tesst locally

detections/application/detect_distributed_password_spray_attempts.yml

@@ -1,7 +1,7 @@
 name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
 version: 2
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Dean Luxton
 status: production
 type: Hunting

detections/application/detect_new_login_attempts_to_routers.yml

@@ -1,7 +1,7 @@
 name: Detect New Login Attempts to Routers
 id: bce3ed7c-9b1f-42a0-abdf-d8b123a34836
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP

detections/application/email_attachments_with_lots_of_spaces.yml

@@ -1,7 +1,7 @@
 name: Email Attachments With Lots Of Spaces
 id: 56e877a6-1455-4479-ada6-0550dc1e22f8
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/application/email_files_written_outside_of_the_outlook_directory.yml

@@ -1,7 +1,7 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
 version: 5
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP

detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml

@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly

detections/application/monitor_email_for_brand_abuse.yml

@@ -1,7 +1,7 @@
 name: Monitor Email For Brand Abuse
 id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP

detections/application/no_windows_updates_in_a_time_frame.yml

@@ -1,7 +1,7 @@
 name: No Windows Updates in a time frame
 id: 1a77c08c-2f56-409c-a2d3-7d64617edd4f
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Hunting

detections/application/okta_mfa_exhaustion_hunt.yml

@@ -1,7 +1,7 @@
 name: Okta MFA Exhaustion Hunt
 id: 97e2fe57-3740-402c-988a-76b64ce04b8d
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Michael Haag, Marissa Bower, Mauricio Velazco, Splunk
 status: production
 type: Hunting

detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml

@@ -1,7 +1,7 @@
 name: Okta Mismatch Between Source and Response for Verify Push Request
 id: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Splunk
 type: TTP
 status: experimental

detections/application/okta_multiple_failed_requests_to_access_applications.yml

@@ -1,7 +1,7 @@
 name: Okta Multiple Failed Requests to Access Applications
 id: 1c21fed1-7000-4a2e-9105-5aaafa437247
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: John Murphy, Okta, Michael Haag, Splunk
 type: Hunting
 status: experimental

detections/application/okta_phishing_detection_with_fastpass_origin_check.yml

@@ -1,7 +1,7 @@
 name: Okta Phishing Detection with FastPass Origin Check
 id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Okta, Inc, Michael Haag, Splunk
 type: TTP
 status: experimental

detections/application/suspicious_email_attachment_extensions.yml

@@ -1,7 +1,7 @@
 name: Suspicious Email Attachment Extensions
 id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
 version: 5
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/application/suspicious_java_classes.yml

@@ -1,7 +1,7 @@
 name: Suspicious Java Classes
 id: 6ed33786-5e87-4f55-b62c-cb5f1168b831
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly

detections/application/web_servers_executing_suspicious_processes.yml

@@ -1,7 +1,7 @@
 name: Web Servers Executing Suspicious Processes
 id: ec3b7601-689a-4463-94e0-c9f45638efb9
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP

detections/application/windows_ad_privileged_group_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Privileged Group Modification
 id: 187bf937-c436-4c65-bbcb-7539ffe02da1
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Dean Luxton
 status: experimental
 type: TTP

detections/application/windows_ad_suspicious_gpo_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
 version: 2
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Dean Luxton
 status: experimental
 type: TTP

detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml

@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Infrastructure API Calls
 id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml

@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Instances Destroyed
 id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml

@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Instances Launched
 id: f2361e9f-3928-496c-a556-120cd4223a65
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml

@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Security Group API Calls
 id: d4dfb7f3-7a37-498a-b5df-f19334e871af
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml

@@ -1,7 +1,7 @@
 name: Amazon EKS Kubernetes cluster scan detection
 id: 294c4686-63dd-4fe6-93a2-ca807626704a
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml

@@ -1,7 +1,7 @@
 name: Amazon EKS Kubernetes Pod scan detection
 id: dbfca1dd-b8e5-4ba4-be0e-e565e5d62002
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/asl_aws_defense_evasion_impair_security_services.yml

@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion Impair Security Services
 id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk
 status: production
 type: Hunting

detections/cloud/asl_aws_iam_delete_policy.yml

@@ -1,7 +1,7 @@
 name: ASL AWS IAM Delete Policy
 id: 609ced68-d420-4ff7-8164-ae98b4b4018c
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting

detections/cloud/asl_aws_iam_successful_group_deletion.yml

@@ -1,7 +1,7 @@
 name: ASL AWS IAM Successful Group Deletion
 id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting

detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml

@@ -1,7 +1,7 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
 version: 5
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: TTP

detections/cloud/aws_createaccesskey.yml

@@ -1,7 +1,7 @@
 name: AWS CreateAccessKey
 id: 2a9b80d3-6340-4345-11ad-212bf3d0d111
 version: 5
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting

detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml

@@ -1,7 +1,7 @@
 name: AWS Cross Account Activity From Previously Unseen Account
 id: 21193641-cb96-4a2c-a707-d9b9a7f7792b
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly

detections/cloud/aws_defense_evasion_impair_security_services.yml

@@ -1,7 +1,7 @@
 name: AWS Defense Evasion Impair Security Services
 id: b28c4957-96a6-47e0-a965-6c767aac1458
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
 status: production
 type: Hunting

detections/cloud/aws_defense_evasion_putbucketlifecycle.yml

@@ -1,7 +1,7 @@
 name: AWS Defense Evasion PutBucketLifecycle
 id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel
 status: production
 type: Hunting

detections/cloud/aws_detect_attach_to_role_policy.yml

@@ -1,7 +1,7 @@
 name: aws detect attach to role policy
 id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/aws_detect_permanent_key_creation.yml

@@ -1,7 +1,7 @@
 name: aws detect permanent key creation
 id: 12d6d713-3cb4-4ffc-a064-1dca3d1cca01
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/aws_detect_role_creation.yml

@@ -1,7 +1,7 @@
 name: aws detect role creation
 id: 5f04081e-ddee-4353-afe4-504f288de9ad
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/aws_detect_sts_assume_role_abuse.yml

@@ -1,7 +1,7 @@
 name: aws detect sts assume role abuse
 id: 8e565314-b6a2-46d8-9f05-1a34a176a662
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/aws_detect_sts_get_session_token_abuse.yml

@@ -1,7 +1,7 @@
 name: aws detect sts get session token abuse
 id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting

detections/cloud/aws_iam_delete_policy.yml

@@ -1,7 +1,7 @@
 name: AWS IAM Delete Policy
 id: ec3a9362-92fe-11eb-99d0-acde48001122
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Michael Haag, Splunk
 status: production
 type: Hunting

detections/cloud/aws_iam_successful_group_deletion.yml

@@ -1,7 +1,7 @@
 name: AWS IAM Successful Group Deletion
 id: e776d06c-9267-11eb-819b-acde48001122
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Michael Haag, Splunk
 status: production
 type: Hunting

detections/cloud/aws_lambda_updatefunctioncode.yml

@@ -1,7 +1,7 @@
 name: AWS Lambda UpdateFunctionCode
 id: 211b80d3-6340-4345-11ad-212bf3d0d111
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting

detections/cloud/aws_password_policy_changes.yml

@@ -1,7 +1,7 @@
 name: AWS Password Policy Changes
 id: aee4a575-7064-4e60-b511-246f9baf9895
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting

detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml

@@ -1,7 +1,7 @@
 name: Azure AD Multi-Source Failed Authentications Spike
 id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
 version: 5
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting

detections/cloud/circle_ci_disable_security_step.yml

@@ -1,7 +1,7 @@
 name: Circle CI Disable Security Step
 id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: Anomaly

detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml

@@ -1,7 +1,7 @@
 name: Cloud API Calls From Previously Unseen User Roles
 id: 2181ad1f-1e73-4d0c-9780-e8880482a08f
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly

detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml

@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created By Previously Unseen User
 id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
 version: 4
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly

detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml

@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created In Previously Unused Region
 id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
 version: 3
-date: '2024-10-17 - 10:03:23'
+date: '2024-10-17'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly