Merge branch 'develop' into default_meta_updates

Author: ljstella

.github/CODEOWNERS

@@ -1,2 +1,3 @@
 * @patel-bhavin @ljstella @nasbench
-/response_templates/ @kbouchardherjavecgroup @ccl0utier
+/response_templates/ @kbouchardherjavecgroup @ccl0utier @henryy-splunk
+/.github/workflows/response_templates/mcopenapi_public.yml @kbouchardherjavecgroup @ccl0utier @henryy-splunk

.github/workflows/build-response-templates.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repository code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - uses: actions/setup-python@v6
         with:
@@ -31,7 +31,7 @@ jobs:
           cp response_templates/merged_response_templates/* dist/api/response_templates/
 
       - name: store_artifacts
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: response-templates
           path: |

.github/workflows/response_templates/mcopenapi_public.yml

@@ -2864,7 +2864,11 @@ components:
           type: number
           format: double
           example: 1690743671.0881049633
-      example: { "version": 2, "update_time": 1690743671.0881049633 }
+        description:
+          type: string
+          description: Description of the response template version.
+          example: "This is version 2 of the response template."
+      example: { "version": 2, "update_time": 1690743671.0881049633, "description": "This is version 2 of the response template." }
     ResponseTemplateManifest:
       type: object
       description: Response template manifest.

.github/workflows/response_templates/template_script.py

@@ -32,21 +32,25 @@ def generate_manifest(directory, prefix, output_dir):
         template_mapping = _get_template_mapping(directory)
         for template_name, template_list in sorted(template_mapping.items(), key=lambda x: x[0]):
             out_template_name = f"{template_name}.json"
+            curr_template_name = template_name
 
             templates_version= []
             for _, file in template_list:
                 with open(file, 'r') as in_file:
                     content = in_file.read()
                     curr_template = json.loads(content)
-                    version = curr_template.get("version", "1.0")
+                    version = curr_template.get("version")
                     update_time = curr_template.get("update_time")
+                    description = curr_template.get("description")
+                    curr_template_name = curr_template.get("name", template_name)
                     curr_metadata = {
                         "version": version,
                         "update_time": update_time,
+                        "description": description,
                     }
                     templates_version.append(curr_metadata)
             response_templates.append({
-                "name": template_name,
+                "name": curr_template_name,
                 "versions": templates_version,
                 "link": f"{prefix}{out_template_name}"
             })

baselines/baseline_of_blocked_outbound_traffic_from_aws.yml

@@ -1,7 +1,7 @@
 name: Baseline of blocked outbound traffic from AWS
 id: fc0edd96-ff2b-48b0-9f1f-63da3782fd63
-version: 1
-date: '2018-05-07'
+version: 2
+date: '2026-01-14'
 author: Bhavin Patel, Splunk
 type: Baseline
 status: production
@@ -21,7 +21,7 @@ search: '`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=17
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
   and Splunk Add-on for AWS version (4.4.0 or later), then configure your `VPC flow
   logs.`.
-known_false_positives: none
+known_false_positives: No false positives have been identified at this time.
 references: []
 tags:
   analytic_story:

baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Cloud Infrastructure API Calls Per User
 id: 1da5d5ea-4382-447d-98a9-87c358c95fcb
-version: 1
-date: '2020-09-07'
+version: 2
+date: '2026-01-14'
 author: David Dorsey, Splunk
 type: Baseline
 status: production
@@ -28,7 +28,7 @@ how_to_implement: You must have Enterprise Security 6.0 or later, if not you wil
   90 days of data. You can modify the search window to build the model over a longer
   period of time, which may give you better results. You may also want to periodically
   re-run this search to rebuild the model with the latest data.
-known_false_positives: none
+known_false_positives: No false positives have been identified at this time.
 references: []
 tags:
   analytic_story:

baselines/baseline_of_cloud_instances_destroyed.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Cloud Instances Destroyed
 id: a2f701f8-5296-4d74-829c-0b7eb346d549
-version: 1
-date: '2020-08-25'
+version: 2
+date: '2026-01-14'
 author: David Dorsey, Splunk
 type: Baseline
 status: production
@@ -32,7 +32,7 @@ how_to_implement:
   period of time, which may give you better results. You may also want to periodically
   re-run this search to rebuild the model with the latest data.\nMore information
   on the algorithm used in the search can be found at `https://help.splunk.com/en/splunk-enterprise/apply-machine-learning/use-splunk-machine-learning-toolkit/5.5.0/algorithms-and-scoring-metrics-in-mltk/algorithms-in-the-splunk-machine-learning-toolkit#densityfunction-0`."
-known_false_positives: none
+known_false_positives: No false positives have been identified at this time.
 references: []
 tags:
   analytic_story:

baselines/baseline_of_cloud_instances_launched.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Cloud Instances Launched
 id: b01bd274-f661-4f9c-bd9f-cf23ff6ae0bc
-version: 1
-date: '2020-08-14'
+version: 2
+date: '2026-01-14'
 author: David Dorsey, Splunk
 type: Baseline
 status: production
@@ -32,7 +32,7 @@ how_to_implement:
   period of time, which may give you better results. You may also want to periodically
   re-run this search to rebuild the model with the latest data.\nMore information
   on the algorithm used in the search can be found at `https://help.splunk.com/en/splunk-enterprise/apply-machine-learning/use-splunk-machine-learning-toolkit/5.5.0/algorithms-and-scoring-metrics-in-mltk/algorithms-in-the-splunk-machine-learning-toolkit#densityfunction-0`."
-known_false_positives: none
+known_false_positives: No false positives have been identified at this time.
 references: []
 tags:
   analytic_story:

baselines/baseline_of_cloud_security_group_api_calls_per_user.yml

@@ -1,7 +1,7 @@
 name: Baseline Of Cloud Security Group API Calls Per User
 id: 67b84d51-8329-4909-849f-8d38ce54260a
-version: 1
-date: '2020-09-07'
+version: 2
+date: '2026-01-14'
 author: David Dorsey, Splunk
 type: Baseline
 status: production
@@ -27,7 +27,7 @@ how_to_implement: You must have Enterprise Security 6.0 or later, if not you wil
   90 days of data. You can modify the search window to build the model over a longer
   period of time, which may give you better results. You may also want to periodically
   re-run this search to rebuild the model with the latest data.
-known_false_positives: none
+known_false_positives: No false positives have been identified at this time.
 references: []
 tags:
   analytic_story:

baselines/baseline_of_command_line_length___mltk.yml

@@ -1,7 +1,7 @@
 name: Baseline of Command Line Length - MLTK
 id: d2a4d85b-fc6a-47a0-82f6-bc1ec2ebc459
-version: 1
-date: '2019-05-08'
+version: 2
+date: '2026-01-14'
 author: Rico Valdez, Splunk
 type: Baseline
 status: production
@@ -29,7 +29,7 @@ how_to_implement:
   periodically re-run this search to rebuild the model with the latest data. More
   information on the algorithm used in the search can be found at
   `https://help.splunk.com/en/splunk-enterprise/apply-machine-learning/use-splunk-machine-learning-toolkit/5.5.0/algorithms-and-scoring-metrics-in-mltk/algorithms-in-the-splunk-machine-learning-toolkit#densityfunction-0`.
-known_false_positives: none
+known_false_positives: No false positives have been identified at this time.
 references: []
 tags:
   analytic_story: