Merge pull request #3366 from splunk/remove_detections

Remove 151 Deprecated detections, stories, baselines, investigations - Github

Author: patel-bhavin

baselines/deprecated/.gitkeep

@@ -4,7 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
-status: production
+status: deprecated
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.

baselines/previously_seen_aws_cross_account_activity___initial.yml renamed to baselines/deprecated/previously_seen_aws_cross_account_activity___initial.yml

@@ -4,7 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
-status: production
+status: deprecated
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.

baselines/previously_seen_aws_cross_account_activity___update.yml renamed to baselines/deprecated/previously_seen_aws_cross_account_activity___update.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.1.1
+  version: 5.2.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

contentctl.yml

@@ -1,7 +1,7 @@
 name: Attacker Tools On Endpoint
 id: a51bfe1a-94f0-48cc-b4e4-16a110145893
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-02-27'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -66,7 +66,6 @@ rba:
 tags:
   analytic_story:
   - XMRig
-  - Monitor for Unauthorized Software
   - Unusual Processes
   - SamSam Ransomware
   - CISA AA22-264A

detections/deprecated/.gitkeep

@@ -0,0 +1,9 @@
+name: deprecation_info
+date: 2025-03-14
+version: 1
+id: d83dad4f-7bce-4979-bf07-a88c610da5f6
+author: Splunk Threat Research Team
+lookup_type: csv
+default_match: false
+description: A lookup file for deprecation information
+min_matches: 1

detections/endpoint/attacker_tools_on_endpoint.yml

@@ -4,7 +4,7 @@ version: 1
 date: '2017-09-15'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search takes the existing interesting process table from ES, filters
   out any existing additions added by ESCU and then updates the table with processes
   identified by ESCU that should be prohibited on your endpoints.

lookups/deprecation_info.csv

@@ -4,7 +4,7 @@ version: 1
 date: '2018-04-09'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation of the number of API calls made by each user. Also recorded is the number
   of data points for each user. This table is then outputted to a lookup file to allow