Fix more filter name issues. Most of these fixes were just trailing spaces after the name of the filter macro, which does not actually affect anything. But others had the filter macro not at the end for no good reason or actual errors/typos in the filter macro. These should now be fixed. We have a handful of detections, 6, which do not have the filter macro at the end and have meaningful changes after it. The team will chat and determine if these should be changed or not.

Author: pyth0n1c

detections/application/email_files_written_outside_of_the_outlook_directory.yml

@@ -15,7 +15,7 @@ search: '| tstats `security_content_summariesonly` count values(Filesystem.file_
   != "C:\\Users\\*\\My Documents\\Outlook Files\\*"  Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*"
   by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest
   | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
-  `email_files_written_outside_of_the_outlook_directory_filter` '
+  `email_files_written_outside_of_the_outlook_directory_filter`'
 how_to_implement: To successfully implement this search, you must be ingesting data
   that records the file-system activity from your hosts to populate the Endpoint.Filesystem
   data model node. This is typically populated via endpoint detection-and-response

detections/application/splunk_rce_via_user_xslt.yml

@@ -19,7 +19,8 @@ search: '`splunkd_ui` ((uri="*NO_BINARY_CHECK=1*" AND "*input.path=*.xsl*") OR u
   | fillnull value="N/A" 
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
-  | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field'
+  | table firstTime, lastTime src, useragent, action, count, Country, Region, City, dest_uri, decoded_field
+  | `splunk_rce_via_user_xslt_filter`'
 how_to_implement: This detection does not require you to ingest any new data. The detection does 
   require the ability to search the _internal index.
 known_false_positives: This search will provide information for investigation and hunting possible abuse of user-supplied XSLT. 

detections/application/suspicious_email_attachment_extensions.yml

@@ -12,7 +12,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user,
   All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` |
   `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments`
-  | `suspicious_email_attachment_extensions_filter` '
+  | `suspicious_email_attachment_extensions_filter`'
 how_to_implement: You need to ingest data from emails. Specifically, the sender's
   address and the file names of any attachments must be mapped to the Email data
   model.

detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml

@@ -13,7 +13,7 @@ search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!=
   max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name
   values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI)
   by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
-  |`amazon_eks_kubernetes_cluster_scan_detection_filter` '
+  |`amazon_eks_kubernetes_cluster_scan_detection_filter`'
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
   and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch
   EKS Logs inputs.

detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml

@@ -13,7 +13,7 @@ search: '`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list o
   | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason)
   values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by
   src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)`
-  | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter` '
+  | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`'
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
   and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch
   EKS Logs.Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection`

detections/cloud/aws_ec2_snapshot_shared_externally.yml

@@ -11,7 +11,7 @@ description: The following analytic utilizes AWS CloudTrail events to identify w
 data_source: 
 - AWS CloudTrail ModifySnapshotAttribute
 search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId
-  as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = "No Match" | `aws_ec2_snapshot_shared_externally_filter` '
+  as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id aws_account_id match vendor_region user_agent userIdentity.principalId | where match = "No Match" | `aws_ec2_snapshot_shared_externally_filter`'
 how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
   search works with AWS CloudTrail logs.
 known_false_positives: It is possible that an AWS admin has legitimately shared a

detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml

@@ -17,9 +17,10 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from d
   lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen,
   enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 |
   eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity
-  > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) |
-  table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter`
-  | `security_content_ctime(firstTime)`'
+  > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) 
+  | `security_content_ctime(firstTime)`
+  | table firstTime, src, City, user, object, command 
+  | `cloud_provisioning_activity_from_previously_unseen_city_filter`'
 how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud
   provider.  You should run the baseline search `Previously Seen Cloud Provisioning
   Activity Sources - Initial` to build the initial table of source IP address, geographic

detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml

@@ -17,9 +17,10 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from d
   | lookup previously_seen_cloud_provisioning_activity_sources Country as Country
   OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data |
   where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry)
-  OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | table firstTime, src,
-  Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter`
-  | `security_content_ctime(firstTime)`'
+  OR firstTimeSeenCountry > relative_time(now(), "-24h@h") 
+  | `security_content_ctime(firstTime)`
+  | table firstTime, src, Country, user, object, command 
+  | `cloud_provisioning_activity_from_previously_unseen_country_filter`'
 how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud
   provider.  You should run the baseline search `Previously Seen Cloud Provisioning
   Activity Sources - Initial` to build the initial table of source IP address, geographic

detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml

@@ -17,8 +17,9 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime, value
   src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data
   | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc)
   OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`)
-  | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`
-  | `security_content_ctime(firstTime)`'
+  | `security_content_ctime(firstTime)`
+  | table firstTime, src, user, object_id, command 
+  | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`'
 how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud
   provider.  You should run the baseline search `Previously Seen Cloud Provisioning
   Activity Sources - Initial` to build the initial table of source IP address, geographic

detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml

@@ -18,8 +18,9 @@ search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from d
   firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where
   enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion)
   OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`)
-  | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter`
-  | `security_content_ctime(firstTime)`'
+  | `security_content_ctime(firstTime)`
+  | table firstTime, src, Region, user, object, command 
+  | `cloud_provisioning_activity_from_previously_unseen_region_filter`'
 how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud
   provider.  You should run the baseline search `Previously Seen Cloud Provisioning
   Activity Sources - Initial` to build the initial table of source IP address, geographic

detections/cloud/detect_new_open_s3_buckets.yml

@@ -17,7 +17,7 @@ search: '`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex
   rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime
   max(_time) as lastTime by user_arn userIdentity.principalId userAgent uri permission
   bucketName | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
-  | `detect_new_open_s3_buckets_filter` '
+  | `detect_new_open_s3_buckets_filter`'
 how_to_implement: You must install the AWS App for Splunk.
 known_false_positives: While this search has no known false positives, it is possible
   that an AWS admin has legitimately created a public bucket for a specific purpose.

detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml

@@ -19,7 +19,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com" (userAgent="[aws-cli*" OR u
   by userIdentity.userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read
   requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write
   requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control
-  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter` '
+  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`'
 how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize
   this data. The search requires AWS Cloudtrail logs.
 known_false_positives: While this search has no known false positives, it is possible

detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml

@@ -19,7 +19,7 @@ search: '`kube_audit` objectRef.resource=secrets verb=get
   | search NOT `kube_allowed_locations`
   | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb City Country
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_abuse_of_secret_by_unusual_location_filter` '
+  | `kubernetes_abuse_of_secret_by_unusual_location_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.

detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml

@@ -18,7 +18,7 @@ search: '`kube_audit` objectRef.resource=secrets verb=get
   | fillnull
   | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter` '
+  | `kubernetes_abuse_of_secret_by_unusual_user_agent_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.

detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml

@@ -18,7 +18,7 @@ search: '`kube_audit` objectRef.resource=secrets verb=get
   | fillnull
   | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_abuse_of_secret_by_unusual_user_group_filter` '
+  | `kubernetes_abuse_of_secret_by_unusual_user_group_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.

detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml

@@ -18,7 +18,7 @@ search: '`kube_audit` objectRef.resource=secrets verb=get
   | fillnull
   | stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_abuse_of_secret_by_unusual_user_name_filter` '
+  | `kubernetes_abuse_of_secret_by_unusual_user_name_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.

detections/cloud/kubernetes_access_scanning.yml

@@ -18,7 +18,7 @@ search: '`kube_audit` "user.groups{}"="system:unauthenticated" "responseStatus.c
   by sourceIPs{} Country City
   | where count > 5
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_access_scanning_filter` '
+  | `kubernetes_access_scanning_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.

detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml

@@ -36,7 +36,7 @@ search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr
   | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name dest.workload.name dest.process.name
   | where count > 5
   | rename k8s.cluster.name as host
-  | `kubernetes_anomalous_inbound_network_activity_from_process_filter` '
+  | `kubernetes_anomalous_inbound_network_activity_from_process_filter`'
 how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and 
   enable Network Performance Monitoring according to instructions found in Splunk Docs 
   https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup 

detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml

@@ -33,7 +33,7 @@ search: '| mstats avg(k8s.pod.network.io) as io where `kubernetes_metrics` by k8
   | rename service as k8s.service  
   | where count > 5
   | rename k8s.node.name as host
-  | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter` '
+  | `kubernetes_anomalous_inbound_to_outbound_network_io_ratio_filter`'
 how_to_implement: 'To implement this detection, follow these steps: 
   
   * Deploy the OpenTelemetry Collector (OTEL) to your Kubernetes cluster.

detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml

@@ -35,7 +35,7 @@ search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr
   | stats count(anomalies) as count values(anomalies) as anomalies by k8s.cluster.name source.workload.name source.process.name
   | where count > 5
   | rename k8s.cluster.name as host
-  | `kubernetes_anomalous_outbound_network_activity_from_process_filter` '
+  | `kubernetes_anomalous_outbound_network_activity_from_process_filter`'
 how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and 
   enable Network Performance Monitoring according to instructions found in Splunk Docs 
   https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup 

detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml

@@ -31,7 +31,7 @@ search: '| mstats avg(tcp.*) as tcp.* avg(udp.*) as udp.* where `kubernetes_metr
   | rename service as k8s.service 
   | where count > 5
   | rename k8s.cluster.name as host
-  | `kubernetes_anomalous_traffic_on_network_edge_filter` '
+  | `kubernetes_anomalous_traffic_on_network_edge_filter`'
 how_to_implement: 'To gather NPM metrics the Open Telemetry to the Kubernetes Cluster and 
   enable Network Performance Monitoring according to instructions found in Splunk Docs 
   https://docs.splunk.com/observability/en/infrastructure/network-explorer/network-explorer-setup.html#network-explorer-setup 

detections/cloud/kubernetes_create_or_update_privileged_pod.yml

@@ -15,7 +15,7 @@ search: '`kube_audit` objectRef.resource=pods verb=create OR verb=update request
   | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource 
   requestObject.kind responseStatus.code sourceIPs{} stage user.username userAgent verb requestObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_create_or_update_privileged_pod_filter` '
+  | `kubernetes_create_or_update_privileged_pod_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.

detections/cloud/kubernetes_cron_job_creation.yml

@@ -16,7 +16,7 @@ search: '`kube_audit` verb=create "objectRef.resource"=cronjobs
   | stats count values(user.groups{}) as user_groups by kind objectRef.name objectRef.namespace objectRef.resource 
   requestObject.kind requestObject.spec.schedule requestObject.spec.jobTemplate.spec.template.spec.containers{}.image responseStatus.code sourceIPs{} stage user.username userAgent verb
   | rename sourceIPs{} as src_ip, user.username as user
-  | `kubernetes_cron_job_creation_filter` '
+  | `kubernetes_cron_job_creation_filter`'
 how_to_implement: The detection is based on data that originates from Kubernetes Audit logs. Ensure that audit logging is enabled in your Kubernetes cluster.
   Kubernetes audit logs provide a record of the requests made to the Kubernetes API server, which is crucial for monitoring and detecting suspicious activities.
   Configure the audit policy in Kubernetes to determine what kind of activities are logged. This is done by creating an Audit Policy and providing it to the API server.