add status:deprecated to all investigations

pyth0n1c · pyth0n1c · commit 18383600545f · 2025-01-24T17:32:14.000-08:00
diff --git a/investigations/all_backup_logs_for_host.yml b/investigations/all_backup_logs_for_host.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-12'
 author: Rico Valdez, Splunk
 type: Investigation
+status: deprecated
 description: Retrieve the backup logs for the last 2 weeks for a specific host in
   order to investigate why backups are not completing successfully.
 search: '| search `netbackup` dest=$dest$'
diff --git a/investigations/amazon_eks_kubernetes_activity_by_src_ip.yml b/investigations/amazon_eks_kubernetes_activity_by_src_ip.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2020-04-13'
 author: Rod Soto, Splunk
 type: Investigation
+status: deprecated
 description: This search provides investigation data about requests via user agent,
   authentication request URI, verb and cluster name data against Kubernetes cluster
   from a specific IP address
diff --git a/investigations/aws_investigate_security_hub_alerts_by_dest.yml b/investigations/aws_investigate_security_hub_alerts_by_dest.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2020-06-08'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search retrieves the all the alerts created by AWS Security Hub
   for a specific dest(instance_id).
 search: '`aws_securityhub_firehose` "findings{}.Resources{}.Type"=AWSEC2Instance |
diff --git a/investigations/aws_investigate_user_activities_by_accesskeyid.yml b/investigations/aws_investigate_user_activities_by_accesskeyid.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-06-08'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search retrieves the times, ARN, source IPs, AWS regions, event
   names, and the result of the event for specific credentials.
 search: '`cloudtrail` | rename userIdentity.accessKeyId as accessKeyId| search accessKeyId=$accessKeyId$
diff --git a/investigations/aws_investigate_user_activities_by_arn.yml b/investigations/aws_investigate_user_activities_by_arn.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-04-30'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search lists all the logged CloudTrail activities by a specific
   user ARN and will create a table containing the source of the user, the region of
   the activity, the name and type of the event, the action taken, and all the user's
diff --git a/investigations/aws_network_acl_details_from_id.yml b/investigations/aws_network_acl_details_from_id.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-01-22'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries AWS description logs and returns all the information
   about a specific network ACL via network ACL ID
 search: '`aws_description` | rename id as networkAclId | search  networkAclId=$networkAclId$
diff --git a/investigations/aws_network_interface_details_via_resourceid.yml b/investigations/aws_network_interface_details_via_resourceid.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-05-07'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries AWS configuration logs and returns the information
   about a specific network interface via network interface ID. The information will
   include the ARN of the network interface, its relationships with other AWS resources,
diff --git a/investigations/aws_s3_bucket_details_via_bucketname.yml b/investigations/aws_s3_bucket_details_via_bucketname.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-06-26'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries AWS configuration logs and returns the information
   about a specific S3 bucket. The information returned includes the time the S3 bucket
   was created, the resource ID, the region it belongs to, the value of action performed,
diff --git a/investigations/gcp_kubernetes_activity_by_src_ip.yml b/investigations/gcp_kubernetes_activity_by_src_ip.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2020-04-13'
 author: Rod Soto, Splunk
 type: Investigation
+status: deprecated
 description: This search provides investigation data about requests via user agent,
   authentication request URI, resource path and cluster name data against Kubernetes
   cluster from a specific IP address
diff --git a/investigations/get_all_aws_activity_from_city.yml b/investigations/get_all_aws_activity_from_city.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-03-19'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search retrieves all the activity from a specific city and will
   create a table containing the time, city, ARN, username, the type of user, the source
   IP address, the AWS region the activity was in, the API called, and whether or not
diff --git a/investigations/get_all_aws_activity_from_country.yml b/investigations/get_all_aws_activity_from_country.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-03-19'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search retrieves all the activity from a specific country and will
   create a table containing the time, country, ARN, username, the type of user, the
   source IP address, the AWS region the activity was in, the API called, and whether
diff --git a/investigations/get_all_aws_activity_from_ip_address.yml b/investigations/get_all_aws_activity_from_ip_address.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-03-19'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search retrieves all the activity from a specific IP address and
   will create a table containing the time, ARN, username, the type of user, the IP
   address, the AWS region the activity was in, the API called, and whether or not
diff --git a/investigations/get_all_aws_activity_from_region.yml b/investigations/get_all_aws_activity_from_region.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-03-19'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search retrieves all the activity from a specific geographic region
   and will create a table containing the time, geographic region, ARN, username, the
   type of user, the source IP address, the AWS region the activity was in, the API
diff --git a/investigations/get_backup_logs_for_endpoint.yml b/investigations/get_backup_logs_for_endpoint.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-14'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search will tell you the backup status from your netbackup_logs
   of a specific endpoint for the last week.
 search: '`netbackup` COMPUTERNAME=$dest$ | rename COMPUTERNAME as dest, MESSAGE as
diff --git a/investigations/get_certificate_logs_for_a_domain.yml b/investigations/get_certificate_logs_for_a_domain.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-04-29'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries the Certificates datamodel and give you all the information
   for a specific domain. Please note that the certificates issued by "Let's Encrypt"
   are widely used by attackers.
diff --git a/investigations/get_dns_server_history_for_a_host.yml b/investigations/get_dns_server_history_for_a_host.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-11-09'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: While investigating any detections it is important to understand which
   and how many DNS servers a host has connected to in the past. This search uses data
   that is tagged as DNS and gives you a count and list of DNS servers that a particular
diff --git a/investigations/get_dns_traffic_ratio.yml b/investigations/get_dns_traffic_ratio.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search calculates the ratio of DNS traffic originating and coming
   from a host to a list of DNS servers over the last 24 hours. A high value of this
   ratio could be very useful to quickly understand if a src_ip (host) is sending a
diff --git a/investigations/get_ec2_instance_details_by_instanceid.yml b/investigations/get_ec2_instance_details_by_instanceid.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-02-12'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries AWS description logs and returns all the information
   about a specific instance via the instanceId field
 search: '`aws_description` | dedup id sortby -_time |rename id as instanceId|  search
diff --git a/investigations/get_ec2_launch_details.yml b/investigations/get_ec2_launch_details.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-03-12'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search returns some of the launch details for a EC2 instance.
 search: '`cloudtrail` dest=$dest$ |rename userIdentity.arn as arn, responseElements.instancesSet.items{}.instanceId
   as dest, responseElements.instancesSet.items{}.privateIpAddress as privateIpAddress,
diff --git a/investigations/get_email_info.yml b/investigations/get_email_info.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-11-09'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search returns all the information Splunk might have collected a
   specific email message over the last 2 hours.
 search: '| from datamodel Email.All_Email | search message_id=$message_id$'
diff --git a/investigations/get_emails_from_specific_sender.yml b/investigations/get_emails_from_specific_sender.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-11-09'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search returns all the emails from a specific sender over the last
   24 and next hours.
 search: '| from datamodel Email.All_Email | search src_user=$src_user$'
diff --git a/investigations/get_first_occurrence_and_last_occurrence_of_a_mac_address.yml b/investigations/get_first_occurrence_and_last_occurrence_of_a_mac_address.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-13'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search allows you to gather more context around a notable which
   has detected a new device connecting to your network. Use this search to determine
   the first and last occurrences of the suspicious device attempting to connect with
diff --git a/investigations/get_history_of_email_sources.yml b/investigations/get_history_of_email_sources.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2019-02-21'
 author: Rico Valdez, Splunk
 type: Investigation
+status: deprecated
 description: This search returns a list of all email sources seen in the 48 hours
   prior to the notable event to 24 hours after, and the number of emails from each
   source.
diff --git a/investigations/get_logon_rights_modifications_for_endpoint.yml b/investigations/get_logon_rights_modifications_for_endpoint.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2017-09-12'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search allows you to retrieve any modifications to logon rights
   associated with a specific host.
 search: '`wineventlog_security` (signature_id=4718 OR signature_id=4717) dest=$dest$
diff --git a/investigations/get_logon_rights_modifications_for_user.yml b/investigations/get_logon_rights_modifications_for_user.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-02-27'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search allows you to retrieve any modifications to logon rights
   for a specific user account.
 search: '`wineventlog_security` (signature_id=4718 OR signature_id=4717) user=$user$
diff --git a/investigations/get_notable_history.yml b/investigations/get_notable_history.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2017-09-20'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries the notable index and returns all the Notable Events
   for the particular destination host, giving the analyst an overview of the incidents
   that may have occurred with the host under investigation.
diff --git a/investigations/get_outbound_emails_to_hidden_cobra_threat_actors.yml b/investigations/get_outbound_emails_to_hidden_cobra_threat_actors.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-06-14'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: 'This search returns the information of the users that sent emails to
   the accounts controlled by the Hidden Cobra Threat Actors: specifically to `misswang8107@gmail.com`,
   and from `redhat@gmail.com`.'
diff --git a/investigations/get_parent_process_info.yml b/investigations/get_parent_process_info.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-02-28'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries the Endpoint data model to give you details about
   the parent process of a process running on a host which is under investigation.
   Enter the values of the process name in question and the dest
diff --git a/investigations/get_process_file_activity.yml b/investigations/get_process_file_activity.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-11-06'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search returns the file activity for a specific process on a specific
   endpoint
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_name) as
diff --git a/investigations/get_process_info.yml b/investigations/get_process_info.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-04-01'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search queries the Endpoint data model to give you details about
   the process running on a host which is under investigation. To gather the process
   info, enter the values for the process name in question and the destination IP address.
diff --git a/investigations/get_process_information_for_port_activity.yml b/investigations/get_process_information_for_port_activity.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-04-01'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search will return information about the process associated with
   observed network traffic to a specific destination port from a specific host.
 search: '| tstats `security_content_summariesonly` count min(_time) max(_time) as
diff --git a/investigations/get_process_responsible_for_the_dns_traffic.yml b/investigations/get_process_responsible_for_the_dns_traffic.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2019-04-01'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: While investigating, an analyst will want to know what process and parent_process
   is responsible for generating suspicious DNS traffic. Use the following search and
   enter the value of `dest` in the search to get specific details on the process responsible
diff --git a/investigations/get_sysmon_wmi_activity_for_host.yml b/investigations/get_sysmon_wmi_activity_for_host.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-10-23'
 author: Rico Valdez, Splunk
 type: Investigation
+status: deprecated
 description: This search queries Sysmon WMI events for the host of interest.
 search: '`sysmon` EventCode>18 EventCode<22 | rename host as dest | search dest=$dest$|
   table _time, dest, user, Name, Operation, EventType, Type, Query, Consumer, Filter'
diff --git a/investigations/get_web_session_information_via_session_id.yml b/investigations/get_web_session_information_via_session_id.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-10-08'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search helps an analyst investigate a notable event to find out
   more about a specific web session. The search looks for a specific web session ID
   in the HTTP web traffic and outputs the URL and user agents, grouped by source IP
diff --git a/investigations/investigate_aws_activities_via_region_name.yml b/investigations/investigate_aws_activities_via_region_name.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-02-09'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search lists all the user activities logged by CloudTrail for a
   specific region in question and will create a table of the values of parameters
   requested, the type of the event and the response from the AWS API by each user
diff --git a/investigations/investigate_aws_user_activities_by_user_field.yml b/investigations/investigate_aws_user_activities_by_user_field.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search lists all the logged CloudTrail activities by a specific
   user and will create a table containing the source of the user, the region of the
   activity, the name and type of the event, the action taken, and the user's identity
diff --git a/investigations/investigate_failed_logins_for_multiple_destinations.yml b/investigations/investigate_failed_logins_for_multiple_destinations.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2019-12-10'
 author: Patrick Bareiss, Splunk
 type: Investigation
+status: deprecated
 description: This search returns failed logins to multiple destinations by user.
 search: '| tstats count `security_content_summariesonly` earliest(_time) as first_login
   latest(_time) as last_login dc(Authentication.dest) AS distinct_count_dest values(Authentication.dest)
diff --git a/investigations/investigate_network_traffic_from_src_ip.yml b/investigations/investigate_network_traffic_from_src_ip.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2018-06-15'
 author: David Dorsey, Splunk
 type: Investigation
+status: deprecated
 description: This search allows you to find all the network traffic from a specific
   IP address.
 search: '| from datamodel Network_Traffic.All_Traffic | search src_ip=$src_ip$'
diff --git a/investigations/investigate_okta_activity_by_app.yml b/investigations/investigate_okta_activity_by_app.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2020-04-02'
 author: Rico Valdez, Splunk
 type: Investigation
+status: deprecated
 description: This search returns all okta events associated with a specific app
 search: '`okta` app=$app$ | rename client.geographicalContext.country as country,
   client.geographicalContext.state as state, client.geographicalContext.city as city
diff --git a/investigations/investigate_okta_activity_by_ip_address.yml b/investigations/investigate_okta_activity_by_ip_address.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2020-04-02'
 author: Rico Valdez, Splunk
 type: Investigation
+status: deprecated
 description: This search returns all okta events from a specific IP address.
 search: '`okta` src_ip={src_ip} | rename client.geographicalContext.country as country,
   client.geographicalContext.state as state, client.geographicalContext.city as city
diff --git a/investigations/investigate_pass_the_hash_attempts.yml b/investigations/investigate_pass_the_hash_attempts.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2019-12-10'
 author: Patrick Bareiss, Splunk
 type: Investigation
+status: deprecated
 description: This search hunts for dumped NTLM hashes used for pass the hash.
 search: '`wineventlog_security` EventCode=4624 Logon_Type=9 AuthenticationPackageName=Negotiate
   | stats count earliest(_time) as first_login latest(_time) as last_login by src_user
diff --git a/investigations/investigate_pass_the_ticket_attempts.yml b/investigations/investigate_pass_the_ticket_attempts.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Patrick Bareiss, Splunk
 type: Investigation
+status: deprecated
 description: This search hunts for dumped kerberos ticket from LSASS memory.
 search: '`wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user
   "(?<new_user>[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count)
diff --git a/investigations/investigate_previous_unseen_user.yml b/investigations/investigate_previous_unseen_user.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2019-12-10'
 author: Patrick Bareiss, Splunk
 type: Investigation
+status: deprecated
 description: This search returns previous unseen user, which didn't log in for 30
   days.
 search: '| tstats count `security_content_summariesonly` earliest(_time) as first_login
diff --git a/investigations/investigate_successful_remote_desktop_authentications.yml b/investigations/investigate_successful_remote_desktop_authentications.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Jose Hernandez, Splunk
 type: Investigation
+status: deprecated
 description: This search returns the source, destination, and user for all successful
   remote-desktop authentications. A successful authentication after a brute-force
   attack on a destination machine is suspicious behavior.
diff --git a/investigations/investigate_suspicious_strings_in_http_header.yml b/investigations/investigate_suspicious_strings_in_http_header.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2017-10-20'
 author: Bhavin Patel, Splunk
 type: Investigation
+status: deprecated
 description: This search helps an analyst investigate a notable event related to a
   potential Apache Struts exploitation. To investigate, we will want to isolate and
   analyze the "payload" or the commands that were passed to the vulnerable hosts by
diff --git a/investigations/investigate_user_activities_in_okta.yml b/investigations/investigate_user_activities_in_okta.yml
@@ -4,6 +4,7 @@ version: 1
 date: '2020-04-02'
 author: Rico Valdez, Splunk
 type: Investigation
+status: deprecated
 description: This search returns all okta events by a specific user
 search: '`okta` user=$user$ | rename client.geographicalContext.country as country,
   client.geographicalContext.state as state, client.geographicalContext.city as city
diff --git a/investigations/investigate_web_posts_from_src.yml b/investigations/investigate_web_posts_from_src.yml
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Jose Hernandez, Splunk
 type: Investigation
+status: deprecated
 description: This investigative search retrieves POST requests from a specified source
   IP or hostname. Identifying the POST requests, as well as their associated destination
   URLs and user agent(s), may help you scope and characterize the suspicious traffic.
