Update playbooks to new format.

Author: pyth0n1c

playbooks/AD_LDAP_Account_Locking.yml

@@ -1,29 +1,28 @@
 name: AD LDAP Account Locking
 id: e6f96caf-610c-4ced-aa2c-ba9b19b89e1f
-version: 1
-date: '2023-05-08'
+version: 2
+creation_date: '2023-05-17'
+modification_date: '2026-05-19'
 author: Teoderick Contreras, Splunk
 type: Investigation
 description: "Accepts user, to be disabled using Microsoft AD LDAP connector. This playbook produces a normalized observables output for each user and device."
 playbook: AD_LDAP_Account_Locking
-how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. 
-  It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. 
+how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
 references: []
-app_list: 
-  - AD LDAP
-tags:
-  platform_tags:
+app_list:
+    - AD LDAP
+platform_tags:
     - user
     - microsoft_ad_ldap
     - D3-AL
     - disable_account
-  playbook_type: Input
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
-  use_cases:
-  - Phishing
-  - Endpoint
-  defend_technique_id: 
-  - D3-AL
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR
+use_cases:
+    - Phishing
+    - Endpoint
+defend_technique_id:
+    - D3-AL

playbooks/AD_LDAP_Account_Unlocking.yml

@@ -1,24 +1,24 @@
 name: AD LDAP Account Unlocking
 id: e6f96caf-61ac-4ced-aabc-ba9b19bd9e1f
-version: 1
-date: '2023-06-21'
+version: 2
+creation_date: '2023-06-22'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
 description: "Accepts user, to be unlocked using Microsoft AD LDAP connector. This playbook produces a normalized observable output for each user."
 playbook: AD_LDAP_Account_Unlocking
-how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. It is designed to work in conjunction with the Active Directory Enable Account Dispatch playbook or other playbooks in the same style. 
+how_to_implement: This input playbook requires the Microsoft AD LDAP connector to be configured. It is designed to work in conjunction with the Active Directory Enable Account Dispatch playbook or other playbooks in the same style.
 references: []
-app_list: 
-  - AD LDAP
-tags:
-  platform_tags:
+app_list:
+    - AD LDAP
+platform_tags:
     - user
     - microsoft_ad_ldap
     - D3-RUAA
     - active_directory
     - enable_account
-  playbook_type: Input
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR

playbooks/AD_LDAP_Entity_Attribute_Lookup.yml

@@ -1,25 +1,25 @@
 name: AD LDAP Entity Attribute Lookup
 id: fc0edc96-aa2b-4cb0-7b4d-63da67d3fe74
-version: 1
-date: '2023-01-11'
+version: 2
+creation_date: '2023-03-06'
+modification_date: '2026-05-19'
 author: Kelby Shelton, Lou Stella, Splunk
 type: Investigation
 description: "Accepts a user or device and looks up the most recent attributes and groups for that user or device. This playbook produces a normalized output for each user and device."
 playbook: AD_LDAP_Entity_Attribute_Lookup
-how_to_implement: This input playbook requires the AD LDAP connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. 
+how_to_implement: This input playbook requires the AD LDAP connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
 references: []
-app_list: 
-  - AD LDAP
-tags:
-  platform_tags:
-    - attributes 
+app_list:
+    - AD LDAP
+platform_tags:
+    - attributes
     - user
-    - device 
+    - device
     - ad_ldap
-  playbook_type: Input
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
-  use_cases:
-  - Enrichment
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR
+use_cases:
+    - Enrichment

playbooks/AWS_IAM_Account_Locking.yml

@@ -1,29 +1,28 @@
 name: AWS IAM Account Locking
 id: f15e4ab7-b057-4225-86ae-c36ab78b50f2
-version: 1
-date: '2023-05-08'
+version: 2
+creation_date: '2023-05-10'
+modification_date: '2026-05-19'
 author: Teoderick Contreras, Splunk
 type: Investigation
 description: "Accepts user name that needs to be disabled in AWS IAM Active Directory. Disabling an account involves deleting their login profile which will clear the user's password. Generates an observable output based on the status of account locking or disabling."
 playbook: AWS_IAM_Account_Locking
-how_to_implement: This input playbook requires the AWS IAM connector to be configured. 
-  It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style. 
+how_to_implement: This input playbook requires the AWS IAM connector to be configured. It is designed to work in conjunction with the Dynamic Attribute Lookup playbook or other playbooks in the same style.
 references: []
-app_list: 
-  - AWS IAM
-tags:
-  platform_tags:
+app_list:
+    - AWS IAM
+platform_tags:
     - user
     - aws_iam
     - D3-AL
     - disable_account
-  playbook_type: Input
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
-  use_cases:
-  - Phishing
-  - Endpoint
-  defend_technique_id: 
-  - D3-AL
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR
+use_cases:
+    - Phishing
+    - Endpoint
+defend_technique_id:
+    - D3-AL

playbooks/AWS_IAM_Account_Unlocking.yml

@@ -1,25 +1,25 @@
 name: AWS IAM Account Unlocking
 id: f15a4db3-b157-4225-86ae-c36ab78b50f2
-version: 1
-date: '2023-06-21'
+version: 2
+creation_date: '2023-06-22'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
 description: "Accepts user, to be enabled using AWS IAM connector. Enabling an account involves reattaching their login profile which will require setting a new password. This playbook produces a normalized observables output for each user. "
 playbook: AWS_IAM_Account_Unlocking
-how_to_implement: This input playbook requires the AWS IAM connector to be configured. 
+how_to_implement: This input playbook requires the AWS IAM connector to be configured.
 references: []
-app_list: 
-  - AWS IAM
-tags:
-  platform_tags:
+app_list:
+    - AWS IAM
+platform_tags:
     - user
     - aws_iam
     - D3-RUAA
     - enable_account
-  playbook_type: Input
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
-  defend_technique_id: 
-  - D3-RUAA
+playbook_type: Input
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR
+defend_technique_id:
+    - D3-RUAA

playbooks/Active_Directory_Disable_Account_Dispatch.yml

@@ -1,29 +1,28 @@
 name: Active Directory Disable Account Dispatch
 id: 86320591-1bbd-41ab-8990-602a3968fd99
-version: 1
-date: '2023-05-23'
+version: 2
+creation_date: '2023-05-23'
+modification_date: '2026-05-19'
 author: Teoderick Contreras, Splunk
 type: Investigation
-description: Automatically dispatches input playbooks with the 'disable_account' tag.
-  This will produce a merge report and indicator tag for each inputs.
+description: Automatically dispatches input playbooks with the 'disable_account' tag. This will produce a merge report and indicator tag for each inputs.
 playbook: Active_Directory_Disable_Account_Dispatch
 how_to_implement: This automatic playbook requires "disable_account" tag be present on each input playbook you want to launch.
 references: []
-app_list: 
-  - AD LDAP
-  - Azure AD Graph
-tags:
-  platform_tags:
+app_list:
+    - AD LDAP
+    - Azure AD Graph
+platform_tags:
     - user
     - D3-AL
     - disable_account
-  playbook_type: Automation
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
-  use_cases:
-  - Phishing
-  - Endpoint
-  defend_technique_id: 
-  - D3-AL
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR
+use_cases:
+    - Phishing
+    - Endpoint
+defend_technique_id:
+    - D3-AL

playbooks/Active_Directory_Enable_Account_Dispatch.yml

@@ -1,25 +1,25 @@
 name: Active Directory Enable Account Dispatch
 id: 86320a91-1bde-41ab-8990-602a3768fd99
-version: 1
-date: '2023-05-23'
+version: 2
+creation_date: '2023-06-22'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Response
 description: Automatically dispatches input playbooks with the 'enable_account' tag. This will produce a merge report and indicator tag for each inputs.
 playbook: Active_Directory_Enable_Account_Dispatch
 how_to_implement: This automatic playbook requires the "enable_account" tag be present on each input playbook you want to launch.
 references: []
-app_list: 
-  - AD LDAP
-  - Azure AD Graph
-  - AWS IAM
-tags:
-  platform_tags:
+app_list:
+    - AD LDAP
+    - Azure AD Graph
+    - AWS IAM
+platform_tags:
     - user
     - D3-RUAA
     - enable_account
     - active_directory
-  playbook_type: Automation
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR

playbooks/Attribute_Lookup_Dispatch.yml

@@ -1,20 +1,20 @@
 name: Attribute Lookup Dispatch
 id: fc0edc96-ff2b-68d0-9a4d-63da6783fd64
-version: 1
-date: '2023-03-06'
+version: 2
+creation_date: '2023-03-06'
+modification_date: '2026-05-19'
 author: Lou Stella, Splunk
 type: Investigation
 description: "Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that returned information."
 playbook: Attribute_Lookup_Dispatch
-how_to_implement: This playbook looks for artifacts and then dispatches the community Attribute Lookup playbooks. This playbook takes the output of those playbooks and nicely formats them into new artifacts with their results.  
+how_to_implement: This playbook looks for artifacts and then dispatches the community Attribute Lookup playbooks. This playbook takes the output of those playbooks and nicely formats them into new artifacts with their results.
 references: []
 app_list: []
-tags:
-  platform_tags: []
-  playbook_type: Automation
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
-  use_cases:
-  - Enrichment
+platform_tags: []
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR
+use_cases:
+    - Enrichment

playbooks/Automated_Enrichment.yml

@@ -1,19 +1,19 @@
 name: Automated Enrichment
 id: fc0edc96-ff1b-65e0-9a4d-64da6783fd64
-version: 2
-date: '2023-03-06'
+version: 3
+creation_date: '2023-03-06'
+modification_date: '2026-05-19'
 author: Kelby Shelton, Patrick Bareiss, Teoderick Contreras, Lou Stella Splunk
 type: Investigation
 description: "Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets."
 playbook: Automated_Enrichment
 how_to_implement: 1. Ensure you have a reputation analysis playbook (e.g. VirusTotal v3), an attribute lookup playbook (e.g. Azure AD), and a related ticket search playbook (e.g. ServiceNow).\n2. Download local versions of Identifier Reputation Analysis Dispatch, Attribute Lookup Dispatch, and Related Tickets Search Dispatch playbooks.
 references: []
 app_list: []
-tags:
-  platform_tags:
+platform_tags:
     - Enrichment
-  playbook_type: Automation
-  vpe_type: Modern
-  playbook_fields: []
-  product:
-  - Splunk SOAR
+playbook_type: Automation
+vpe_type: Modern
+playbook_fields: []
+product:
+    - Splunk SOAR