Macros were missed during the porting copy over. They have now been added.

Author: pyth0n1c

macros/admon.yml

@@ -1,4 +1,8 @@
-definition: source=ActiveDirectory
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
 name: admon
+id: 0cb6c059-e840-4887-8564-9db206ff1115
+version: 1
+creation_date: '2020-04-30'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: source=ActiveDirectory

macros/amazon_security_lake.yml

@@ -1,4 +1,8 @@
-definition: sourcetype=aws:asl
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
 name: amazon_security_lake
+id: b25c757e-d3e1-40a5-8762-4be3fe2190f0
+version: 1
+creation_date: '2020-04-30'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype=aws:asl

macros/appdynamics_security.yml

@@ -1,4 +1,8 @@
+name: appdynamics_security
+id: a6eb6e52-7b54-4163-b574-665c1f79419b
+version: 1
+creation_date: '2020-04-30'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
 definition: sourcetype=appdynamics_security
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
-name: appdynamics_security

macros/applocker.yml

@@ -1,3 +1,8 @@
-definition: (source="WinEventLog:Microsoft-Windows-AppLocker/*" OR source="XmlWinEventLog:Microsoft-Windows-AppLocker/*")
-description: This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events.
 name: applocker
+id: d7e1567e-5e93-4337-b4d2-c488bece65f5
+version: 1
+creation_date: '2024-04-17'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: This macro is designed to simplify the search for AppLocker events by providing a predefined search query. AppLocker, a feature in Windows, helps administrators control which executables, scripts, and libraries can run on their systems. By using this macro, analysts can quickly query AppLocker logs to monitor application control policies and investigate potential unauthorized software executions or policy violations. To modify this macro for a customer environment, you may need to adjust the source field to match the specific log source or index where AppLocker events are stored. Additionally, if the organization uses custom naming conventions or has AppLocker logs aggregated with other data, further refinement of the search query might be necessary to accurately filter for relevant events.
+definition: (source="WinEventLog:Microsoft-Windows-AppLocker/*" OR source="XmlWinEventLog:Microsoft-Windows-AppLocker/*")

macros/aws_cloudwatchlogs_eks.yml

@@ -1,4 +1,8 @@
-definition: sourcetype="aws:cloudwatchlogs:eks"
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
 name: aws_cloudwatchlogs_eks
+id: 3c38a8b2-937b-4db1-8a5f-33044625a7b6
+version: 1
+creation_date: '2020-05-05'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype="aws:cloudwatchlogs:eks"

macros/aws_ecr_users.yml

@@ -1,3 +1,8 @@
-definition: userName IN (user)
-description: specify the user allowed to push Images to AWS ECR.
 name: aws_ecr_users
+id: 5774a0e0-ad59-4df0-89a1-40843ca7ca24
+version: 1
+creation_date: '2021-08-19'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: specify the user allowed to push Images to AWS ECR.
+definition: userName IN (user)

macros/aws_ecr_users_asl.yml

@@ -1,3 +1,8 @@
-definition: actor.user.name IN (admin)
-description: specify the user allowed to push Images to AWS ECR.
 name: aws_ecr_users_asl
+id: 88a41da0-322c-4b81-8002-be88ade4cb70
+version: 1
+creation_date: '2021-08-19'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: specify the user allowed to push Images to AWS ECR.
+definition: actor.user.name IN (admin)

macros/aws_s3_accesslogs.yml

@@ -1,4 +1,8 @@
-definition: sourcetype=aws:s3:accesslogs
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
 name: aws_s3_accesslogs
+id: b476100b-b0b3-4fdb-aa18-87eb91db5aea
+version: 1
+creation_date: '2020-05-05'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype=aws:s3:accesslogs

macros/aws_securityhub_finding.yml

@@ -1,4 +1,8 @@
-definition: sourcetype="aws:securityhub:finding"
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
 name: aws_securityhub_finding
+id: 28467776-425b-4c42-a749-4a301e0f1d41
+version: 1
+creation_date: '2020-05-05'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype="aws:securityhub:finding"

macros/azure_audit.yml

@@ -1,4 +1,8 @@
-definition: sourcetype=mscs:azure:audit
-description: customer specific splunk configurations(eg- index, source, sourcetype).
-  Replace the macro definition with configurations for your Splunk Environment.
 name: azure_audit
+id: 61af3b50-d482-4cd2-b9ae-6d1e3d655932
+version: 1
+creation_date: '2020-04-30'
+modification_date: '2026-05-13'
+author: Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype=mscs:azure:audit