More detections have been updated. there are still a few with extra w…

…hitespace that must be taken care of

detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml

@@ -1,7 +1,7 @@
 name: O365 Multiple Mailboxes Accessed via API
 id: 7cd853e9-d370-412f-965d-a2bcff2a2908
-version: 2
-date: '2024-05-16'
+version: 3
+date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 data_source:
 - O365 MailItemsAccessed
@@ -67,7 +67,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.002/o365_multiple_mailboxes_accessed_via_api/o365_multiple_mailboxes_accessed_via_api.log
     source: o365
     sourcetype: o365:management:activity

detections/cloud/o365_privileged_role_assigned.yml

@@ -1,14 +1,14 @@
 name: O365 Privileged Role Assigned
 id: db435700-4ddc-4c23-892e-49e7525d7d39
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment. This detection leverages the O365 Universal Audit Log data source.
 data_source: 
 - Office 365 Universal Audit Log
-search: >
+search: >-
   `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
   | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
   | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature

detections/cloud/o365_privileged_role_assigned_to_service_principal.yml

@@ -1,14 +1,14 @@
 name: O365 Privileged Role Assigned To Service Principal
 id: 80f3fc1b-705f-4080-bf08-f61bf013b900
-version: 1
-date: '2024-04-11'
+version: 2
+date: '2024-09-24'
 author: Steven Dick
 status: production
 type: TTP
 description: The following analytic detects potential privilege escalation threats in Azure Active Directory (AD). This detection is important because it identifies instances where privileged roles that hold elevated permissions are assigned to service principals. This prevents unauthorized access or malicious activities, which occur when these non-human entities access Azure resources to exploit them. False positives might occur since administrators can legitimately assign privileged roles to service principals. This detection leverages the O365 Universal Audit Log data source.
 data_source: 
 - Office 365 Universal Audit Log
-search: >
+search: >-
   `o365_management_activity` Workload=AzureActiveDirectory Operation IN ("Add member to role.","Add eligible member to role.")
   | eval user = ObjectId, src_user = case(match(mvindex('Actor{}.ID',-1),"User"),mvindex('Actor{}.ID',0),match(mvindex('Actor{}.ID',-1),"ServicePrincipal"),mvindex('Actor{}.ID',3),true(),mvindex('Actor{}.ID',0)), object_name = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.DisplayName")), object_id = mvindex('ModifiedProperties{}.NewValue', mvfind('ModifiedProperties{}.Name',"Role\.TemplateId")), signature = Operation, result = ResultStatus, category = mvindex('Target{}.ID',2)
   | stats count, min(_time) as firstTime, max(_time) as lastTime by src_user, user, category, result, object_name, object_id, signature

detections/deprecated/kubernetes_gcp_detect_sensitive_role_access.yml

@@ -1,7 +1,7 @@
 name: Kubernetes GCP detect sensitive role access
 id: a46923f6-36b9-4806-a681-31f314907c30
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: Rod Soto, Splunk
 status: deprecated
 type: Hunting
@@ -16,7 +16,7 @@ how_to_implement: You must install splunk add on for GCP. This search works with
   messaging servicelogs.
 known_false_positives: 'Sensitive role resource access is necessary for cluster operation,
   however source IP, user agent, decision and reason may indicate possible malicious
-  use. '
+  use.'
 references: []
 tags:
   analytic_story:

detections/deprecated/windows_connhost_exe_started_forcefully.yml

@@ -1,15 +1,15 @@
 name: Windows connhost exe started forcefully
 id: c114aaca-68ee-41c2-ad8c-32bf21db8769
-version: 2
-date: '2024-08-15'
+version: 3
+date: '2024-09-24'
 author: Rod Soto, Jose Hernandez, Splunk
 status: deprecated
 type: TTP
 description: 'The search looks for the Console Window Host process (connhost.exe)
   executed using the force flag -ForceV1. This is not regular behavior in the Windows
   OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually
   seen in the windows 10 client of attack_range_local. After further testing we realized
-  this is not specific to Ryuk. '
+  this is not specific to Ryuk.'
 data_source:
 - Sysmon EventID 1
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)

detections/endpoint/add_or_set_windows_defender_exclusion.yml

@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 2
-date: '2024-05-29'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -86,7 +86,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml

@@ -1,7 +1,7 @@
 name: CMLUA Or CMSTPLUA UAC Bypass
 id: f87b5062-b405-11eb-a889-acde48001122
-version: 2
-date: '2024-05-05'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -64,7 +64,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/eventvwr_uac_bypass.yml

@@ -1,7 +1,7 @@
 name: Eventvwr UAC Bypass
 id: 9cf8fe08-7ad8-11eb-9819-acde48001122
-version: 4
-date: '2024-05-26'
+version: 5
+date: '2024-09-24'
 author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
@@ -93,7 +93,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 2
-date: '2024-05-21'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -108,7 +108,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/fodhelper_uac_bypass.yml

@@ -1,7 +1,7 @@
 name: FodHelper UAC Bypass
 id: 909f8fd8-7ac8-11eb-a1f3-acde48001122
-version: 3
-date: '2024-05-15'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -84,7 +84,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/suspicious_process_file_path.yml

@@ -1,7 +1,7 @@
 name: Suspicious Process File Path
 id: 9be25988-ad82-11eb-a14f-acde48001122
-version: 2
-date: '2024-05-12'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -115,7 +115,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml

@@ -1,7 +1,7 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 2
-date: '2024-05-20'
+version: 3
+date: '2024-09-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -73,8 +73,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/brute_ratel/sedebugprivilege_token/security-xml.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog
     update_timestamp: true

detections/endpoint/windows_defender_exclusion_registry_entry.yml

@@ -1,7 +1,7 @@
 name: Windows Defender Exclusion Registry Entry
 id: 13395a44-4dd9-11ec-9df7-acde48001122
-version: 4
-date: '2024-05-21'
+version: 5
+date: '2024-09-24'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -71,7 +71,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: xmlwineventlog

detections/endpoint/windows_local_administrator_credential_stuffing.yml

@@ -1,6 +1,6 @@
 name: Windows Local Administrator Credential Stuffing
 id: 09555511-aca6-484a-b6ab-72cd03d73c34
-version: 2
+version: 3
 date: '2024-09-24'
 author: Mauricio Velazco, Splunk
 type: TTP
@@ -69,7 +69,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.004/local_administrator_cred_stuffing/windows-security.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog

detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml

@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
-version: 3
-date: '2024-05-20'
+version: 4
+date: '2024-09-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -74,7 +74,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
     source: XmlWinEventLog:Security
     sourcetype: XmlWinEventLog