From 42eba59c4f9bcf2303903b1b5b3cf17860bcecc4 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 13 Mar 2026 14:30:49 +0100
Subject: [PATCH 1/2] fix links and versions
---
 .pre-commit-config.yaml | 4 ++--
 detections/cloud/detect_new_open_gcp_storage_buckets.yml | 2 +-
 ...detect_spike_in_blocked_outbound_traffic_from_your_aws.yml | 2 +-
 detections/cloud/gcp_detect_gcploit_framework.yml | 2 +-
 detections/endpoint/excessive_usage_of_sc_service_utility.yml | 2 +-
 .../get_domainpolicy_with_powershell_script_block.yml | 2 +-
 detections/endpoint/windows_adfind_exe.yml | 2 +-
 .../windows_excel_activemicrosoftapp_child_process.yml | 2 +-
 .../endpoint/windows_rdp_server_registry_entry_created.yml | 2 +-
 detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml | 2 +-
 .../network/cisco_sd_wan___low_frequency_rogue_peer.yml | 4 ++--
 detections/network/cisco_sd_wan___peering_activity.yml | 4 ++--
 stories/cisco_catalyst_sd_wan_analytics.yml | 2 +-
 13 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 384fa5f77a..3b5877a65c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -16,8 +16,8 @@ repos:
 - id: yamlfmt
 name: yamlfmt (detections only)
 description: Format YAML files in detections/ with yamlfmt
- entry: python3 .pre-commit-hooks/yamlfmt-hook.py
- language: system
+ entry: .pre-commit-hooks/yamlfmt-hook.py
+ language: python
 files: ^detections/.*\.(yml|yaml)$
 pass_filenames: true
 # Optional: Specify custom yamlfmt binary path if not in PATH
diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
index 6af80fab39..de6dda72f6 100644
--- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml
+++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
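Review bot: With `language: python` and a bare script path as `entry`, pre-commit executes `.pre-commit-hooks/yamlfmt-hook.py` directly from the virtualenv it builds, so on POSIX the file must carry the executable bit and a shebang such as `#!/usr/bin/env python3`; the diffstat shows no mode change for that script, so if it is still 0644 the hook will fail with a permission error where the old `python3 <script>` form worked. The new venv is also isolated from the contributor's site-packages, so any non-stdlib import in the hook script needs `additional_dependencies: [...]` on this hook entry, preferably pinned so the formatter that rewrites every detection file is not resolved from an unpinned index at install time. Whether the script actually has a shebang or third-party imports is not visible here and should be confirmed before merging.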
@@ -1,6 +1,6 @@
 name: Detect New Open GCP Storage Buckets
 id: f6ea3466-d6bb-11ea-87d0-0242ac130003
-version: 8
+version: 7
 date: '2026-03-12'
 author: Shannon Davis, Splunk
 status: experimental
diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
index 4e4621e279..9743f8f8f6 100644
--- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
+++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
@@ -1,6 +1,6 @@
 name: Detect Spike in blocked Outbound Traffic from your AWS
 id: d3fffa37-492f-487b-a35d-c60fcb2acf01
-version: 8
+version: 7
 date: '2026-03-12'
 author: Bhavin Patel, Splunk
 status: experimental
diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml
index 77bf39919a..537b1d89c8 100644
--- a/detections/cloud/gcp_detect_gcploit_framework.yml
+++ b/detections/cloud/gcp_detect_gcploit_framework.yml
@@ -1,6 +1,6 @@
 name: GCP Detect gcploit framework
 id: a1c5a85e-a162-410c-a5d9-99ff639e5a52
-version: 8
+version: 7
 date: '2026-03-12'
 author: Rod Soto, Splunk
 status: experimental
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
index 0bcc64f9e4..ff2df61ec3 100644
--- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml
+++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
@@ -1,6 +1,6 @@
 name: Excessive Usage Of SC Service Utility
 id: cb6b339e-d4c6-11eb-a026-acde48001122
-version: 10
+version: 9
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
index 1ea426522e..83f9192f44 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
@@ -1,6 +1,6 @@
 name: Get DomainPolicy with Powershell Script Block
 id: a360d2b2-065a-11ec-b0bf-acde48001122
-version: 10
+version: 9
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index 5bd6e839a3..2bc68d6129 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -1,6 +1,6 @@
 name: Windows AdFind Exe
 id: bd3b0187-189b-46c0-be45-f52da2bae67f
-version: 13
+version: 12
 date: '2026-03-12'
 author: Jose Hernandez, Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production
diff --git a/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml b/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
index d6eb30eeb5..d6c74cdb15 100644
--- a/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
+++ b/detections/endpoint/windows_excel_activemicrosoftapp_child_process.yml
@@ -1,6 +1,6 @@
 name: Windows Excel ActiveMicrosoftApp Child Process
 id: 4dfd6a58-93b2-4012-bb33-038bb63652b3
-version: 4
+version: 3
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_rdp_server_registry_entry_created.yml b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
index b3e9ffd824..53ebd80a8d 100644
--- a/detections/endpoint/windows_rdp_server_registry_entry_created.yml
+++ b/detections/endpoint/windows_rdp_server_registry_entry_created.yml
@@ -1,6 +1,6 @@
 name: Windows RDP Server Registry Entry Created
 id: 61f10919-c360-4e56-9cda-f1f34500cfda
-version: 3
+version: 2
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
index 3e3a531d86..c7fc1b0069 100644
--- a/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
+++ b/detections/endpoint/windows_rundll32_load_dll_in_temp_dir.yml
@@ -1,6 +1,6 @@
 name: Windows Rundll32 Load DLL in Temp Dir
 id: 520da6fa-7d5d-4a3b-9c61-1087517b8d0f
-version: 5
+version: 4
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml b/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml
index d2fef2c277..0d1324b483 100644
--- a/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml
+++ b/detections/network/cisco_sd_wan___low_frequency_rogue_peer.yml
@@ -53,7 +53,7 @@ how_to_implement: |
 Build a known-good baseline (lookup or macro conditions) for expected `peer-system-ip`, `public-ip`, and `peer-type` relationships, then tune the `cisco_sd_wan_rogue_peer_outlier_filter` macro to suppress approved peers and transport sources. The threshold (`<=3`) is a starting point and should be adjusted for your environment size and log volume.
- Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html to start ingesting these logs.
+ Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging to start ingesting these logs.
 known_false_positives: |
 New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport. Path changes can create rare peer/public-IP combinations.
@@ -62,7 +62,7 @@ references:
 - https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
 - https://blog.talosintelligence.com/uat-8616-sd-wan/
 - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Monitor-And-Maintain/monitor-maintain-book/m-alarms-events-logs.html
- - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html
+ - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging
 - https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
 drilldown_searches:
diff --git a/detections/network/cisco_sd_wan___peering_activity.yml b/detections/network/cisco_sd_wan___peering_activity.yml
index 6d8efee7fc..a43580ca0a 100644
--- a/detections/network/cisco_sd_wan___peering_activity.yml
+++ b/detections/network/cisco_sd_wan___peering_activity.yml
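Review bot: This detection's `how_to_implement` text and `references` list change in PATCH 1/2, yet neither patch in the series touches its `version` field, while the identical link update to `cisco_sd_wan___peering_activity.yml` is followed in PATCH 2/2 by `version: 1` → `version: 2`; the diffstats list only the two link hunks for this file, so unless the bump was made in a commit outside this series the two SD-WAN detections now version the same metadata change differently. For consistency the header here should get the same treatment, `version: <current + 1>` together with a refreshed `date`, the header is outside both hunks so the current value is not visible. The PATCH 2/2 bump on peering_activity also leaves `date: '2026-03-02'` untouched while every decremented file in PATCH 1/2 carries `date: '2026-03-12'`, so whichever convention the repo enforces for version/date pairing should be applied to both files in one pass.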
@@ -43,7 +43,7 @@ search: |-
 how_to_implement: |
 This analytic requires Cisco SD-WAN/vSmart logs in Splunk and assumes control peering status messages are searchable via the `cisco_sd_wan_syslog` macro. Update that macro with your environment-specific index and sourcetype settings.
- Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html to start ingesting these logs.
+ Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging to start ingesting these logs.
 known_false_positives: |
 New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport. Path changes can create rare peer/public-IP combinations.
@@ -52,7 +52,7 @@ references:
 - https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
 - https://blog.talosintelligence.com/uat-8616-sd-wan/
 - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Monitor-And-Maintain/monitor-maintain-book/m-alarms-events-logs.html
- - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html
+ - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging
 - https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
 tags:
diff --git a/stories/cisco_catalyst_sd_wan_analytics.yml b/stories/cisco_catalyst_sd_wan_analytics.yml
index 21f3b7d033..a588ca3c05 100644
--- a/stories/cisco_catalyst_sd_wan_analytics.yml
+++ b/stories/cisco_catalyst_sd_wan_analytics.yml
@@ -16,7 +16,7 @@ references:
 - https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
 - https://blog.talosintelligence.com/uat-8616-sd-wan/
 - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Monitor-And-Maintain/monitor-maintain-book/m-alarms-events-logs.html
- - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html
+ - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging
 - https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
 tags:
From 8849ffb41b7f3b9aae6854a2992e0f56040e2070 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Fri, 13 Mar 2026 14:34:54 +0100
Subject: [PATCH 2/2] more versions
---
 detections/cloud/azure_ad_pim_role_assigned.yml | 2 +-
 detections/network/cisco_sd_wan___peering_activity.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index 53acc8efed..e780460d45 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -1,6 +1,6 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 13
+version: 12
 date: '2026-03-13'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/network/cisco_sd_wan___peering_activity.yml b/detections/network/cisco_sd_wan___peering_activity.yml
index a43580ca0a..f6d1816248 100644
--- a/detections/network/cisco_sd_wan___peering_activity.yml
+++ b/detections/network/cisco_sd_wan___peering_activity.yml
@@ -1,6 +1,6 @@
 name: Cisco SD-WAN - Peering Activity
 id: 1d192a47-4bd3-4c06-902d-5dbe2375ec6d
-version: 1
+version: 2
 date: '2026-03-02'
 author: Nasreddine Bencherchali, Splunk
 status: production