Updating drilldown configs

detections/application/cisco_ai_defense_security_alerts_by_application_name.yml

@@ -1,7 +1,7 @@
 name: Cisco AI Defense Security Alerts by Application Name
 id: 105e4a69-ec55-49fc-be1f-902467435ea8
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for - "$application_name$"
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_name$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_name$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: Cisco AI Defense Security Alert has been action - [$event_action$] for the application name - [$application_name$]
     risk_objects:

detections/application/cisco_asa___aaa_policy_tampering.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - AAA Policy Tampering
 id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed command $command$ to modify AAA configuration on Cisco ASA host $host$.
     risk_objects:

detections/application/cisco_asa___device_file_copy_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy Activity
 id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -53,9 +53,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed command $command$ to export device configuration from Cisco ASA host $host$.
     risk_objects:

detections/application/cisco_asa___device_file_copy_to_remote_location.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy to Remote Location
 id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -74,9 +74,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed command $command$ to copy file or config from Cisco ASA host $host$ to remote location $dest$ via $remote_protocol$ protocols.
     risk_objects:

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Disabled via CLI
 id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-03-31'
 author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -55,9 +55,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed command $command$ to disable logging on the Cisco ASA host $host$.
     risk_objects:

detections/application/cisco_asa___logging_filters_configuration_tampering.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -63,9 +63,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed command $command$ to tamper with logging filter configuration on the Cisco ASA host $host$.
     risk_objects:

detections/application/cisco_asa___logging_message_suppression.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed command $command$ to suppress specific logging message ID on Cisco ASA host $host$.
     risk_objects:

detections/application/cisco_asa___new_local_user_account_created.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - New Local User Account Created
 id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: New local user account $user$ with privilege level $privilege_level$ was created on Cisco ASA host $host$.
     risk_objects:

detections/application/cisco_asa___packet_capture_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Packet Capture Activity
 id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -48,9 +48,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed packet capture command $command$ on Cisco ASA host $host$, potentially for network sniffing activity.
     risk_objects:

detections/application/cisco_asa___reconnaissance_command_activity.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - Reconnaissance Command Activity
 id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -104,9 +104,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: User $user$ executed $unique_recon_commands$ distinct reconnaissance commands of type $command_types$ within a 5-minute window on Cisco ASA host $host$, indicating potential reconnaissance activity.
     risk_objects:

detections/application/cisco_asa___user_account_deleted_from_local_database.yml

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Deleted From Local Database
 id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-31'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -43,9 +43,9 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
     - name: View risk events for the last 7 days for $host$
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($host$) endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: 0
 rba:
     message: Local user account $user$ with privilege level $privilege_level$ was deleted from Cisco ASA host $host$.
     risk_objects: