splunk · pyth0n1c · Dec 17, 2025 · Dec 17, 2025 · Dec 22, 2025 · Dec 22, 2025
@@ -37,7 +37,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR
 | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
-| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+| outputlookup append=true decommissioned_buckets'
 how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
@@ -61,4 +61,4 @@ deployment:
     cron_schedule: 0 2 * * 0
     earliest_time: -30d@d
     latest_time: -1d@d
-    schedule_window: auto
+    schedule_window: auto
@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -78,6 +78,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -103,6 +103,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -76,6 +76,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -87,6 +87,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -74,6 +74,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -130,6 +130,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -66,6 +66,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -67,6 +67,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: network
 tests:
   - name: True Positive Test

@@ -4,6 +4,14 @@ version: 13
 date: '2025-12-04'
 author: Michael Haag, Splunk
 status: deprecated
+deprecation_info:
+  content_type: Search
+  full_stanza_name: ESCU - Cobalt Strike Named Pipes - Rule
+  reason: Detection is now part of a larger collection of suspicious named pipes
+  removed_in_version: 5.22.0
+  replacement_content: []
+  # TODO - commented out for now. This will be updated after a parsing improvement.
+  #- Windows Suspicious C2 Named Pipe
 type: TTP
 description: The following analytic detects the use of default or publicly known named
   pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify

@@ -92,6 +92,7 @@ tags:
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -89,6 +89,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -91,6 +91,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -88,6 +88,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -99,6 +99,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -86,6 +86,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -87,6 +87,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -105,6 +105,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -125,6 +125,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -88,6 +88,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -101,6 +101,7 @@ tags:
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
+  - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM

@@ -95,6 +95,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

@@ -72,6 +72,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test

@@ -82,6 +82,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test

@@ -69,6 +69,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test

@@ -67,6 +67,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
 - name: True Positive Test

@@ -78,6 +78,7 @@ tags:
   product:
     - Splunk Enterprise
     - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
   - name: True Positive Test