splunk
diff --git a/‎baselines/deprecated/.gitkeep b/‎baselines/deprecated/.gitkeep
diff --git a/‎baselines/previously_seen_aws_cross_account_activity___initial.yml renamed to ‎baselines/deprecated/previously_seen_aws_cross_account_activity___initial.yml
+1-1 b/‎baselines/previously_seen_aws_cross_account_activity___initial.yml renamed to ‎baselines/deprecated/previously_seen_aws_cross_account_activity___initial.yml
+1-1
diff --git a/‎baselines/previously_seen_aws_cross_account_activity___update.yml renamed to ‎baselines/deprecated/previously_seen_aws_cross_account_activity___update.yml
+1-1 b/‎baselines/previously_seen_aws_cross_account_activity___update.yml renamed to ‎baselines/deprecated/previously_seen_aws_cross_account_activity___update.yml
+1-1
diff --git a/‎contentctl.yml
+1-1 b/‎contentctl.yml
+1-1
diff --git a/‎detections/deprecated/.gitkeep b/‎detections/deprecated/.gitkeep
diff --git a/‎detections/endpoint/attacker_tools_on_endpoint.yml
+2-3 b/‎detections/endpoint/attacker_tools_on_endpoint.yml
+2-3
diff --git a/‎lookups/deprecation_info.csv
+207 b/‎lookups/deprecation_info.csv
+207
diff --git a/‎lookups/deprecation_info.yml
+9 b/‎lookups/deprecation_info.yml
+9
diff --git a/‎baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml renamed to ‎removed/baselines/add_prohibited_processes_to_enterprise_security.yml
+1-1 b/‎baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml renamed to ‎removed/baselines/add_prohibited_processes_to_enterprise_security.yml
+1-1
diff --git a/‎baselines/deprecated/baseline_of_api_calls_per_user_arn.yml renamed to ‎removed/baselines/baseline_of_api_calls_per_user_arn.yml
+1-1 b/‎baselines/deprecated/baseline_of_api_calls_per_user_arn.yml renamed to ‎removed/baselines/baseline_of_api_calls_per_user_arn.yml
+1-1
diff --git a/‎baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml renamed to ‎removed/baselines/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
+1-1 b/‎baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml renamed to ‎removed/baselines/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
+1-1
diff --git a/‎baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml renamed to ‎removed/baselines/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
+1-1 b/‎baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml renamed to ‎removed/baselines/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
+1-1
diff --git a/‎baselines/monitor_successful_backups.yml renamed to ‎removed/baselines/monitor_successful_backups.yml
+3-3 b/‎baselines/monitor_successful_backups.yml renamed to ‎removed/baselines/monitor_successful_backups.yml
+3-3
diff --git a/‎baselines/monitor_unsuccessful_backups.yml renamed to ‎removed/baselines/monitor_unsuccessful_backups.yml
+3-3 b/‎baselines/monitor_unsuccessful_backups.yml renamed to ‎removed/baselines/monitor_unsuccessful_backups.yml
+3-3
diff --git a/‎baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml renamed to ‎removed/baselines/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
+1-1 b/‎baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml renamed to ‎removed/baselines/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
+1-1
diff --git a/‎baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml renamed to ‎removed/baselines/previously_seen_aws_provisioning_activity_sources.yml
+1-1 b/‎baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml renamed to ‎removed/baselines/previously_seen_aws_provisioning_activity_sources.yml
+1-1
diff --git a/‎baselines/previously_seen_aws_regions.yml renamed to ‎removed/baselines/previously_seen_aws_regions.yml
+3-3 b/‎baselines/previously_seen_aws_regions.yml renamed to ‎removed/baselines/previously_seen_aws_regions.yml
+3-3
diff --git a/‎baselines/deprecated/previously_seen_ec2_amis.yml renamed to ‎removed/baselines/previously_seen_ec2_amis.yml
+1-1 b/‎baselines/deprecated/previously_seen_ec2_amis.yml renamed to ‎removed/baselines/previously_seen_ec2_amis.yml
+1-1
diff --git a/‎baselines/deprecated/previously_seen_ec2_instance_types.yml renamed to ‎removed/baselines/previously_seen_ec2_instance_types.yml
+1-1 b/‎baselines/deprecated/previously_seen_ec2_instance_types.yml renamed to ‎removed/baselines/previously_seen_ec2_instance_types.yml
+1-1
diff --git a/‎baselines/deprecated/previously_seen_ec2_launches_by_user.yml renamed to ‎removed/baselines/previously_seen_ec2_launches_by_user.yml
+1-1 b/‎baselines/deprecated/previously_seen_ec2_launches_by_user.yml renamed to ‎removed/baselines/previously_seen_ec2_launches_by_user.yml
+1-1
diff --git a/‎baselines/previously_seen_ec2_modifications_by_user.yml renamed to ‎removed/baselines/previously_seen_ec2_modifications_by_user.yml
+3-3 b/‎baselines/previously_seen_ec2_modifications_by_user.yml renamed to ‎removed/baselines/previously_seen_ec2_modifications_by_user.yml
+3-3
diff --git a/‎baselines/deprecated/previously_seen_users_in_cloudtrail.yml renamed to ‎removed/baselines/previously_seen_users_in_cloudtrail.yml
+1-1 b/‎baselines/deprecated/previously_seen_users_in_cloudtrail.yml renamed to ‎removed/baselines/previously_seen_users_in_cloudtrail.yml
+1-1
diff --git a/‎baselines/systems_ready_for_spectre_meltdown_windows_patch.yml renamed to ‎removed/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml
+3-3 b/‎baselines/systems_ready_for_spectre_meltdown_windows_patch.yml renamed to ‎removed/baselines/systems_ready_for_spectre_meltdown_windows_patch.yml
+3-3
diff --git a/‎baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml renamed to ‎removed/baselines/update_previously_seen_users_in_cloudtrail.yml
+1-1 b/‎baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml renamed to ‎removed/baselines/update_previously_seen_users_in_cloudtrail.yml
+1-1
@@ -4,7 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
-status: production
+status: deprecated
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -4,7 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
-status: production
+status: deprecated
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.1.1
+  version: 5.2.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
 
@@ -1,7 +1,7 @@
 name: Attacker Tools On Endpoint
 id: a51bfe1a-94f0-48cc-b4e4-16a110145893
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-02-27'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -66,7 +66,6 @@ rba:
 tags:
   analytic_story:
   - XMRig
-  - Monitor for Unauthorized Software
   - Unusual Processes
   - SamSam Ransomware
   - CISA AA22-264A
 
@@ -0,0 +1,9 @@
+name: deprecation_info
+date: 2025-03-14
+version: 1
+id: d83dad4f-7bce-4979-bf07-a88c610da5f6
+author: Splunk Threat Research Team
+lookup_type: csv
+default_match: false
+description: A lookup file for deprecation information
+min_matches: 1
@@ -4,7 +4,7 @@ version: 1
 date: '2017-09-15'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search takes the existing interesting process table from ES, filters
   out any existing additions added by ESCU and then updates the table with processes
   identified by ESCU that should be prohibited on your endpoints.
 
@@ -4,7 +4,7 @@ version: 1
 date: '2018-04-09'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation of the number of API calls made by each user. Also recorded is the number
   of data points for each user. This table is then outputted to a lookup file to allow
 
@@ -4,7 +4,7 @@ version: 1
 date: '2019-11-14'
 author: Jason Brewer, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many RunInstances users do in the environment. By default, the search uses
   the last 90 days of data to build the model. The model created by this search is
 
@@ -4,7 +4,7 @@ version: 1
 date: '2019-11-14'
 author: Jason Brewer, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many TerminateInstances users do in the environment. By default, the search
   uses the last 90 days of data to build the model. The model created by this search
 
@@ -1,10 +1,10 @@
 name: Monitor Successful Backups
 id: b4d0dfb2-2195-4f6e-93a3-48468ed9734e
-version: 1
-date: '2017-09-12'
+version: 2
+date: '2025-02-27'
 author: David Dorsey, Splunk
 type: Baseline
-status: production
+status: removed
 description: This search is intended to give you a feel for how often successful backups
   are conducted in your environment. Fluctuations in these numbers will allow you
   to determine when you should investigate.
 
@@ -1,10 +1,10 @@
 name: Monitor Unsuccessful Backups
 id: b2178fed-592f-492b-b851-74161678aa56
-version: 1
-date: '2017-09-12'
+version: 2
+date: '2025-02-27'
 author: David Dorsey, Splunk
 type: Baseline
-status: production
+status: removed
 description: This search is intended to give you a feel for how often backup failures
   happen in your environments.  Fluctuations in these numbers will allow you to determine
   when you should investigate.
 
@@ -4,7 +4,7 @@ version: 1
 date: '2018-04-16'
 author: Bhavin Patel, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search looks for successful API calls made by different user roles,
   then creates a baseline of the earliest and latest times we have encountered this
   user role. It also returns the name of the API call in our dataset--grouped by user
 
@@ -4,7 +4,7 @@ version: 1
 date: '2018-03-16'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search builds a table of the first and last times seen for every
   IP address (along with its physical location) previously associated with cloud-provisioning
   activity. This is broadly defined as any event that runs or creates something.
 
@@ -1,10 +1,10 @@
 name: Previously Seen AWS Regions
 id: fc0edc95-ff2b-48b0-9f6f-63da3789fd63
-version: 1
-date: '2018-01-08'
+version: 2
+date: '2025-02-27'
 author: Bhavin Patel, Splunk
 type: Baseline
-status: production
+status: removed
 description: This search looks for CloudTrail events where an AWS instance is started
   and creates a baseline of most recent time (latest) and the first time (earliest)
   we've seen this region in our dataset grouped by the value awsRegion for the last
 
@@ -4,7 +4,7 @@ version: 2
 date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search builds a table of previously seen AMIs used to launch EC2
   instances
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId
 
@@ -4,7 +4,7 @@ version: 2
 date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search builds a table of previously seen EC2 instance types
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType
   as instanceType | fillnull value="m1.small" instanceType | stats earliest(_time)
 
@@ -4,7 +4,7 @@ version: 2
 date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search builds a table of previously seen ARNs that have launched
   a EC2 instance.
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn
 
@@ -1,10 +1,10 @@
 name: Previously Seen EC2 Modifications By User
 id: 4d69091b-d975-4267-85df-888bd41034eb
-version: 1
-date: '2018-04-05'
+version: 2
+date: '2025-02-27'
 author: David Dorsey, Splunk
 type: Baseline
-status: production
+status: removed
 description: This search builds a table of previously seen ARNs that have launched
   a EC2 instance.
 search: '`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn
 
@@ -4,7 +4,7 @@ version: 1
 date: '2018-04-30'
 author: Jason Brewer, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search looks for CloudTrail events where a user logs into the console,
   then creates a baseline of the latest and earliest times, City, Region, and Country
   we have encountered this user in our dataset, grouped by ARN, within the last 30
 
@@ -1,10 +1,10 @@
 name: Systems Ready for Spectre-Meltdown Windows Patch
 id: fc0edc95-ff2b-48b0-9f6f-63da3789fd61
-version: 1
-date: '2018-01-08'
+version: 2
+date: '2025-02-27'
 author: David Dorsey, Splunk
 type: Baseline
-status: production
+status: removed
 description: Some AV applications can cause the Spectre/Meltdown patch for Windows
   not to install successfully. This registry key is supposed to be created by the
   AV engine when it has been patched to be able to handle the Windows patch. If this
 
@@ -4,7 +4,7 @@ version: 2
 date: '2025-01-16'
 author: Jason Brewer, Splunk
 type: Baseline
-status: deprecated
+status: removed
 description: This search looks for CloudTrail events where a user logs into the console,
   then updates the baseline of the latest and earliest times, City, Region, and Country
   we have encountered this user in our dataset, grouped by ARN, within the last hour.