notable to finding 2

Author: patel-bhavin

detections/application/email_attachments_with_lots_of_spaces.yml

@@ -29,7 +29,7 @@ how_to_implement: "You need to ingest data from emails. Specifically, the sender
   this detection search. To use this integration, install the Phantom App for Splunk
   `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the \"\
   Phantom Instance\" field in the Adaptive Response Actions when configuring this
-  detection search. The notable event will be sent to Phantom and the playbook will
+  detection search. The finding based event will be sent to Phantom and the playbook will
   gather further information about the file attachment and its network behaviors.
   If Phantom finds malicious behavior and an analyst approves of the results, the
   email will be deleted from the user's inbox."

detections/application/okta_risk_threshold_exceeded.yml

@@ -28,9 +28,9 @@ search: '| tstats `security_content_summariesonly` values(All_Risk.analyticstori
   |  search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`'
 how_to_implement: This search leverages the Risk Framework from Enterprise Security.
   Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion"
-  analytic stories are enabled. TTPs may be set to Notables for point detections;
-  anomalies should not be notables but rather risk generators. The correlation relies
-  on risk before generating a notable. Modify the value as needed.
+  analytic stories are enabled. TTPs may be set to finding for point detections;
+  anomalies should not be findings but rather intermediate findings. The correlation relies
+  on intermediate findings before generating a findings. Modify the value as needed.
 known_false_positives: False positives will be limited to the number of events generated
   by the analytics tied to the stories. Analytics will need to be tested and tuned,
   and the risk score reduced as needed based on the organization.

detections/application/suspicious_email_attachment_extensions.yml

@@ -26,7 +26,7 @@ how_to_implement: "You need to ingest data from emails. Specifically, the sender
   Delete\" can be configured to run when any results are found by this detection search.
   To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`,
   and add the correct hostname to the \"Phantom Instance\" field in the Adaptive Response
-  Actions when configuring this detection search. The notable event will be sent to
+  Actions when configuring this detection search. The finding event will be sent to
   Phantom and the playbook will gather further information about the file attachment
   and its network behaviors. If Phantom finds malicious behavior and an analyst approves
   of the results, the email will be deleted from the user's inbox.'"

detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml

@@ -34,7 +34,7 @@ how_to_implement: You must install the latest version of Splunk Add-on for Micro
 known_false_positives: "False positives have been minimized by removing attempts that
   result in 'MFA successfully completed messages', which were found to be generated
   when a user opts to use a different MFA method than the default.\nFurther reductions
-  in notable events can be achieved through filtering 'MFA denied; duplicate authentication
+  in finding events can be achieved through filtering 'MFA denied; duplicate authentication
   attempt' messages within the auth_msg field, as they could arguably be considered
   as false positives."
 references:

detections/deprecated/detect_web_traffic_to_dynamic_domain_providers.yml

@@ -19,13 +19,11 @@ how_to_implement: "This search requires you to be ingesting web-traffic logs. Yo
   which contains a non-exhaustive list of dynamic DNS providers. Consider periodically
   updating this local lookup file with new domains.\nThis search produces fields (`isDynDNS`)
   that are not yet supported by ES Incident Review and therefore cannot be viewed
-  when a notable event is raised. These fields contribute additional context to the
-  notable. To see the additional metadata, add the following fields, if not already
+  when a finding event is raised. These fields contribute additional context to the
+  finding. To see the additional metadata, add the following fields, if not already
   present, to Incident Review - Event Attributes (Configure > Incident Management
   > Incident Review Settings > Add New Entry):\n* **Label:** IsDynamicDNS, **Field:**
-  isDynDNS\nDetailed documentation on how to create a new field within Incident Review
-  may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`
-  Deprecated because duplicate."
+  isDynDNS\n Deprecated because duplicate."
 known_false_positives: It is possible that list of dynamic DNS providers is outdated
   and/or that the URL being requested is legitimate.
 references: []

detections/endpoint/batch_file_write_to_system32.yml

@@ -30,7 +30,7 @@ how_to_implement: To successfully implement this search you need to be ingesting
   your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
   confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
   endpoint product.
-known_false_positives: It is possible for this search to generate a notable event
+known_false_positives: It is possible for this search to generate a finding event
   for a batch file write to a path that includes the string "system32", but is not
   the actual Windows system directory. As such, you should confirm the path of the
   batch file identified by the search. In addition, a false positive may be generated

detections/endpoint/common_ransomware_extensions.yml

@@ -27,8 +27,7 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
 how_to_implement: 'You must be ingesting data that records the filesystem activity
   from your hosts to populate the Endpoint Filesystem data model node. To see the
   additional metadata, add the following fields, if not already present, please review
-  the detailed documentation on how to create a new field within Incident Review may
-  be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`'
+  the detailed documentation on how to create a new field within Incident Review'
 known_false_positives: It is possible for a legitimate file with these extensions
   to be created. If this is a true ransomware attack, there will be a large number
   of files created with these extensions.

detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml

@@ -29,9 +29,9 @@ search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where
   source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`'
 how_to_implement: Ensure Linux anomaly and TTP analytics are enabled. TTP may be set
-  to Notables for point detections, anomaly should not be notables but risk generators.
+  to finding  for point detections, anomaly should not be findings but risk generators.
   The correlation relies on more than x amount of distict detection names generated
-  before generating a notable. Modify the value as needed. Default value is set to
+  before generating a finding. Modify the value as needed. Default value is set to
   4. This value may need to be increased based on activity in your environment.
 known_false_positives: False positives will be present based on many factors. Tune
   the correlation as needed to reduce too many triggers.

detections/endpoint/powershell_start_or_stop_service.yml

@@ -23,7 +23,7 @@ how_to_implement: To successfully implement this analytic, you will need to enab
   https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
 known_false_positives: This behavior may be noisy, as these cmdlets are commonly used
   by system administrators or other legitimate users to manage services. Therefore,
-  it is recommended not to enable this analytic as a direct notable or TTP. Instead,
+  it is recommended not to enable this analytic as a direct finding Instead,
   it should be used as part of a broader set of security controls to detect and investigate
   potential threats.
 references:

detections/endpoint/windows_drivers_loaded_by_signature.yml

@@ -23,8 +23,8 @@ how_to_implement: To successfully implement this search, you need to be ingestin
   endpoints. If you are using Sysmon, you must have the latest version of the Sysmon
   TA. Most EDR products provide the ability to review driver loads, or module loads,
   and using a query as such help with hunting for malicious drivers.
-known_false_positives: This analytic is meant to assist with identifying drivers loaded
-  in the environment and not to be setup for notables off the bat.
+known_false_positives: This analytic is meant to assist with identifying and hunting drivers loaded
+  in the environment. 
 references:
 - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
 - https://attack.mitre.org/techniques/T1014/