Yml validation cleanups

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -37,7 +37,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR
 | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
-| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+| outputlookup append=true decommissioned_buckets'
 how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
@@ -61,4 +61,4 @@ deployment:
     cron_schedule: 0 2 * * 0
     earliest_time: -30d@d
     latest_time: -1d@d
-    schedule_window: auto
+    schedule_window: auto

detections/application/cisco_asa___aaa_policy_tampering.yml

@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___device_file_copy_activity.yml

@@ -78,6 +78,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___device_file_copy_to_remote_location.yml

@@ -103,6 +103,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___logging_disabled_via_cli.yml

@@ -76,6 +76,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___logging_filters_configuration_tampering.yml

@@ -87,6 +87,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___logging_message_suppression.yml

@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___new_local_user_account_created.yml

@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___packet_capture_activity.yml

@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___reconnaissance_command_activity.yml

@@ -130,6 +130,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___user_account_deleted_from_local_database.yml

@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml

@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/application/cisco_asa___user_privilege_level_change.yml

@@ -67,6 +67,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

detections/deprecated/cobalt_strike_named_pipes.yml

@@ -4,6 +4,14 @@ version: 13
 date: '2025-12-04'
 author: Michael Haag, Splunk
 status: deprecated
+deprecation_info:
+  content_type: Search
+  full_stanza_name: ESCU - Cobalt Strike Named Pipes - Rule
+  reason: Detection is now part of a larger collection of suspicious named pipes
+  removed_in_version: 5.22.0
+  replacement_content: []
+  # TODO - commented out for now. This will be updated after a parsing improvement.
+  #- Windows Suspicious C2 Named Pipe
 type: TTP
 description: The following analytic detects the use of default or publicly known named
   pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify

detections/deprecated/http_suspicious_tool_user_agent.yml

@@ -9,6 +9,13 @@ description: This Splunk query analyzes web access logs to identify and categori
   non-browser user agents, detecting various types of security tools, scripting languages,
   automation frameworks, and suspicious patterns. This activity can signify malicious actors
   attempting to interact with web endpoints in non-standard ways.
+deprecation_info:
+   content_type: Search
+   full_stanza_name: ESCU - HTTP Suspicious Tool User Agent - Rule
+   removed_in_version: 5.22.0
+   reason: Detection has been renamed for clarity
+   replacement_content:
+   - HTTP Scripting Tool User Agent
 data_source:
 - Nginx Access
 search: '`nginx_access_logs`

detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml

@@ -92,6 +92,7 @@ tags:
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml

@@ -89,6 +89,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml

@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml

@@ -91,6 +91,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml

@@ -88,6 +88,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml

@@ -99,6 +99,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml

@@ -86,6 +86,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml

@@ -87,6 +87,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml

@@ -105,6 +105,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml

@@ -125,6 +125,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml

@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml

@@ -88,6 +88,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml

@@ -101,6 +101,7 @@ tags:
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM

detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml

@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/network/cisco_secure_firewall___binary_file_type_download.yml

@@ -72,6 +72,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test

detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml

@@ -82,6 +82,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test

detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml

@@ -69,6 +69,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test

detections/network/cisco_secure_firewall___malware_file_downloaded.yml

@@ -67,6 +67,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test

detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml

@@ -78,6 +78,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test