splunk · patel-bhavin · Mar 13, 2026 · Mar 13, 2026 · Mar 13, 2026
@@ -16,8 +16,8 @@ repos:
       - id: yamlfmt
         name: yamlfmt (detections only)
         description: Format YAML files in detections/ with yamlfmt
-        entry: python3 .pre-commit-hooks/yamlfmt-hook.py
-        language: system
+        entry: .pre-commit-hooks/yamlfmt-hook.py
+        language: python
         files: ^detections/.*\.(yml|yaml)$
         pass_filenames: true
         # Optional: Specify custom yamlfmt binary path if not in PATH

@@ -1,6 +1,6 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 13
+version: 12
 date: '2026-03-13'
 author: Mauricio Velazco, Splunk
 status: production

@@ -1,6 +1,6 @@
 name: Detect New Open GCP Storage Buckets
 id: f6ea3466-d6bb-11ea-87d0-0242ac130003
-version: 8
+version: 7
 date: '2026-03-12'
 author: Shannon Davis, Splunk
 status: experimental

@@ -1,6 +1,6 @@
 name: Detect Spike in blocked Outbound Traffic from your AWS
 id: d3fffa37-492f-487b-a35d-c60fcb2acf01
-version: 8
+version: 7
 date: '2026-03-12'
 author: Bhavin Patel, Splunk
 status: experimental

@@ -1,6 +1,6 @@
 name: GCP Detect gcploit framework
 id: a1c5a85e-a162-410c-a5d9-99ff639e5a52
-version: 8
+version: 7
 date: '2026-03-12'
 author: Rod Soto, Splunk
 status: experimental

@@ -1,6 +1,6 @@
 name: Excessive Usage Of SC Service Utility
 id: cb6b339e-d4c6-11eb-a026-acde48001122
-version: 10
+version: 9
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production

@@ -1,6 +1,6 @@
 name: Get DomainPolicy with Powershell Script Block
 id: a360d2b2-065a-11ec-b0bf-acde48001122
-version: 10
+version: 9
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production

@@ -1,6 +1,6 @@
 name: Windows AdFind Exe
 id: bd3b0187-189b-46c0-be45-f52da2bae67f
-version: 13
+version: 12
 date: '2026-03-12'
 author: Jose Hernandez, Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production

@@ -1,6 +1,6 @@
 name: Windows Excel ActiveMicrosoftApp Child Process
 id: 4dfd6a58-93b2-4012-bb33-038bb63652b3
-version: 4
+version: 3
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production

@@ -1,6 +1,6 @@
 name: Windows RDP Server Registry Entry Created
 id: 61f10919-c360-4e56-9cda-f1f34500cfda
-version: 3
+version: 2
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production

@@ -1,6 +1,6 @@
 name: Windows Rundll32 Load DLL in Temp Dir
 id: 520da6fa-7d5d-4a3b-9c61-1087517b8d0f
-version: 5
+version: 4
 date: '2026-03-12'
 author: Teoderick Contreras, Splunk
 status: production

@@ -53,7 +53,7 @@ how_to_implement: |
     Build a known-good baseline (lookup or macro conditions) for expected `peer-system-ip`, `public-ip`, and `peer-type` relationships, then tune the `cisco_sd_wan_rogue_peer_outlier_filter` macro to suppress approved peers and transport sources.
     The threshold (`<=3`) is a starting point and should be adjusted for your environment size and log
     volume.
-    Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html to start ingesting these logs.
+    Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging to start ingesting these logs.
 known_false_positives: |
     New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport.
     Path changes can create rare peer/public-IP combinations.
@@ -62,7 +62,7 @@ references:
     - https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
     - https://blog.talosintelligence.com/uat-8616-sd-wan/
     - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Monitor-And-Maintain/monitor-maintain-book/m-alarms-events-logs.html
-    - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html
+    - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging
     - https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
     - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
 drilldown_searches:

@@ -1,6 +1,6 @@
 name: Cisco SD-WAN - Peering Activity
 id: 1d192a47-4bd3-4c06-902d-5dbe2375ec6d
-version: 1
+version: 2
 date: '2026-03-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -43,7 +43,7 @@ search: |-
 how_to_implement: |
     This analytic requires Cisco SD-WAN/vSmart logs in Splunk and assumes control peering status
     messages are searchable via the `cisco_sd_wan_syslog` macro. Update that macro with your environment-specific index and sourcetype settings.
-    Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html to start ingesting these logs.
+    Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging to start ingesting these logs.
 known_false_positives: |
     New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport.
     Path changes can create rare peer/public-IP combinations.
@@ -52,7 +52,7 @@ references:
     - https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
     - https://blog.talosintelligence.com/uat-8616-sd-wan/
     - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Monitor-And-Maintain/monitor-maintain-book/m-alarms-events-logs.html
-    - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html
+    - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging
     - https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
     - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
 tags:

@@ -16,7 +16,7 @@ references:
     - https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
     - https://blog.talosintelligence.com/uat-8616-sd-wan/
     - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/Monitor-And-Maintain/monitor-maintain-book/m-alarms-events-logs.html
-    - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html
+    - https://www.cisco.com/c/en/us/td/docs/routers/sdwan/17-x/systems-interfaces/systems-interfaces-guide-17-x/system-logging.html#config-sys-logging
     - https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide
     - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
 tags: