splunk · pyth0n1c · Dec 17, 2025 · Dec 17, 2025 · Dec 22, 2025 · Dec 22, 2025
@@ -37,7 +37,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR
 | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
-| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+| outputlookup append=true decommissioned_buckets'
 how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
@@ -61,4 +61,4 @@ deployment:
     cron_schedule: 0 2 * * 0
     earliest_time: -30d@d
     latest_time: -1d@d
-    schedule_window: auto
+    schedule_window: auto
@@ -1,7 +1,7 @@
 name: Cisco ASA - AAA Policy Tampering
 id: 8f2c4e9a-5d3b-4c7e-9a1f-6e8d5b2c3a9f
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy Activity
 id: 4d7e8f3a-9c2b-4e6f-8a1d-5b9c7e2f4a8c
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -78,6 +78,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Device File Copy to Remote Location
 id: 8a9e5f2b-6d4c-4e7f-9b3a-1c8d7f5e2a9b
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -103,6 +103,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Disabled via CLI
 id: 7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201
-version: 3
-date: '2025-10-17'
+version: 4
+date: '2026-01-28'
 author: Bhavin Patel, Micheal Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -76,6 +76,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Filters Configuration Tampering
 id: b87b48a8-6d1a-4280-9cf1-16a950dbf901
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -87,6 +87,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Logging Message Suppression
 id: 4e6c9d2a-8f3b-4c7e-9a5f-2d8b6e1c4a9f
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - New Local User Account Created
 id: 9c8e4f2a-7d3b-4e5c-8a9f-1b6d4e8c3f5a
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Packet Capture Activity
 id: 7e9c3f8a-4b2d-4c5e-9a1f-6d8e5b3c2a9f
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - Reconnaissance Command Activity
 id: 6e9d4f7a-3c8b-4a9e-8d2f-7b5c9e1a6f3d
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -130,6 +130,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Deleted From Local Database
 id: 2d4b9e7f-5c3a-4d8e-9b1f-8a6c5e2d4f7a
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Account Lockout Threshold Exceeded
 id: 3e8f9c2a-6d4b-4a7e-9c5f-1b8d7e3a9f2c
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco ASA - User Privilege Level Change
 id: 5f7d8c3e-9a2b-4d6f-8e1c-3b5a9d7f2c4e
-version: 1
-date: '2025-11-18'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -67,6 +67,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -1,7 +1,7 @@
 name: Cisco NVM - Curl Execution With Insecure Flags
 id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 4
-date: '2025-10-24'
+version: 5
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -92,6 +92,7 @@ tags:
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - Installation of Typosquatted Python Package
 id: 5e3f6b44-42cb-4f8a-99f0-59e78a52ea1d
-version: 1
-date: '2025-07-03'
+version: 2
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -89,6 +89,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
 id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - Non-Network Binary Making Network Connection
 id: c6db35af-8a0e-4b61-88ed-738e66f15715
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -91,6 +91,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - Outbound Connection to Suspicious Port
 id: fc32a8d5-bc79-4437-b48f-4646ab7bed9d
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -88,6 +88,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - Rclone Execution With Network Activity
 id: 719f8c78-b20d-4bb9-8c33-6d1a762e7a9a
-version: 3
-date: '2025-10-14'
+version: 4
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -99,6 +99,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
 id: 18f0d27d-569e-4bc4-96e1-09b214fa73c0
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -86,6 +86,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -1,7 +1,7 @@
 name: Cisco NVM - Susp Script From Archive Triggering Network Activity
 id: 8b07c2c9-0cde-4c44-9fa6-59dcf2b25777
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2026-01-28'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -87,6 +87,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM