicious DNS query [$query$] with high standard deviation from src - [$src$]
risk_objects:
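Review bot: The rewritten search in this drilldown still filters on `normalized_risk_object IN ("$host$")` while the drilldown's own name and the `rba.message` below reference `$src$`; if the detection's risk object is `src`, the drilldown substitutes an unpopulated token and returns no risk events. Change the filter to `normalized_risk_object IN ("$src$")` if the risk object is `src`, or rename the drilldown to match `$host$` if it is not. The `risk_objects` list that would settle which field is written begins after the hunk.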
diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
index c23d1ceb2e..718ebf0acd 100644
--- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
+++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
@@ -1,7 +1,7 @@
name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
id: bb1c2c30-107a-4e56-a4b9-1f7022867bfe
-version: 8
-date: '2026-03-23'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to exploit CVE-2022-1388 against an F5 appliance $dest$ has occurred.
risk_objects:
diff --git a/detections/network/http_c2_framework_user_agent.yml b/detections/network/http_c2_framework_user_agent.yml
index 92ab8712da..68de0d8bdf 100644
--- a/detections/network/http_c2_framework_user_agent.yml
+++ b/detections/network/http_c2_framework_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP C2 Framework User Agent
id: 229dc225-6abe-4d28-89fd-edf874086162
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Ravent Tait, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known C2 Framework user agent $http_user_agent$ was performing a request from $src$ to $dest$.
risk_objects:
diff --git a/detections/network/http_malware_user_agent.yml b/detections/network/http_malware_user_agent.yml
index 88f7976176..528d81b7f5 100644
--- a/detections/network/http_malware_user_agent.yml
+++ b/detections/network/http_malware_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP Malware User Agent
id: 8c4866e4-f488-4253-8537-7dc4f954c292
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known malware user agent $http_user_agent$ was performing a request from $src$.
risk_objects:
diff --git a/detections/network/http_pua_user_agent.yml b/detections/network/http_pua_user_agent.yml
index 0e0b8281ea..68dfed94fc 100644
--- a/detections/network/http_pua_user_agent.yml
+++ b/detections/network/http_pua_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP PUA User Agent
id: 21af5447-734f-4549-956b-7a255cb2b032
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known user agent ($http_user_agent$) associated with unusual programs was performing a request from $src$.
risk_objects:
diff --git a/detections/network/http_rmm_user_agent.yml b/detections/network/http_rmm_user_agent.yml
index cbdadb08e7..471cd4b8bd 100644
--- a/detections/network/http_rmm_user_agent.yml
+++ b/detections/network/http_rmm_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP RMM User Agent
id: 61884b02-0dcf-44c5-9094-db33bac09fa6
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A known rmm user agent $http_user_agent$ was performing a request from $src$.
risk_objects:
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
index 240a2f21c0..ced105c320 100644
--- a/detections/network/internal_horizontal_port_scan.yml
+++ b/detections/network/internal_horizontal_port_scan.yml
@@ -1,7 +1,7 @@
name: Internal Horizontal Port Scan
id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
risk_objects:
diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
index fa88a963e3..05dd022eb7 100644
--- a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
+++ b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
@@ -1,7 +1,7 @@
name: Internal Horizontal Port Scan NMAP Top 20
id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Dean Luxton
status: production
type: TTP
@@ -67,9 +67,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $src_ip$
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
risk_objects:
diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
index 1faa353112..616c16753b 100644
--- a/detections/network/internal_vertical_port_scan.yml
+++ b/detections/network/internal_vertical_port_scan.yml
@@ -1,7 +1,7 @@
name: Internal Vertical Port Scan
id: 40d2dc41-9bbf-421a-a34b-8611271a6770
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Dean Luxton, Splunk
status: production
type: TTP
@@ -61,9 +61,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$
risk_objects:
diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml
index 84a9bf132e..d6abf6aa92 100644
--- a/detections/network/ngrok_reverse_proxy_on_network.yml
+++ b/detections/network/ngrok_reverse_proxy_on_network.yml
@@ -1,7 +1,7 @@
name: Ngrok Reverse Proxy on Network
id: 5790a766-53b8-40d3-a696-3547b978fcf0
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An endpoint, $src$, is beaconing out to the reverse proxy service of Ngrok.
risk_objects:
diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml
index 756ecad24e..a3b527d2e7 100644
--- a/detections/network/prohibited_network_traffic_allowed.yml
+++ b/detections/network/prohibited_network_traffic_allowed.yml
@@ -1,7 +1,7 @@
name: Prohibited Network Traffic Allowed
id: ce5a0962-849f-4720-a678-753fe6674479
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potentially Prohibited Network Traffic allowed
risk_objects:
diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml
index 110f4a2023..24cde3f1bf 100644
--- a/detections/network/protocol_or_port_mismatch.yml
+++ b/detections/network/protocol_or_port_mismatch.yml
@@ -1,7 +1,7 @@
name: Protocol or Port Mismatch
id: 54dc1265-2f74-4b6d-b30d-49eb506a31b3
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -52,9 +52,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Port or Protocol Traffic Mismatch
risk_objects:
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml
index 44d975a48e..ecb86c096b 100644
--- a/detections/network/protocols_passing_authentication_in_cleartext.yml
+++ b/detections/network/protocols_passing_authentication_in_cleartext.yml
@@ -1,7 +1,7 @@
name: Protocols passing authentication in cleartext
id: 6923cd64-17a0-453c-b945-81ac2d8c6db9
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Rico Valdez, Splunk
status: production
type: Anomaly
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Allowed Traffic from $src_ip$ to $dest$ over port $dest_port$. Which might indicate a potential authentication attempts over a cleartext protocol.
risk_objects:
diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml
index b776191466..1d1b59b702 100644
--- a/detections/network/remote_desktop_network_traffic.yml
+++ b/detections/network/remote_desktop_network_traffic.yml
@@ -1,7 +1,7 @@
name: Remote Desktop Network Traffic
id: 272b8407-842d-4b3d-bead-a704584003d3
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: David Dorsey, Splunk
status: production
type: Anomaly
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Remote Desktop Network Traffic Anomaly Detected from $src$ to $dest$
risk_objects:
diff --git a/detections/network/rundll32_dnsquery.yml b/detections/network/rundll32_dnsquery.yml
index cea9e620d4..eab1a43cd9 100644
--- a/detections/network/rundll32_dnsquery.yml
+++ b/detections/network/rundll32_dnsquery.yml
@@ -1,7 +1,7 @@
name: Rundll32 DNSQuery
id: f1483f5e-ee29-11eb-9d23-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: rundll32 process $process_name$ made a DNS query for $query$ from host $dvc$
risk_objects:
diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
index 07ebb27b43..2c72f71374 100644
--- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
+++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
@@ -1,7 +1,7 @@
name: Suspicious Process DNS Query Known Abuse Web Services
id: 3cf0dc36-484d-11ec-a6bc-acde48001122
-version: 15
-date: '2026-03-10'
+version: 16
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -20,9 +20,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious process $process_name$ made a DNS query for $QueryName$ on $dvc$
risk_objects:
diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml
index ab60f1821e..cb3c621451 100644
--- a/detections/network/suspicious_process_with_discord_dns_query.yml
+++ b/detections/network/suspicious_process_with_discord_dns_query.yml
@@ -1,7 +1,7 @@
name: Suspicious Process With Discord DNS Query
id: 4d4332ae-792c-11ec-89c1-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: suspicious process $process_name$ has a dns query in $QueryName$ on $dvc$
risk_objects:
diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml
index e8fe1e1669..6949a1035e 100644
--- a/detections/network/tor_traffic.yml
+++ b/detections/network/tor_traffic.yml
@@ -1,7 +1,7 @@
name: TOR Traffic
id: ea688274-9c06-4473-b951-e4cb7a5d7a45
-version: 15
-date: '2026-03-23'
+version: 16
+date: '2026-03-31'
author: David Dorsey, Bhavin Patel, Splunk
status: production
type: TTP
@@ -40,9 +40,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Suspicious network traffic allowed using TOR has been detected from $src_ip$ to $dest_ip$
risk_objects:
diff --git a/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
index 61b7a0c7d0..85b17ebc5d 100644
--- a/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
+++ b/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
@@ -1,7 +1,7 @@
name: Wermgr Process Connecting To IP Check Web Services
id: ed313326-a0f9-11eb-a89c-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-31'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Wermgr.exe process connecting IP location web services on $dvc$
risk_objects:
diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml
index 222ded7cf9..3f77417b0e 100644
--- a/detections/network/windows_abused_web_services.yml
+++ b/detections/network/windows_abused_web_services.yml
@@ -1,7 +1,7 @@
name: Windows Abused Web Services
id: 01f0aef4-8591-4daa-a53d-0ed49823b681
-version: 10
-date: '2026-03-16'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -68,9 +68,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A network connection on known abused web services [$QueryName$] from [$dest$]
risk_objects:
diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
index 2599928aaa..76fe6ec5e2 100644
--- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
+++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
@@ -1,7 +1,7 @@
name: Windows DNS Query Request by Telegram Bot API
id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
data_source:
- Sysmon EventID 22
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: DNS query by a telegram bot [$query$] on [$dvc$].
risk_objects:
diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
index 37afeb1ff2..070a630598 100644
--- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
+++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
@@ -1,7 +1,7 @@
name: Windows Gather Victim Network Info Through Ip Check Web Services
id: 70f7c952-0758-46d6-9148-d8969c4481d1
-version: 18
-date: '2026-03-16'
+version: 19
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a network connection on known abused web services from $dvc$
risk_objects:
diff --git a/detections/network/windows_multi_hop_proxy_tor_website_query.yml b/detections/network/windows_multi_hop_proxy_tor_website_query.yml
index 9d37246acb..6dfd87d63c 100644
--- a/detections/network/windows_multi_hop_proxy_tor_website_query.yml
+++ b/detections/network/windows_multi_hop_proxy_tor_website_query.yml
@@ -1,7 +1,7 @@
name: Windows Multi hop Proxy TOR Website Query
id: 4c2d198b-da58-48d7-ba27-9368732d0054
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: a process $process_name$ is having a dns query in a tor domain $QueryName$ in $dvc$
risk_objects:
diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
index 87f7729874..d1bf111fc1 100644
--- a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
+++ b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
@@ -1,7 +1,7 @@
name: Windows Remote Desktop Network Bruteforce Attempt
id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Jose Hernandez, Bhavin Patel, Splunk
status: production
type: Anomaly
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: $dest$ may be the target of an RDP Bruteforce from $src$
risk_objects:
diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
index f32381b65d..50f66654ee 100644
--- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
+++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
@@ -1,7 +1,7 @@
name: Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
id: 15838756-f425-43fa-9d88-a7f88063e81a
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
risk_objects:
diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml
index 0963a64d08..1aca8c637e 100644
--- a/detections/web/adobe_coldfusion_access_control_bypass.yml
+++ b/detections/web/adobe_coldfusion_access_control_bypass.yml
@@ -1,7 +1,7 @@
name: Adobe ColdFusion Access Control Bypass
id: d6821c0b-fcdc-4c95-a77f-e10752fae41a
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -51,9 +51,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-29298 against $dest$ via $url$.
risk_objects:
diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
index 5e0c09189e..1f208c9867 100644
--- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
+++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
@@ -1,7 +1,7 @@
name: Adobe ColdFusion Unauthenticated Arbitrary File Read
id: 695aceae-21db-4e7f-93ac-a52e39d02b93
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-26360 against $dest$ via $url$.
risk_objects:
diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml
index 807b61299b..afaf417a5d 100644
--- a/detections/web/cisco_ios_xe_implant_access.yml
+++ b/detections/web/cisco_ios_xe_implant_access.yml
@@ -1,7 +1,7 @@
name: Cisco IOS XE Implant Access
id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-20198 against $dest$ via $url$ by $src$.
risk_objects:
diff --git a/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml b/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml
index 4543d3672e..2fc558fa32 100644
--- a/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml
+++ b/detections/web/citrix_adc_and_gateway_citrixbleed_2_memory_disclosure.yml
@@ -1,7 +1,7 @@
name: Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
id: bef92f3f-7dc8-413a-8989-50581039e250
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CitrixBleed 2 (CVE-2025-5777) exploitation from $src$ to $dest$ detected. POST requests to /p/u/doAuthentication.do may indicate memory disclosure vulnerability exploitation.
risk_objects:
diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
index b2ed428e7a..fedf801124 100644
--- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
+++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
@@ -1,7 +1,7 @@
name: Citrix ADC and Gateway Unauthorized Data Disclosure
id: b593cac5-dd20-4358-972a-d945fefdaf17
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of Citrix Bleed vulnerability against $dest$ fron $src$.
risk_objects:
diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
index 0768f5b84f..cfcca61dca 100644
--- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
+++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
@@ -1,7 +1,7 @@
name: Confluence CVE-2023-22515 Trigger Vulnerability
id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -30,9 +30,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.
risk_objects:
diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
index aa2cfc08e2..1b74afe3fc 100644
--- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml
+++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
@@ -1,7 +1,7 @@
name: Confluence Data Center and Server Privilege Escalation
id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.
risk_objects:
diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
index b874fddfd1..8105a966ae 100644
--- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
+++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
@@ -1,7 +1,7 @@
name: Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
id: f56936c0-ae6f-4eeb-91ff-ecc1448c6105
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Exploitation attempts on a known vulnerability in Atlassian Confluence detected. The source IP is $src$ and the destination hostname is $dest$.
risk_objects:
diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
index c8b901ae78..126dc50c8b 100644
--- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
+++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
@@ -1,7 +1,7 @@
name: Confluence Unauthenticated Remote Code Execution CVE-2022-26134
id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c
-version: 8
-date: '2026-03-23'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -59,9 +59,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.
risk_objects:
diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml
index bf416a7d66..ec3cc7083a 100644
--- a/detections/web/connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml
@@ -1,7 +1,7 @@
name: ConnectWise ScreenConnect Authentication Bypass
id: d3f7a803-e802-448b-8eb2-e796b223bfff
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Suricata
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An authentication bypass attempt against ScreenConnect has been detected on $dest$.
risk_objects:
diff --git a/detections/web/crushftp_authentication_bypass_exploitation.yml b/detections/web/crushftp_authentication_bypass_exploitation.yml
index 0e28e201a0..4c0e5001fc 100644
--- a/detections/web/crushftp_authentication_bypass_exploitation.yml
+++ b/detections/web/crushftp_authentication_bypass_exploitation.yml
@@ -1,7 +1,7 @@
name: CrushFTP Authentication Bypass Exploitation
id: 82eb7f64-d219-4e21-acfe-956de84c1a35
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CrushFTP authentication bypass exploitation from IP $src_ip$ as user $user$
risk_objects:
diff --git a/detections/web/crushftp_max_simultaneous_users_from_ip.yml b/detections/web/crushftp_max_simultaneous_users_from_ip.yml
index 967c68d2e8..33855844ff 100644
--- a/detections/web/crushftp_max_simultaneous_users_from_ip.yml
+++ b/detections/web/crushftp_max_simultaneous_users_from_ip.yml
@@ -1,7 +1,7 @@
name: CrushFTP Max Simultaneous Users From IP
id: 75dfd9f4-ca64-45d0-9422-4bde6d26a59e
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -21,9 +21,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential brute force or automated attack against CrushFTP detected from IP $src_ip$
risk_objects:
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
index 4ac7152602..329eaca8f7 100644
--- a/detections/web/detect_remote_access_software_usage_url.yml
+++ b/detections/web/detect_remote_access_software_usage_url.yml
@@ -1,7 +1,7 @@
name: Detect Remote Access Software Usage URL
id: 9296f515-073c-43a5-88ec-eda5a4626654
-version: 14
-date: '2026-03-23'
+version: 15
+date: '2026-03-31'
author: Steven Dick
status: production
type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: Investigate traffic to $url_domain$
search: '| from datamodel:Web | search src=$src$ url_domain=$url_domain$'
earliest_offset: $info_min_time$
diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
index 48df6e6701..49e1f29c3b 100644
--- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
+++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
@@ -1,7 +1,7 @@
name: Exploit Public Facing Application via Apache Commons Text
id: 19a481e0-c97c-4d14-b1db-75a708eb592e
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A URL was requested related to Text4Shell on $dest$ by $src$.
risk_objects:
diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
index 350d5dcb5b..2dda4d74a5 100644
--- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
+++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
@@ -1,7 +1,7 @@
name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
id: 2038f5c6-5aba-4221-8ae2-ca76e2ca8b97
-version: 9
-date: '2026-03-23'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -42,9 +42,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.
risk_objects:
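Review bot: The new offset pair mixes a string (`7d`) with an unquoted integer (`0`); if the schema for `earliest_offset`/`latest_offset` is string-typed, quote the second as `latest_offset: '0'`. With `starthoursago=168` removed from the search, the 7-day lookback named in the drilldown title depends solely on ES honoring `7d` as an offset value, so the accepted format (relative-time token vs. seconds) should be verified. Both the `drilldown_searches` list and the `rba` block extend beyond this hunk.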
diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml
index 6f9b360679..2ba5664bb7 100644
--- a/detections/web/f5_tmui_authentication_bypass.yml
+++ b/detections/web/f5_tmui_authentication_bypass.yml
@@ -1,7 +1,7 @@
name: F5 TMUI Authentication Bypass
id: 88bf127c-613e-4579-99e4-c4d4b02f3840
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CVE-2023-46747 F5 TMUI Authentication Bypass may be occurring against $dest$ from $src$.
risk_objects:
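Review bot: `latest_offset: 0` is an unquoted YAML integer while `earliest_offset: 7d` is a string; if the drilldown model types both as strings, write `latest_offset: '0'` so the pair loads consistently. Removing `starthoursago=168` shifts the 7-day window from the SPL itself to the offset field, so the "last 7 days" in the name is only true if ES parses `7d` as intended — worth confirming against the expected offset format. The enclosing `drilldown_searches` list begins and the `rba` block ends outside this hunk.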
diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml
index e0b1992a0b..5145e71eee 100644
--- a/detections/web/fortinet_appliance_auth_bypass.yml
+++ b/detections/web/fortinet_appliance_auth_bypass.yml
@@ -1,7 +1,7 @@
name: Fortinet Appliance Auth bypass
id: a83122f2-fa09-4868-a230-544dbc54bc1c
-version: 8
-date: '2026-03-23'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -49,9 +49,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.
risk_objects:
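Review bot: The replacement offsets are inconsistently typed — `7d` loads as a string, bare `0` as an integer — so `latest_offset: '0'` would be safer if the schema expects strings. Since `starthoursago=168` is no longer in the search, nothing in the SPL bounds the window anymore; the 7-day range now depends entirely on how ES interprets `7d`, which should be checked against the offset format ES accepts. The `drilldown_searches` list and `rba` block both continue outside this hunk.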
diff --git a/detections/web/high_volume_of_bytes_out_to_url.yml b/detections/web/high_volume_of_bytes_out_to_url.yml
index f6ba2f2f53..f94ea61363 100644
--- a/detections/web/high_volume_of_bytes_out_to_url.yml
+++ b/detections/web/high_volume_of_bytes_out_to_url.yml
@@ -1,7 +1,7 @@
name: High Volume of Bytes Out to Url
id: c8a6b56d-16dd-4e9c-b4bd-527742ead98d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Bhavin Patel, Splunk
data_source:
- Nginx Access
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A high volume of bytes out to a URL $url$ was detected from src $src$ to dest $dest$.
risk_objects:
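Review bot: `earliest_offset: 7d` and `latest_offset: 0` do not load as the same type (string vs. integer); if both fields are declared as strings, use `latest_offset: '0'`. The removed `starthoursago=168` used to cap the window inside the search regardless of the drilldown time range, so the 7-day lookback now rests on ES accepting `7d` as an offset — confirm the format before relying on it. Note also that `normalized_risk_object IN ("$src$")` substitutes the event's `src` into SPL unescaped, so a value containing a double quote would break the query; that is pre-existing, not introduced here. The surrounding `drilldown_searches` list and `rba` block extend beyond this hunk.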
diff --git a/detections/web/http_duplicated_header.yml b/detections/web/http_duplicated_header.yml
index 695ae8f93d..12bfb76555 100644
--- a/detections/web/http_duplicated_header.yml
+++ b/detections/web/http_duplicated_header.yml
@@ -1,7 +1,7 @@
name: HTTP Duplicated Header
id: 1606cc5b-fd5f-4865-9fe3-0ed1eaec2df6
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -35,9 +35,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Duplicated headers within a web request was detected. The source IP is $src_ip$ and the destination is $dest$.
risk_objects:
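Review bot: The new `latest_offset: 0` is an unquoted integer whereas `earliest_offset: 7d` is a string; if the drilldown schema is string-typed for both, quote it as `latest_offset: '0'`. With `starthoursago=168` gone from the search, the 7-day window in the drilldown name is only honored if ES parses `7d` as an offset, so the accepted offset format should be verified. The `drilldown_searches` list starts and the `rba` block continues outside this hunk.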
diff --git a/detections/web/http_possible_request_smuggling.yml b/detections/web/http_possible_request_smuggling.yml
index cbc9b83dd2..6d8e216782 100644
--- a/detections/web/http_possible_request_smuggling.yml
+++ b/detections/web/http_possible_request_smuggling.yml
@@ -1,7 +1,7 @@
name: HTTP Possible Request Smuggling
id: 97d85f98-9d15-41a0-8682-7030454875e7
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible request smuggling against a web request was detected. The source IP is $src_ip$ and the destination is $dest$.
risk_objects:
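Review bot: `7d` and bare `0` load as different YAML types; if both offset fields are strings in the schema, the second should be `latest_offset: '0'`. The search no longer carries `starthoursago=168`, so the "last 7 days" range now depends wholly on ES interpreting `7d` correctly — confirm the offset format (relative-time token vs. seconds) before trusting the window. Both the `drilldown_searches` list and the `rba` block extend beyond this hunk.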
diff --git a/detections/web/http_rapid_post_with_mixed_status_codes.yml b/detections/web/http_rapid_post_with_mixed_status_codes.yml
index 0f1d30066d..07b66db7ff 100644
--- a/detections/web/http_rapid_post_with_mixed_status_codes.yml
+++ b/detections/web/http_rapid_post_with_mixed_status_codes.yml
@@ -1,7 +1,7 @@
name: HTTP Rapid POST with Mixed Status Codes
id: c8c987d6-3a1a-4555-9a52-eea0741b6113
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A potential attempt to perform request smuggling against a web server was detected. The source IP is $src_ip$ and the destination is $dest$.
risk_objects:
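Review bot: `latest_offset: 0` parses as an integer while `earliest_offset: 7d` parses as a string; if the schema expects strings for both, use `latest_offset: '0'`. Removing `starthoursago=168` leaves the 7-day window entirely to ES's handling of `7d`, which should be checked against the offset format ES accepts. Separately, the trailing context `message: A potential attempt to perform request smuggling against a web server was detected.` does not match this detection's name (HTTP Rapid POST with Mixed Status Codes); that is pre-existing but worth correcting while the file is touched. The `drilldown_searches` list and `rba` block continue outside this hunk.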
diff --git a/detections/web/http_request_to_reserved_name_on_iis_server.yml b/detections/web/http_request_to_reserved_name_on_iis_server.yml
index 5b6c7ef2b4..34beb4045a 100644
--- a/detections/web/http_request_to_reserved_name_on_iis_server.yml
+++ b/detections/web/http_request_to_reserved_name_on_iis_server.yml
@@ -1,7 +1,7 @@
name: HTTP Request to Reserved Name on IIS Server
id: 1e45e6a8-110b-4886-b815-8d69cf35bf0a
-version: 4
-date: '2026-03-27'
+version: 5
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: TTP
@@ -71,9 +71,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Known scripting tool was used against a web request. The source IP is $src$ and the destination is $dest$.
risk_objects:
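Review bot: The offset pair is inconsistently typed — `7d` is a string, unquoted `0` an integer — so `latest_offset: '0'` is safer if the drilldown schema is string-typed. Dropping `starthoursago=168` means the 7-day window now depends solely on ES accepting `7d` as an offset; verify the expected format. The trailing context `message: Known scripting tool was used against a web request.` reads as copied from another detection and does not describe a request to a reserved name on IIS; pre-existing, but worth fixing here. Both the `drilldown_searches` list and the `rba` block extend outside this hunk.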
diff --git a/detections/web/http_scripting_tool_user_agent.yml b/detections/web/http_scripting_tool_user_agent.yml
index 070eac7784..d59c35084e 100644
--- a/detections/web/http_scripting_tool_user_agent.yml
+++ b/detections/web/http_scripting_tool_user_agent.yml
@@ -1,7 +1,7 @@
name: HTTP Scripting Tool User Agent
id: 04430b4e-5ca8-4e88-98b5-d6bcf54f8393
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Raven Tait, Splunk
status: production
type: Anomaly
@@ -36,9 +36,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Known scripting tool was used against a web request. The source IP is $src_ip$ and the destination is $dest$.
risk_objects:
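Review bot: `earliest_offset: 7d` and `latest_offset: 0` load as string and integer respectively; if both are declared as strings, quote the second as `latest_offset: '0'`. The removed `starthoursago=168` previously bounded the search on its own, so the 7-day lookback now rests on ES parsing `7d` as an offset — confirm the accepted format before relying on it. The `drilldown_searches` list starts and the `rba` block continues outside this hunk.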
diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml
index a8d1598053..15e5424e57 100644
--- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml
+++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml
@@ -1,7 +1,7 @@
name: Ivanti Connect Secure Command Injection Attempts
id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
risk_objects:
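Review bot: Bare `0` in `latest_offset: 0` becomes a YAML integer while `7d` stays a string; if the schema types both offsets as strings, write `latest_offset: '0'`. With `starthoursago=168` removed, nothing in the SPL limits the window any more, so the 7-day range named in the drilldown depends entirely on ES honoring `7d` — verify against the offset format ES expects. Both the `drilldown_searches` list and the `rba` block extend beyond this hunk.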
diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
index c293e8d812..175f2f6e26 100644
--- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
+++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
@@ -1,7 +1,7 @@
name: Ivanti Connect Secure SSRF in SAML Component
id: 8e6ca490-7af3-4299-9a24-39fb69759925
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2024-21893 against $dest$ from $src$.
risk_objects:
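Review bot: The new offsets are typed differently after YAML parsing (`7d` string, `0` integer); if the drilldown model declares both as strings, use `latest_offset: '0'` for consistency. Removing `starthoursago=168` shifts the 7-day window from the search to the offset field, so the "last 7 days" claim holds only if ES parses `7d` as intended — confirm the accepted format. The `drilldown_searches` list and `rba` block continue outside this hunk.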
diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
index 235bb3dd19..c60e1d6b0e 100644
--- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
+++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
@@ -1,7 +1,7 @@
name: Ivanti Connect Secure System Information Access via Auth Bypass
id: d51c13dd-a232-4c83-a2bb-72ab36233c5d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-46805 and CVE-2024-21887 against $dest$.
risk_objects:
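Review bot: `latest_offset: 0` is an unquoted integer whereas `earliest_offset: 7d` is a string; quote it as `latest_offset: '0'` if the schema is string-typed for both. Since `starthoursago=168` no longer appears in the search, the 7-day lookback now depends wholly on ES accepting `7d` as an offset value, which should be checked against the supported format. The `drilldown_searches` list begins and the `rba` block ends outside this hunk.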
diff --git a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
index ff5e59aac2..7d89a31ab2 100644
--- a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
+++ b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
@@ -1,7 +1,7 @@
name: Ivanti EPM SQL Injection Remote Code Execution
id: e20564ca-c86c-4e30-acdb-a8486673426f
-version: 9
-date: '2026-03-27'
+version: 10
+date: '2026-03-31'
author: Michael Haag
type: TTP
status: production
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation of a critical SQL injection vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824 against $dest$.
risk_objects:
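Review bot: `7d` and bare `0` do not load as the same YAML type; if both offset fields are strings in the schema, the second should be `latest_offset: '0'`. With `starthoursago=168` dropped from the search, the 7-day window in the drilldown name rests entirely on ES interpreting `7d` correctly — verify the offset format (relative-time token vs. seconds). Both the `drilldown_searches` list and the `rba` block extend beyond this hunk.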
diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
index 42042cda6b..4bb48c6458 100644
--- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
+++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
@@ -1,7 +1,7 @@
name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
id: 66b9c9ba-7fb2-4e80-a3a2-496e5e078167
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.
risk_objects:
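Review bot: The replacement `latest_offset: 0` parses as an integer while `earliest_offset: 7d` parses as a string; if both are declared as strings, use `latest_offset: '0'`. Removing `starthoursago=168` leaves the 7-day window to ES's handling of `7d`, so the accepted offset format should be confirmed before the window is trusted. The `drilldown_searches` list starts and the `rba` block continues outside this hunk.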
diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
index 95bb3990e9..2b4ed231e6 100644
--- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
+++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
@@ -1,7 +1,7 @@
name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
id: e03edeba-4942-470c-a664-27253f3ad351
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -46,9 +46,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.
risk_objects:
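Review bot: The offset pair mixes a string (`7d`) with an unquoted integer (`0`); if the drilldown schema expects strings, quote the second as `latest_offset: '0'`. The removed `starthoursago=168` used to bound the search regardless of the drilldown time range, so the 7-day lookback now depends solely on ES parsing `7d` as an offset — verify the format ES accepts. Both the `drilldown_searches` list and the `rba` block extend outside this hunk.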
diff --git a/detections/web/java_class_file_download_by_java_user_agent.yml b/detections/web/java_class_file_download_by_java_user_agent.yml
index 98b6e6d5b3..7241925c1e 100644
--- a/detections/web/java_class_file_download_by_java_user_agent.yml
+++ b/detections/web/java_class_file_download_by_java_user_agent.yml
@@ -1,7 +1,7 @@
name: Java Class File download by Java User Agent
id: 8281ce42-5c50-11ec-82d2-acde48001122
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A Java user agent $http_user_agent$ was performing a $http_method$ to retrieve a remote class file.
risk_objects:
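Review bot: `earliest_offset: 7d` loads as a string and `latest_offset: 0` as an integer; if both fields are string-typed in the schema, write `latest_offset: '0'`. With `starthoursago=168` gone from the search, the "last 7 days" window is honored only if ES parses `7d` as an offset, which should be confirmed against the expected format. Note also that `normalized_risk_object IN ("$dest$")` substitutes the event's `dest` into SPL unescaped, so a value containing a double quote would break the query; pre-existing, not introduced here. The `drilldown_searches` list and `rba` block continue outside this hunk.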
diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
index efabdfdc88..8c31537230 100644
--- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
+++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
@@ -1,7 +1,7 @@
name: Jenkins Arbitrary File Read CVE-2024-23897
id: c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Jenkins Arbitrary File Read CVE-2024-23897 against $dest$ by $src$.
risk_objects:
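Review bot: Unquoted `0` in `latest_offset: 0` becomes a YAML integer while `7d` stays a string; if the schema types both offsets as strings, use `latest_offset: '0'`. Since `starthoursago=168` was removed from the search, nothing in the SPL bounds the window any more and the 7-day range rests entirely on ES honoring `7d` — verify against the offset format ES expects. Both the `drilldown_searches` list and the `rba` block extend beyond this hunk.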
diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
index 4aa5923dfb..5317df689f 100644
--- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
+++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
@@ -1,7 +1,7 @@
name: JetBrains TeamCity Authentication Bypass CVE-2024-27198
id: fbcc04c7-8a79-453c-b3a9-c232c423bdd4
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Suricata
@@ -37,9 +37,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible JetBrains TeamCity Authentication Bypass CVE-2024-27198 Attempt against $dest$ from $src$.
risk_objects:
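Review bot: The new window is anchored to the notable's event time (`earliest_offset: 7d`, `latest_offset: 0`), whereas the dropped `starthoursago=168` was relative to search execution, so an analyst triaging an older notable now sees a different set of risk events than before; the drilldown name still says "last 7 days" and should say the window is relative to the event, e.g. `View risk events for the 7 days preceding the event for - "$dest$"`. Also note `latest_offset: 0` parses as an integer while `earliest_offset: 7d` is a string — if the model expects strings, write `'0'` or `0s`.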
diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
index 302bfc2361..0d016d14b1 100644
--- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
+++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
@@ -1,7 +1,7 @@
name: JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
id: fbcc04c7-8a79-453c-b3a9-c232c423bdd3
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Suricata
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible JetBrains TeamCity Authentication Bypass Attempt against $dest$ from $src$.
risk_objects:
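Review bot: This hunk and the preceding CVE-2024-27198 detection now carry identical drilldowns, but `latest_offset: 0` ends the window at the triggering event, so risk contributions logged after the bypass attempt (such as the follow-on RCE detections in this same directory firing against the same `$dest$`) will not appear in the "risk events" view; if the view is meant to show the host's risk context around the event, a non-zero `latest_offset` is required. The bare `0` is also a YAML integer while `7d` is a string — quote it (`'0'`) or add a unit (`0s`) if the ES offset parameters are string-typed.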
diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
index 08d262a1ea..d8f6bc2a09 100644
--- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
+++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
@@ -1,7 +1,7 @@
name: JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
id: a1e68dcd-2e24-4434-bd0e-b3d4de139d58
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Suricata
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible JetBrains TeamCity Limited Authentication Bypass Attempt against $dest$ from $src$.
risk_objects:
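Review bot: `latest_offset: 0` parses as an integer while `earliest_offset: 7d` is a string, so the two fields arrive with different types; if contentctl or the ES drilldown parameters expect a time-specifier string, use `latest_offset: '0'` or `0s`. Since the window now ends at the event time, risk events written after this limited bypass attempt — including those from the full CVE-2024-27198 bypass detection against the same `$dest$` — are outside the view, which may be worth widening if the drilldown is meant for pivoting to related activity.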
diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml
index d4844d85a5..aa47873a0d 100644
--- a/detections/web/jetbrains_teamcity_rce_attempt.yml
+++ b/detections/web/jetbrains_teamcity_rce_attempt.yml
@@ -1,7 +1,7 @@
name: JetBrains TeamCity RCE Attempt
id: 89a58e5f-1365-4793-b45c-770abbb32b6c
-version: 9
-date: '2026-03-27'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential JetBrains TeamCity RCE Attempt detected against URL $url$ on $dest$.
risk_objects:
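Review bot: The drilldown name "View risk events for the last 7 days" no longer matches the semantics of the new offsets, which (as far as the ES drilldown parameters are understood here) anchor the window to the triggering event rather than to the time the analyst opens it; rename to `View risk events for the 7 days preceding the event for - "$dest$"` so triagers of older notables are not misled. The bare `latest_offset: 0` is a YAML integer alongside a string `earliest_offset: 7d`; quote it as `'0'` or write `0s` if the offset fields are string-typed.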
diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
index 9c6bf51a3f..59058b03fd 100644
--- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
+++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
@@ -1,7 +1,7 @@
name: Juniper Networks Remote Code Execution Exploit Detection
id: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.
risk_objects:
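Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` is a string, so the two offsets are typed inconsistently and a string-typed model field would reject or coerce the `0`; prefer `latest_offset: '0'` or `0s`. With the end of the window at the event time, any risk added to `$dest$` after the exploit attempt (post-exploitation detections on the same device) falls outside the view, which seems at odds with the purpose of a risk-context drilldown — consider a positive `latest_offset`.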
diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml
index a274ae9ed7..11f4734c63 100644
--- a/detections/web/log4shell_jndi_payload_injection_attempt.yml
+++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml
@@ -1,7 +1,7 @@
name: Log4Shell JNDI Payload Injection Attempt
id: c184f12e-5c90-11ec-bf1f-497c9a704a72
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Jose Hernandez
status: production
type: Anomaly
@@ -24,9 +24,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: CVE-2021-44228 Log4Shell triggered for host $dest$
risk_objects:
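Review bot: This drilldown pivots on two tokens, `$user$` and `$dest$`; web access events frequently carry no user, and it is not visible here how ES substitutes an empty or missing token into `IN ("$user$", "$dest$")` — if it is left literal or empty the search still works only because `$dest$` matches, but that should be confirmed rather than assumed. The new `latest_offset: 0` is also a YAML integer next to the string `earliest_offset: 7d`; quote it (`'0'`) or use `0s` if the offset parameters are string-typed, and rename the drilldown to say the 7 days precede the event, since the window is no longer relative to now.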
diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
index effdde9194..3b612c25a4 100644
--- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
+++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
@@ -1,7 +1,7 @@
name: Log4Shell JNDI Payload Injection with Outbound Connection
id: 69afee44-5c91-11ec-bf1f-497c9a704a72
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Jose Hernandez
status: production
type: Anomaly
@@ -23,9 +23,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: CVE-2021-44228 Log4Shell triggered for host $dest$
risk_objects:
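Review bot: For a detection whose value is the outbound connection that follows the JNDI injection, closing the risk window at the triggering event (`latest_offset: 0`) hides exactly the follow-on risk events on `$dest$` an analyst would want to see; a positive `latest_offset` would keep that context. `0` is also parsed as an integer while `7d` is a string — write `'0'` or `0s` if contentctl declares these fields as strings.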
diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
index 77e90853b7..c7f9efb3c3 100644
--- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
+++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
@@ -1,7 +1,7 @@
name: Microsoft SharePoint Server Elevation of Privilege
id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859d
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -44,9 +44,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Possible exploitation of CVE-2023-29357 against $dest$ from $src$.
risk_objects:
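Review bot: `latest_offset: 0` is a bare integer alongside the string `earliest_offset: 7d`; if the drilldown offset fields are string-typed in the contentctl model, write `latest_offset: '0'` or `0s` so both are consistently time specifiers. The dropped `starthoursago=168` was relative to search time while the new offsets are relative to the event, so the drilldown name should say `7 days preceding the event` rather than "last 7 days".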
diff --git a/detections/web/multiple_archive_files_http_post_traffic.yml b/detections/web/multiple_archive_files_http_post_traffic.yml
index 16df2bb35a..ccca16b936 100644
--- a/detections/web/multiple_archive_files_http_post_traffic.yml
+++ b/detections/web/multiple_archive_files_http_post_traffic.yml
@@ -1,7 +1,7 @@
name: Multiple Archive Files Http Post Traffic
id: 4477f3ea-a28f-11eb-b762-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -33,9 +33,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A http post $http_method$ sending packet with possible archive bytes header in uri path $uri_path$
risk_objects:
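Review bot: The drilldown pivots on `$src_ip$`, but the RBA message in this hunk references `$http_method$` and `$uri_path$` and the `risk_objects` list is cut off at the end of the hunk, so it cannot be confirmed here that `src_ip` is the declared risk object; if the risk object is `src` instead, `normalized_risk_object IN ("$src_ip$")` will match nothing. Also `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string — quote it (`'0'`) or use `0s` if the fields are string-typed.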
diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
index 53f58a664c..15de3dc33f 100644
--- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
@@ -1,7 +1,7 @@
name: Nginx ConnectWise ScreenConnect Authentication Bypass
id: b3f7a803-e802-448b-8eb2-e796b223bccc
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Nginx Access
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An authentication bypass attempt against ScreenConnect has been detected on $dest$.
risk_objects:
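Review bot: `latest_offset: 0` parses as an integer while `earliest_offset: 7d` is a string, so the two offsets are typed inconsistently; if contentctl or the ES drilldown parameters expect a time-specifier string, use `latest_offset: '0'` or `0s`. Because the window now ends at the triggering event, risk from the post-authentication activity that typically follows a ScreenConnect bypass on `$dest$` is outside the view — consider a positive end offset, and rename the drilldown to say the 7 days precede the event.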
diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml
index 34156bd5ab..52d2da016f 100644
--- a/detections/web/papercut_ng_remote_web_access_attempt.yml
+++ b/detections/web/papercut_ng_remote_web_access_attempt.yml
@@ -1,7 +1,7 @@
name: PaperCut NG Remote Web Access Attempt
id: 9fcb214a-dc42-4ce7-a650-f1d2cab16a6a
-version: 8
-date: '2026-03-27'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -76,9 +76,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: URIs specific to PaperCut NG have been access by a public IP $src$ against $dest$.
risk_objects:
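Review bot: The risk view pivots on `$dest$` only, while the RBA message names both `$src$` (a public IP) and `$dest$`; since the `risk_objects` list runs past the hunk it cannot be confirmed whether `src` is also a risk object, but if it is, `IN ("$src$", "$dest$")` would give the analyst the attacker-side context as well. The new `latest_offset: 0` is a YAML integer beside the string `earliest_offset: 7d` — write `'0'` or `0s` if the offset fields are string-typed.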
diff --git a/detections/web/plain_http_post_exfiltrated_data.yml b/detections/web/plain_http_post_exfiltrated_data.yml
index 057bade51c..e503107a26 100644
--- a/detections/web/plain_http_post_exfiltrated_data.yml
+++ b/detections/web/plain_http_post_exfiltrated_data.yml
@@ -1,7 +1,7 @@
name: Plain HTTP POST Exfiltrated Data
id: e2b36208-a364-11eb-8909-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-31'
author: Teoderick Contreras, Splunk
status: production
type: TTP
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A http post $http_method$ sending packet with plain text of information in uri path $uri_path$
risk_objects:
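Review bot: `latest_offset: 0` is an unquoted integer while `earliest_offset: 7d` is a string; if the offset fields are declared as strings, quote it (`latest_offset: '0'`) or use `0s` so both values are consistent time specifiers. As with the sibling archive-upload detection, the `risk_objects` list is cut off by the hunk, so whether `src_ip` (the token this drilldown pivots on) is the declared risk object cannot be verified here — if it is `src`, the `IN ("$src_ip$")` filter will return nothing.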
diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml
index 2bdc684553..5c0b029c37 100644
--- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml
+++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml
@@ -1,7 +1,7 @@
name: ProxyShell ProxyNotShell Behavior Detected
id: c32fab32-6aaf-492d-bfaf-acbed8e50cdf
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Correlation
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$risk_object$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
tags:
analytic_story:
- ProxyShell
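Review bot: For a Correlation-type analytic that itself reads the risk index, ending the drilldown window at the triggering event (`latest_offset: 0`) means the view shows only the risk events that already fed this correlation and none written for `$risk_object$` afterwards; a positive `latest_offset` would make the drilldown useful for ongoing triage. `0` is also parsed as a YAML integer while `7d` is a string — write `'0'` or `0s` if the fields are string-typed.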
diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml
index c45b33db65..ea4017e4c0 100644
--- a/detections/web/spring4shell_payload_url_request.yml
+++ b/detections/web/spring4shell_payload_url_request.yml
@@ -1,7 +1,7 @@
name: Spring4Shell Payload URL Request
id: 9d44d649-7d67-4559-95c1-8022ff49420b
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A URL was requested related to Spring4Shell POC code on $dest$ by $src$.
risk_objects:
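Review bot: `latest_offset: 0` is a bare YAML integer next to the string `earliest_offset: 7d`; quote it as `'0'` or give it a unit (`0s`) if contentctl declares the offset fields as strings. The window is now anchored to the triggering event rather than to search time, so the drilldown name should read `View risk events for the 7 days preceding the event for - "$dest$"` to avoid misleading analysts triaging older notables.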
diff --git a/detections/web/tomcat_session_deserialization_attempt.yml b/detections/web/tomcat_session_deserialization_attempt.yml
index 2b65c729a6..a54ae33d3c 100644
--- a/detections/web/tomcat_session_deserialization_attempt.yml
+++ b/detections/web/tomcat_session_deserialization_attempt.yml
@@ -1,7 +1,7 @@
name: Tomcat Session Deserialization Attempt
id: e28b4fd4-8f5a-41cd-8222-2f1ccca53ef1
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -38,9 +38,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: View suspicious JSESSIONID cookies
search: '| from datamodel Web.Web | search http_method=GET AND cookie="*JSESSIONID=.*" src=$src$ | table src dest http_method uri_path http_user_agent status'
earliest_offset: $info_min_time$
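Review bot: `latest_offset: 0` is a YAML integer while `earliest_offset: 7d` is a string, and the unchanged JSESSIONID drilldown that follows still uses the `$info_min_time$`/`$info_max_time$` pair, so this file now mixes three offset forms; if the offset fields are string-typed, write `latest_offset: '0'` or `0s`. Since `$src$` is an attacker-side address, closing the window at the event time drops any risk the same source accrues after the deserialization attempt (including the companion session-upload detection), which argues for a positive `latest_offset` here.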
diff --git a/detections/web/tomcat_session_file_upload_attempt.yml b/detections/web/tomcat_session_file_upload_attempt.yml
index 62da33660c..a024ad0e83 100644
--- a/detections/web/tomcat_session_file_upload_attempt.yml
+++ b/detections/web/tomcat_session_file_upload_attempt.yml
@@ -1,7 +1,7 @@
name: Tomcat Session File Upload Attempt
id: a1d8f5c3-9b7e-4f2d-8c51-3bca5e672410
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -39,9 +39,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
- name: View all PUT requests to .session files
search: '| from datamodel Web.Web | search http_method = PUT uri_path="*.session" src=$src$ | table src dest http_method uri_path http_user_agent status'
earliest_offset: $info_min_time$
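Review bot: `latest_offset: 0` parses as an integer while `earliest_offset: 7d` is a string; if the contentctl model expects string time specifiers, quote it (`'0'`) or use `0s`. The PUT-to-`.session` upload is the first half of the Tomcat session attack and the deserialization trigger follows it, so with the window closed at the event time the risk view for `$src$` will not show the second stage — a positive `latest_offset` would keep that context visible.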
diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml
index 990ed6c6f6..cf937f3e82 100644
--- a/detections/web/vmware_aria_operations_exploit_attempt.yml
+++ b/detections/web/vmware_aria_operations_exploit_attempt.yml
@@ -1,7 +1,7 @@
name: VMWare Aria Operations Exploit Attempt
id: d5d865e4-03e6-43da-98f4-28a4f42d4df7
-version: 8
-date: '2026-03-23'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -47,9 +47,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An exploitation attempt has occurred against $dest$ from $src$ related to CVE-2023-20887
risk_objects:
diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
index 7db3f29418..9433926176 100644
--- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
+++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
@@ -1,7 +1,7 @@
name: VMware Workspace ONE Freemarker Server-side Template Injection
id: 9e5726fe-8fde-460e-bd74-cddcf6c86113
-version: 8
-date: '2026-03-23'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: Anomaly
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to exploit a VMware Server Side Injection CVE-2022-22954 on $dest$ has occurred.
risk_objects:
diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml
index 519a693121..320e9c8c58 100644
--- a/detections/web/web_jsp_request_via_url.yml
+++ b/detections/web/web_jsp_request_via_url.yml
@@ -1,7 +1,7 @@
name: Web JSP Request via URL
id: 2850c734-2d44-4431-8139-1a56f6f54c01
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious URL has been requested against $dest$ by $src$, related to web shell activity.
risk_objects:
diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml
index d13986da91..0c00431f33 100644
--- a/detections/web/web_remote_shellservlet_access.yml
+++ b/detections/web/web_remote_shellservlet_access.yml
@@ -1,7 +1,7 @@
name: Web Remote ShellServlet Access
id: c2a332c3-24a2-4e24-9455-0e80332e6746
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: An attempt to access the Remote ShellServlet on a web server was detected. The source IP is $src$ and the destination hostname is $dest$.
risk_objects:
diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml
index 06b917c456..5d1b7808be 100644
--- a/detections/web/web_spring4shell_http_request_class_module.yml
+++ b/detections/web/web_spring4shell_http_request_class_module.yml
@@ -1,7 +1,7 @@
name: Web Spring4Shell HTTP Request Class Module
id: fcdfd69d-0ca3-4476-920e-9b633cb4593e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -28,9 +28,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A http body request related to Spring4Shell has been sent to $dest$ by $src$.
risk_objects:
diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml
index c193a05731..0316b39118 100644
--- a/detections/web/web_spring_cloud_function_functionrouter.yml
+++ b/detections/web/web_spring_cloud_function_functionrouter.yml
@@ -1,7 +1,7 @@
name: Web Spring Cloud Function FunctionRouter
id: 89dddbad-369a-4f8a-ace2-2439218735bc
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -29,9 +29,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: A suspicious URL has been requested against $dest$ by $src$, related to a vulnerability in Spring Cloud.
risk_objects:
diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
index 5f3bd47958..e15a37ba5f 100644
--- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
+++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
@@ -1,7 +1,7 @@
name: Windows Exchange Autodiscover SSRF Abuse
id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Nathaniel Stearns, Splunk
status: production
type: TTP
@@ -47,9 +47,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Activity related to ProxyShell or ProxyNotShell has been identified on $dest$. Review events and take action accordingly.
risk_objects:
diff --git a/detections/web/windows_sharepoint_spinstall0_get_request.yml b/detections/web/windows_sharepoint_spinstall0_get_request.yml
index 915e2b3573..3201867442 100644
--- a/detections/web/windows_sharepoint_spinstall0_get_request.yml
+++ b/detections/web/windows_sharepoint_spinstall0_get_request.yml
@@ -1,7 +1,7 @@
name: Windows SharePoint Spinstall0 GET Request
id: ac490de2-ee39-421c-b61b-1c4005dde427
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -31,9 +31,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential access to SharePoint webshell (spinstall0.aspx) detected from $src$ targeting $dest$
risk_objects:
diff --git a/detections/web/windows_sharepoint_toolpane_endpoint_exploitation_attempt.yml b/detections/web/windows_sharepoint_toolpane_endpoint_exploitation_attempt.yml
index a73a3ae694..bc55f0f45e 100644
--- a/detections/web/windows_sharepoint_toolpane_endpoint_exploitation_attempt.yml
+++ b/detections/web/windows_sharepoint_toolpane_endpoint_exploitation_attempt.yml
@@ -1,7 +1,7 @@
name: Windows SharePoint ToolPane Endpoint Exploitation Attempt
id: 508b2649-3a1e-4a4c-ba9d-3cc05e1a1b70
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -34,9 +34,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential SharePoint ToolPane exploitation (CVE-2025-53770) detected from $src$ targeting $dest$
risk_objects:
diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml
index 3861531381..b623d97aa3 100644
--- a/detections/web/wordpress_bricks_builder_plugin_rce.yml
+++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml
@@ -1,7 +1,7 @@
name: WordPress Bricks Builder plugin RCE
id: 56a8771a-3fda-4959-b81d-2f266e2f679f
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Michael Haag, Splunk
data_source:
- Nginx Access
@@ -32,9 +32,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability on $dest$ by $src$.
risk_objects:
diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml
index 952621c0c6..20b99d200d 100644
--- a/detections/web/ws_ftp_remote_code_execution.yml
+++ b/detections/web/ws_ftp_remote_code_execution.yml
@@ -1,7 +1,7 @@
name: WS FTP Remote Code Execution
id: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845
-version: 9
-date: '2026-03-27'
+version: 10
+date: '2026-03-31'
author: Michael Haag, Splunk
status: production
type: TTP
@@ -45,9 +45,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential WS FTP Remote Code Execution detected against URL $url$ on $dest$ from $src$
risk_objects:
diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml
index 7a2da6d8b1..ec5b57cbee 100644
--- a/detections/web/zscaler_adware_activities_threat_blocked.yml
+++ b/detections/web/zscaler_adware_activities_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Adware Activities Threat Blocked
id: 3407b250-345a-4d71-80db-c91e555a3ece
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Adware Activity blocked from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
index 8d1d6d1079..63dea167ad 100644
--- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml
+++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Behavior Analysis Threat Blocked
id: 289ad59f-8939-4331-b805-f2bd51d36fb8
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Adware Behavior Analysis Threat from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
index 0f8da0d06b..63010fe647 100644
--- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
+++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler CryptoMiner Downloaded Threat Blocked
id: ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential CryptoMiner Downloaded Threat from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml
index fcca2cbaaa..24bf857296 100644
--- a/detections/web/zscaler_employment_search_web_activity.yml
+++ b/detections/web/zscaler_employment_search_web_activity.yml
@@ -1,7 +1,7 @@
name: Zscaler Employment Search Web Activity
id: 5456bdef-d765-4565-8e1f-61ca027bc50e
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Employment Search Web Activity from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml
index 815a689c60..bcec3a939f 100644
--- a/detections/web/zscaler_exploit_threat_blocked.yml
+++ b/detections/web/zscaler_exploit_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Exploit Threat Blocked
id: 94665d8c-b841-4ff4-acb4-34d613e2cbfe
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: TTP
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Exploit Threat from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml
index 65feb93e40..ee4ebb7fc1 100644
--- a/detections/web/zscaler_legal_liability_threat_blocked.yml
+++ b/detections/web/zscaler_legal_liability_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Legal Liability Threat Blocked
id: bbf55ebf-c416-4f62-94d9-4064f2a28014
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-31'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Legal Liability Threat from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml
index ad1df9027f..9b4b213b57 100644
--- a/detections/web/zscaler_malware_activity_threat_blocked.yml
+++ b/detections/web/zscaler_malware_activity_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Malware Activity Threat Blocked
id: ae874ad8-e353-40a7-87d4-420cdfb27d1a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Rod Soto, Gowthamaraj Rajendran, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Malware Activity from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml
index 8a6353532d..c917e0c26e 100644
--- a/detections/web/zscaler_phishing_activity_threat_blocked.yml
+++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Phishing Activity Threat Blocked
id: 68d3e2c1-e97f-4310-b080-dea180b48aa9
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Phishing Activity from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml
index f58c1fec52..8f434c0224 100644
--- a/detections/web/zscaler_potentially_abused_file_download.yml
+++ b/detections/web/zscaler_potentially_abused_file_download.yml
@@ -1,7 +1,7 @@
name: Zscaler Potentially Abused File Download
id: b0c21379-f4ba-4bac-a958-897e260f964a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Abused File Download from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
index 804c6353ca..751826147b 100644
--- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Privacy Risk Destinations Threat Blocked
id: 5456bdef-d765-4565-8e1f-61ca027bc50d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -27,9 +27,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Privacy Risk Destinations from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml
index 8ad200b22f..8bc1354cf8 100644
--- a/detections/web/zscaler_scam_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Scam Destinations Threat Blocked
id: a0c21379-f4ba-4bac-a958-897e260f964a
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Scam Threat from dest -[$dest$] on $src$ for user-[$user$].
risk_objects:
diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml
index e0315cccf6..196f0c4de3 100644
--- a/detections/web/zscaler_virus_download_threat_blocked.yml
+++ b/detections/web/zscaler_virus_download_threat_blocked.yml
@@ -1,7 +1,7 @@
name: Zscaler Virus Download threat blocked
id: aa19e627-d448-4a31-85cd-82068dec5691
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-03-31'
author: Gowthamaraj Rajendran, Rod Soto, Splunk
status: production
type: Anomaly
@@ -26,9 +26,9 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: 0
rba:
message: Potential Virus Download Threat from dest -[$dest$] on $src$ for user-[$user$].
risk_objects: