deprecated: cleanup TBD messages
ljstella committed Nov 27, 2024
1 parent 9ab5e6a commit d2edfa4
Showing 44 changed files with 45 additions and 45 deletions.
@@ -26,7 +26,7 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
human user.
references: []
rba:
message: tbd
message: Abnormal number of instances launched by $userName$
risk_objects:
- field: userName
type: user
@@ -22,7 +22,7 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
human user.
references: []
rba:
message: tbd
message: Abnormal number of instances launched by $src_user$
risk_objects:
- field: src_user
type: user
@@ -27,7 +27,7 @@ known_false_positives: Many service accounts configured with your AWS infrastruc
on a human user.
references: []
rba:
message: tbd
message: Abnormal number of instances terminated by $userName$
risk_objects:
- field: userName
type: user
@@ -22,7 +22,7 @@ known_false_positives: Many service accounts configured within an AWS infrastruc
human user.
references: []
rba:
message: tbd
message: Abnormal number of instances terminated by $src_user$
risk_objects:
- field: src_user
type: user
@@ -38,7 +38,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
to you."
references: []
rba:
message: tbd
message: AWS provisioning from new city ($City$)
risk_objects:
- field: src_ip
type: system
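Review bot: the risk object for this "new city" detection is src_ip (type system), while the sibling "AWS provisioning from new country / IP Address / Region" messages in this same commit all score `user` (type user); confirm the asymmetry is intended. Also, the message names neither the scored entity nor the principal, so the risk event will not say who provisioned from where; consider `message: AWS provisioning by $user$ from new city ($City$) via $src_ip$`, and verify that `City` (capitalized, as `iplocation` emits it) is actually a field the search returns, otherwise the token renders empty.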
@@ -39,7 +39,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
much less valuable to you."
references: []
rba:
message: tbd
message: AWS provisioning from new country ($Country$)
risk_objects:
- field: user
type: user
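Review bot: the risk object is `user`, but the message only carries `$Country$`, so the risk index entry will not identify the principal it is scoring; `message: AWS provisioning by $user$ from new country ($Country$)` keeps the event self-describing. The same applies to the "new IP Address" and "new Region" messages below.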
@@ -38,7 +38,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
to you."
references: []
rba:
message: tbd
message: AWS provisioning from new IP Address ($src_ip$)
risk_objects:
- field: user
type: user
@@ -38,7 +38,7 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
to you."
references: []
rba:
message: tbd
message: AWS provisioning from new Region ($Region$)
risk_objects:
- field: user
type: user
@@ -26,7 +26,7 @@ known_false_positives: It's possible that an enterprise has more than five DNS s
that are configured in a round-robin rotation. Please customize the search, as appropriate.
references: []
rba:
message: tbd
message: Device ($src$) observed utilizing multiple DNS Servers
risk_objects:
- field: src
type: system
@@ -23,7 +23,7 @@ known_false_positives: It's possible that a user has legitimately deleted a netw
ACL.
references: []
rba:
message: tbd
message: AWS Network ACL Deleted by $userName$
risk_objects:
- field: userName
type: user
@@ -36,7 +36,7 @@ known_false_positives: If a known good domain is not listed in the legit_domains
to filter out DNS requests to legitimate domains.
references: []
rba:
message: tbd
message: DNS Request for EvilGinx2 Phishing Site
risk_objects:
- field: src
type: system
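Review bot: the message has no field token, so every risk event from this detection reads identically regardless of host or domain; include at least the scored object, e.g. `message: DNS request for EvilGinx2 phishing site from $src$`, and the queried domain if the search exposes it, since that is what an analyst needs to triage against the legit_domains list mentioned in the context.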
@@ -30,7 +30,7 @@ known_false_positives: It's possible that legitimate TXT record responses can be
to help mitigate false positives.
references: []
rba:
message: tbd
message: Long DNS TXT Response observed
risk_objects:
- field: Destination IP
type: system
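Review bot: the risk object field is `Destination IP`, a name with a space that is not a CIM field; check that the search actually outputs a field with exactly that name (it reads like a display rename), otherwise the risk object resolves to nothing. If the search can expose `dest` instead, use that, and add the host to the message (`Long DNS TXT response observed for $dest$`), which currently carries no token at all.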
@@ -27,7 +27,7 @@ known_false_positives: The activity may be legitimate. PowerShell is often used
may need to tweak the search to eliminate noise.
references: []
rba:
message: tbd
message: Potential Mimikatz usage on $dest$
risk_objects:
- field: dest
type: system
@@ -28,7 +28,7 @@ known_false_positives: It is possible that there are legitimate user roles makin
trigger.
references: []
rba:
message: tbd
message: Never Before Seen API Call from $user$
risk_objects:
- field: user
type: user
2 changes: 1 addition & 1 deletion detections/deprecated/detect_spike_in_aws_api_activity.yml
@@ -43,7 +43,7 @@ how_to_implement: "You must install the AWS App for Splunk (version 5.1.0 or lat
known_false_positives: None.
references: []
rba:
message: tbd
message: Spike in AWS API Activity from $user$
risk_objects:
- field: user
type: user
@@ -37,7 +37,7 @@ known_false_positives: The false-positive rate may vary based on the values of`d
and `deviationThreshold`. Please modify this according the your environment.
references: []
rba:
message: tbd
message: Spike in AWS API Activity related to Network ACLs from $user$
risk_objects:
- field: user
type: user
@@ -38,7 +38,7 @@ known_false_positives: Based on the values of`dataPointThreshold` and `deviation
the false positive rate may vary. Please modify this according the your environment.
references: []
rba:
message: tbd
message: Spike in AWS API Activity related to Security Groups from $user$
risk_objects:
- field: user
type: user
2 changes: 1 addition & 1 deletion detections/deprecated/detect_usb_device_insertion.yml
@@ -27,7 +27,7 @@ known_false_positives: Legitimate USB activity will also be detected. Please ver
and investigate as appropriate.
references: []
rba:
message: tbd
message: USB Device Activity detected on $dest$
risk_objects:
- field: dest
type: system
@@ -30,7 +30,7 @@ known_false_positives: It is possible that list of dynamic DNS providers is outd
and/or that the URL being requested is legitimate.
references: []
rba:
message: tbd
message: Web traffic to Dynamic DNS Provider detected
risk_objects:
- field: dest
type: system
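Review bot: the message carries no token, and the risk object is `dest` (type system), which for web traffic to a dynamic DNS provider is the external hostname, not an asset you own; the internal client (`src`) is the entity whose risk score should rise. Consider scoring `src` and writing `message: Web traffic from $src$ to dynamic DNS provider $dest$` so both ends are visible in the risk event.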
2 changes: 1 addition & 1 deletion detections/deprecated/detection_of_dns_tunnels.yml
@@ -43,7 +43,7 @@ known_false_positives: It's possible that normal DNS traffic will exhibit this b
can also be modified to better suit your environment.
references: []
rba:
message: tbd
message: Potential DNS Tunneling Detected
risk_objects:
- field: src
type: system
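Review bot: the message lacks the `$src$` token even though `src` is the scored object; `message: Potential DNS tunneling detected from $src$` keeps the risk event tied to the host, which matters for a volumetric detection that will fire repeatedly for the same source.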
@@ -20,7 +20,7 @@ known_false_positives: Legitimate DNS activity can be detected in this search. I
verify and update the list of authorized DNS servers as appropriate.
references: []
rba:
message: tbd
message: DNS Resolution from Unauthorized DNS Server
risk_objects:
- field: dest
type: system
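Review bot: the message has no token, and the scored `dest` is the unauthorized DNS server, which is rarely an asset in the inventory; the internal client that resolved against it is the one worth scoring. At minimum add `$dest$` to the message (`DNS resolution via unauthorized DNS server $dest$`), and consider whether `src` should be the risk object, as the sibling DNS detections in this commit use.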
2 changes: 1 addition & 1 deletion detections/deprecated/dns_record_changed.yml
@@ -34,7 +34,7 @@ known_false_positives: Legitimate DNS changes can be detected in this search. In
as appropriate.
references: []
rba:
message: tbd
message: DNS Record Changed
risk_objects:
- field: src
type: system
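Review bot: "DNS Record Changed" carries no field token; include the scored object, e.g. `message: DNS record changed by $src$`, and the record name if the search exposes it, so the risk event is distinguishable from every other firing of this detection.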
@@ -27,7 +27,7 @@ known_false_positives: It's possible that a new user will start to modify EC2 in
modifying instances that this is the intended behavior.
references: []
rba:
message: tbd
message: EC2 Instance Modified for first time by $user$
risk_objects:
- field: user
type: user
@@ -29,7 +29,7 @@ known_false_positives: After a new AMI is created, the first systems created wit
by a legitimate user.
references: []
rba:
message: tbd
message: EC2 Instance $dest$ launched with new AMI
risk_objects:
- field: dest
type: system
@@ -29,7 +29,7 @@ known_false_positives: It is possible that an admin will create a new system usi
to create the system with the new instance type.
references: []
rba:
message: tbd
message: EC2 Instance $dest$ launched with previously unseen instance type $instanceType$
risk_objects:
- field: user
type: user
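Review bot: the risk object is `user`, but the message mentions only `$dest$` and `$instanceType$`, so the scored principal is absent from the risk event; the neighbouring "started by previously unseen user" message gets this right. Suggest `message: EC2 Instance $dest$ launched by $user$ with previously unseen instance type $instanceType$`, and confirm `instanceType` (camel case) matches the field name the search emits.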
@@ -27,7 +27,7 @@ known_false_positives: It's possible that a user will start to create EC2 instan
launching instances that this is the intended behavior.
references: []
rba:
message: tbd
message: EC2 Instance $dest$ started by previously unseen user $user$
risk_objects:
- field: user
type: user
@@ -27,7 +27,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
known_false_positives: None identified.
references: []
rba:
message: tbd
message: Execution of file with spaces before the extension on $dest$
risk_objects:
- field: dest
type: system
@@ -25,7 +25,7 @@ known_false_positives: Not all unauthenticated requests are malicious, but frequ
User Agent and source IPs will provide context.
references: []
rba:
message: tbd
message: Possible GKE Cluster Scan
risk_objects:
- field: src_ip
type: system
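Review bot: the message omits `$src_ip$` although that is the scored object; the known_false_positives context says source IPs and User Agent provide the triage context, so put them in the message, e.g. `message: Possible GKE cluster scan from $src_ip$`.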
2 changes: 1 addition & 1 deletion detections/deprecated/monitor_dns_for_brand_abuse.yml
@@ -22,7 +22,7 @@ how_to_implement: You need to ingest data from your DNS logs. Specifically you m
known_false_positives: None at this time
references: []
rba:
message: tbd
message: Potential brand abuse
risk_objects:
- field: query
type: other
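Review bot: the risk object is `query` (type other) but the message does not include it, so the risk event never names the look-alike domain that triggered it; `message: Potential brand abuse: DNS query for $query$` makes the event actionable on its own.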
@@ -19,7 +19,7 @@ how_to_implement: In order to properly run this search, Splunk needs to ingest d
known_false_positives: There are no known false positives.
references: []
rba:
message: tbd
message: Potential ColdRoot detection on $host$
risk_objects:
- field: host
type: system
2 changes: 1 addition & 1 deletion detections/deprecated/processes_created_by_netsh.yml
@@ -34,7 +34,7 @@ known_false_positives: It is unusual for netsh.exe to have any child processes i
process path since it is a legitimate process by Mircosoft.
references: []
rba:
message: tbd
message: Proccesses created by netsh.exe on $dest$
risk_objects:
- field: dest
type: system
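Review bot: typo in the added message, "Proccesses" should be "Processes"; this string is user-facing in the risk index. While here, the unchanged context line above has "Mircosoft" for "Microsoft".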
@@ -27,7 +27,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
known_false_positives: None at the moment
references: []
rba:
message: tbd
message: Reg.exe used to hide a file or directory on $dest$
risk_objects:
- field: dest
type: system
@@ -22,7 +22,7 @@ known_false_positives: This technique may be legitimately used by administrators
modify remote registries, so it's important to filter these events out.
references: []
rba:
message: tbd
message: Registry remotely modified on $dest$
risk_objects:
- field: user
type: user
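Review bot: the scored object is `user`, but the message only names `$dest$`; since the context notes administrators legitimately modify remote registries, the principal is exactly what an analyst needs to rule that out. Suggest `message: Registry on $dest$ remotely modified by $user$`.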
@@ -28,7 +28,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
known_false_positives: No known false positives
references: []
rba:
message: tbd
message: Tasks being scheduled with names indicative of BadRabbit ransomware on $dest$
risk_objects:
- field: user
type: user
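Review bot: risk object is `user` but the message carries only `$dest$`; add `$user$` (`... on $dest$ by $user$`) so the risk event names the account the score is attributed to.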
@@ -19,7 +19,7 @@ known_false_positives: It is possible that your vulnerability scanner is not det
that the patches have been applied.
references: []
rba:
message: tbd
message: $dest$ enumerated as a Spectre or Meltdown vulnerable system
risk_objects:
- field: dest
type: system
@@ -33,7 +33,7 @@ known_false_positives: There may be other processes in your environment that use
finding false positives, you can modify the search to add those processes as exceptions.
references: []
rba:
message: tbd
message: Suspicious changes to file association on $dest$
risk_objects:
- field: dest
type: system
2 changes: 1 addition & 1 deletion detections/deprecated/suspicious_email___uba_anomaly.yml
@@ -26,7 +26,7 @@ known_false_positives: This detection model will alert on any sender domain that
legitimate sender.
references: []
rba:
message: tbd
message: Suspicious Email as detected by UBA for $user$
risk_objects:
- field: user
type: user
@@ -33,7 +33,7 @@ known_false_positives: Legitimate process can have this combination of command-l
options, but it's not common.
references: []
rba:
message: tbd
message: Suspicious Powershell Command Line Arguments observed on $dest$
risk_objects:
- field: dest
type: system
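Review bot: style only, "Powershell" should be "PowerShell", matching the casing used in the other messages and context lines in this commit.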
2 changes: 1 addition & 1 deletion detections/deprecated/unsigned_image_loaded_by_lsass.yml
@@ -23,7 +23,7 @@ known_false_positives: Other tools could load images into LSASS for legitimate r
references:
- https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf
rba:
message: tbd
message: Unsigned image loaded by LSASS on $dest$
risk_objects:
- field: dest
type: system
2 changes: 1 addition & 1 deletion detections/deprecated/web_fraud___account_harvesting.yml
@@ -36,7 +36,7 @@ references:
- https://splunkbase.splunk.com/app/2734/
- https://splunkbase.splunk.com/app/1809/
rba:
message: tbd
message: Multiple user accounts using the same email domain
risk_objects:
- field: src_user
type: user
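Review bot: the message has no token, so the risk event will not say which account or which email domain is involved; include the scored object, e.g. `message: Multiple user accounts sharing the email domain of $src_user$`, and the domain field if the search exposes it.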
@@ -32,10 +32,10 @@ references:
- https://en.wikipedia.org/wiki/HTTP_cookie
- https://splunkbase.splunk.com/app/1809/
rba:
message: tbd
message: Web sessions exhibiting unauthentic characteristics
risk_objects:
- field: session_id
type: user
type: other
score: 25
threat_objects: []
tags:
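Review bot: changing the `session_id` risk object from `user` to `other` is correct, a session identifier is not an identity and scoring it as a user would pollute the user risk index; this is also the only hunk in the commit that touches more than the message, so it deserves a mention in the commit message. The message itself still carries no token; `message: Web session $session_id$ exhibiting unauthentic characteristics` would let an analyst pivot straight to the session.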
@@ -27,7 +27,7 @@ references:
- https://en.wikipedia.org/wiki/HTTP_cookie
- https://splunkbase.splunk.com/app/1809/
rba:
message: tbd
message: Password sharing across accounts
risk_objects:
- field: user
type: user
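Review bot: the message lacks `$user$` although `user` is the scored object; `message: Password sharing across accounts involving $user$` ties the risk event to the account being scored.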
@@ -30,7 +30,7 @@ known_false_positives: This process should not be ran forcefully, we have not se
any false positives for this detection
references: []
rba:
message: tbd
message: Potentially suspicious connhost.exe behavior on $dest$
risk_objects:
- field: dest
type: system
2 changes: 1 addition & 1 deletion detections/deprecated/windows_hosts_file_modification.yml
@@ -24,7 +24,7 @@ known_false_positives: There may be legitimate reasons for system administrators
add entries to this file.
references: []
rba:
message: tbd
message: Host file modified on $dest$
risk_objects:
- field: dest
type: system
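Review bot: naming nit, the Windows file is `hosts`, so "Hosts file modified on $dest$" reads correctly and matches the filename in the detection path `windows_hosts_file_modification.yml`.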