splunk · patel-bhavin · Mar 13, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
@@ -1,7 +1,7 @@
 name: Detect New Open GCP Storage Buckets
 id: f6ea3466-d6bb-11ea-87d0-0242ac130003
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-12'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
@@ -23,7 +23,8 @@ how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platf
 known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.
 references: []
 rba:
-    message: New Public GCP Storage Bucket Detected
+    message: |
+        "allUser" member added to $bucketName$ by $user$ making the bucket available to the public
     risk_objects:
         - field: user
           type: user

@@ -1,7 +1,7 @@
 name: Detect Spike in blocked Outbound Traffic from your AWS
 id: d3fffa37-492f-487b-a35d-c60fcb2acf01
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-12'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -32,7 +32,7 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late
 known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.
 references: []
 rba:
-    message: Blocked outbound traffic from your AWS VPC
+    message: Blocked $numberOfBlockedConnections$ outbound connections from your AWS VPC $src_ip$
     risk_objects:
         - field: src_ip
           type: system

@@ -1,7 +1,7 @@
 name: GCP Detect gcploit framework
 id: a1c5a85e-a162-410c-a5d9-99ff639e5a52
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-12'
 author: Rod Soto, Splunk
 status: experimental
 type: TTP
@@ -17,7 +17,7 @@ references:
     - https://github.com/dxa4481/gcploit
     - https://www.youtube.com/watch?v=Ml09R38jpok
 rba:
-    message: Possible use of gcploit framework
+    message: Possible use of gcploit framework from $src$ by $src_user$
     risk_objects:
         - field: src_user
           type: user

@@ -1,7 +1,7 @@
 name: Excessive Usage Of SC Service Utility
 id: cb6b339e-d4c6-11eb-a026-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -35,7 +35,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Excessive Usage Of SC Service Utility
+    message: Excessive Usage Of SC Service Utility on $dest$ by $user$
     risk_objects:
         - field: dest
           type: system

@@ -1,7 +1,7 @@
 name: Get DomainPolicy with Powershell Script Block
 id: a360d2b2-065a-11ec-b0bf-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -36,7 +36,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Powershell process with command line indicative of querying domain policy.
+    message: Powershell process indicative of querying domain policy, spawned by $user_id$ on $dest$
     risk_objects:
         - field: dest
           type: system

@@ -1,7 +1,7 @@
 name: Windows AdFind Exe
 id: bd3b0187-189b-46c0-be45-f52da2bae67f
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-12'
 author: Jose Hernandez, Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -75,7 +75,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Windows AdFind Exe detected with command-line arguments associated with Active Directory queries on machine - [dest]
+    message: $user$ spawned $process$ indicative of Active Directory discovery on machine - [$dest$]
     risk_objects:
         - field: user
           type: user

@@ -1,7 +1,7 @@
 name: Windows Excel ActiveMicrosoftApp Child Process
 id: 4dfd6a58-93b2-4012-bb33-038bb63652b3
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -38,7 +38,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Risk Message goes here
+    message: $parent_process_name$ spawned $process_name$ on $dest$, indicative of ActivateMicrosoftApp() use
     risk_objects:
         - field: dest
           type: system

@@ -1,7 +1,7 @@
 name: Windows RDP Server Registry Entry Created
 id: 61f10919-c360-4e56-9cda-f1f34500cfda
-version: 2
-date: '2026-03-10'
+version: 3
+date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -24,7 +24,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Risk Message goes here
+    message: RDP related registry key $registry_key_name$ created on $dest$
     risk_objects:
         - field: dest
           type: system

@@ -1,7 +1,7 @@
 name: Windows Rundll32 Load DLL in Temp Dir
 id: 520da6fa-7d5d-4a3b-9c61-1087517b8d0f
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -23,7 +23,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Risk Message goes here
+    message: $parent_process_name$ spawned $process_name$ with a DLL from a temporary directory
     risk_objects:
         - field: dest
           type: system