splunk
diff --git a/‎.github/labeler.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/labeler.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎detections/application/detect_distributed_password_spray_attempts.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/detect_distributed_password_spray_attempts.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/detect_password_spray_attempts.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/detect_password_spray_attempts.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/email_files_written_outside_of_the_outlook_directory.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/email_files_written_outside_of_the_outlook_directory.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/okta_authentication_failed_during_mfa_challenge.yml‎
Lines changed: 3 additions & 5 deletions b/‎detections/application/okta_authentication_failed_during_mfa_challenge.yml‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎detections/application/okta_multi_factor_authentication_disabled.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/okta_multi_factor_authentication_disabled.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/okta_new_api_token_created.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/okta_new_api_token_created.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/okta_new_device_enrolled_on_account.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/okta_new_device_enrolled_on_account.yml‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎detections/application/okta_phishing_detection_with_fastpass_origin_check.yml‎
Lines changed: 2 additions & 3 deletions b/‎detections/application/okta_phishing_detection_with_fastpass_origin_check.yml‎
Lines changed: 2 additions & 3 deletions
@@ -22,3 +22,8 @@ Lookups:
 Datasource:
 - changed-files:
   - any-glob-to-any-file: data_sources/*
+
+Baselines:
+  - changed-files:
+    - any-glob-to-any-file: baselines/*
+
@@ -1,7 +1,7 @@
 name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: Hunting
@@ -65,7 +65,6 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   mitre_attack_id:
   - T1110.003
-  - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
 
@@ -1,7 +1,7 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -83,7 +83,6 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   mitre_attack_id:
   - T1110.003
-  - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
 
@@ -1,7 +1,7 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
@@ -44,7 +44,6 @@ tags:
   - Collection and Staging
   asset_type: Endpoint
   mitre_attack_id:
-  - T1114
   - T1114.001
   product:
   - Splunk Enterprise
 
@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -51,7 +51,6 @@ tags:
   - HAFNIUM Group
   asset_type: Endpoint
   mitre_attack_id:
-  - T1114
   - T1114.002
   product:
   - Splunk Enterprise
 
@@ -1,7 +1,7 @@
 name: Okta Authentication Failed During MFA Challenge
 id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
@@ -59,10 +59,8 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1586
-  - T1586.003
-  - T1078
   - T1078.004
+  - T1586.003
   - T1621
   product:
   - Splunk Enterprise
 
@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
@@ -57,7 +57,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1556
   - T1556.006
   product:
   - Splunk Enterprise
 
@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -54,7 +54,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1078
   - T1078.001
   product:
   - Splunk Enterprise
 
@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -54,7 +54,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1098
   - T1098.005
   product:
   - Splunk Enterprise
 
@@ -1,7 +1,7 @@
 name: Okta Phishing Detection with FastPass Origin Check
 id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Okta, Inc, Michael Haag, Splunk
 type: TTP
 status: experimental
@@ -38,7 +38,6 @@ tags:
   - Okta Account Takeover
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1078
   - T1078.001
   - T1556
   product: