add manual_test tag

Author: nasbench

detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml

@@ -65,6 +65,8 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
+  manual_test: This search needs the baseline `Baseline Of Cloud Infrastructure API Calls Per User` to be run first.
+tests:
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml

@@ -65,6 +65,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: network
+  manual_test: This search needs the baseline `Baseline Of Cloud Security Group API Calls Per User` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml

@@ -67,6 +67,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud API Calls Per User Role - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml

@@ -65,6 +65,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Compute Creations By User` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml

@@ -69,6 +69,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Regions - Update` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml

@@ -68,6 +68,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Compute Images - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml

@@ -69,6 +69,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Compute Instance Types - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml

@@ -63,6 +63,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Cloud Instance Modifications By User - Update` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/cloud/detect_aws_console_login_by_new_user.yml

@@ -45,6 +45,7 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: threat
+  manual_test: This search needs the baseline `Previously Seen Users in CloudTrail - Initial` to be run first.
 tests:
 - name: True Positive Test
   attack_data:

detections/network/detect_outbound_smb_traffic.yml

@@ -16,16 +16,26 @@ description: The following analytic detects outbound SMB (Server Message Block)
 data_source:
 - Zeek Conn
 - Cisco Secure Firewall Threat Defense Connection Event
-search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time)
-  as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app
-  values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed
-  All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
-  AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT
-  All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10", 
+search: '
+  | tstats `security_content_summariesonly` 
+  earliest(_time) as start_time 
+  latest(_time) as end_time 
+  values(All_Traffic.action) as action 
+  values(All_Traffic.app) as app
+  values(sourcetype) as sourcetype count 
+  from datamodel=Network_Traffic where
+    All_Traffic.action=allowed AND
+    (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
+  AND All_Traffic.src_ip IN (
+    "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"
+  ) 
+  AND NOT All_Traffic.dest_ip IN (
+  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", 
   "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
   "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
   "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
-  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")
+  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
+  )
   by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
   All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
   All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port