splunk · ljstella · May 21, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -17,6 +17,7 @@
         "./schemas/KVStoreLookup.schema.json": "lookups/kvstore/*.yml",
         "./schemas/FilebackedMacro.schema.json": "macros/*.yml",
         "./schemas/FilebackedSchedule.schema.json": "schedules/*.yml",
+        "./schemas/Playbook.schema.json": "playbooks/*.yml",
         "./schemas/Story.schema.json": ["stories/*.yml", "!removed/stories/*.yml"]
     }
 }
diff --git a/baselines/baseline_of_network_acl_activity_by_arn.yml b/baselines/baseline_of_network_acl_activity_by_arn.yml
@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Network ACL Activity'
diff --git a/baselines/baseline_of_security_group_activity_by_arn.yml b/baselines/baseline_of_security_group_activity_by_arn.yml
@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect Spike in Security Group Activity'
diff --git a/baselines/create_a_list_of_approved_aws_service_accounts.yml b/baselines/create_a_list_of_approved_aws_service_accounts.yml
@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Detect AWS API Activities From Unapproved Accounts'
diff --git a/baselines/discover_dns_records.yml b/baselines/discover_dns_records.yml
@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: DNS record changed'
diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml
@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: network
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: Monitor DNS For Brand Abuse'
diff --git a/baselines/previously_seen_command_line_arguments.yml b/baselines/previously_seen_command_line_arguments.yml
@@ -16,6 +16,3 @@ product:
     - Splunk Cloud
 security_domain: endpoint
 schedule: Default Baseline
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Baseline references detections that do not exist in the corpus: First time seen command line argument'
diff --git a/detections/application/esxi_external_root_login_activity.yml b/detections/application/esxi_external_root_login_activity.yml
@@ -26,11 +26,11 @@ intermediate_findings:
         - field: dest
           type: system
           score: 20
-          message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
+          message: Root logged in on ESXi host $dest$ from $SrcIpAddr$.
         - field: SrcIpAddr
           type: system
           score: 20
-          message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
+          message: Root logged in on ESXi host $dest$ from $SrcIpAddr$.
 analytic_story:
     - ESXi Post Compromise
     - Black Basta Ransomware
@@ -50,15 +50,3 @@ tests:
           source: vmware:esxlog
           sourcetype: vmw-syslog
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: Root logged in on ESXi host $dest$ from $SrcIpAddr.
-        risk_objects:
-            - field: dest
-              type: system
-              score: 20
-            - field: SrcIpAddr
-              type: system
-              score: 20
-        threat_objects: []
-    manual_review_rationale: "The following error was found while validating the intermediate finding message: 1 validation error for EsTokenString\n  Value error, Unbalanced $ delimiter in token string: 'Root logged in on ESXi host $dest$ from $SrcIpAddr.'. Each $ must be part of a $field_name$ token pair. [type=value_error, input_value='Root logged in on ESXi h...$dest$ from $SrcIpAddr.', input_type=str]\n    For further information visit https://errors.pydantic.dev/2.13/v/value_error"
diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml
@@ -43,6 +43,3 @@ category: application
 security_domain: network
 baselines:
     - DNSTwist Domain Names
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: 'Detection references baseline(s) flagged for manual review: DNSTwist Domain Names'
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
@@ -30,6 +30,12 @@ drilldown_searches:
       search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
       earliest_offset: 7d
       latest_offset: "0"
+finding:
+    title: Multiple suspicious Okta risk events - $risk_object$
+    entity:
+        field: risk_object
+        type: user
+        score: 0
 analytic_story:
     - Okta Account Takeover
     - Okta MFA Exhaustion
@@ -51,6 +57,3 @@ tests:
           source: risk_data
           sourcetype: stash
       test_type: unit
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate.
diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
@@ -20,7 +20,7 @@ search: |-
     | where source_count >= 2 and mitre_tactic_id_count>=2
     | `aws_s3_exfiltration_behavior_identified_filter`
 how_to_implement: You must enable all the detection searches in the Data Exfiltration Analytic story to create risk events in Enterprise Security.
-known_false_positives: alse positives may be present based on automated tooling or system administrators. Filter as needed.
+known_false_positives: False positives may be present based on automated tooling or system administrators. Filter as needed.
 references:
     - https://labs.nettitude.com/blog/how-to-exfiltrate-aws-ec2-data/
     - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/
@@ -34,6 +34,12 @@ drilldown_searches:
       search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
       earliest_offset: 7d
       latest_offset: "0"
+finding:
+    title: Suspicious AWS S3 exfiltration behavior identified - $risk_object$
+    entity:
+        field: risk_object
+        type: other
+        score: 0
 analytic_story:
     - Suspicious Cloud Instance Activities
     - Data Exfiltration
@@ -53,6 +59,3 @@ tests:
           sourcetype: stash
           source: aws_exfil
       test_type: unit
-MANUAL_REVIEW:
-    rba: {}
-    manual_review_rationale: Legacy Correlation detections have no rba section (and therefore no entities), but the new format requires a finding with at least one entity. A content author must supply the finding entity for each Correlation detection. Additionally, evaluate whether any Threat Objects are appropriate.
diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
@@ -54,15 +54,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: Service principal $src_user$ bypassed the admin consent process and granted permissions to $user$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: src_user
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -69,15 +69,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: External Guest User $user$ initiated by $initiatedBy$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -43,12 +43,12 @@ drilldown_searches:
 finding:
     title: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$
     entity:
-        field: user
+        field: initiatedBy
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: initiatedBy
+        - field: user
           type: user
           score: 50
           message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$
@@ -72,15 +72,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: Global Administrator Role assigned for User $user$ initiated by $initiatedBy$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -39,12 +39,12 @@ drilldown_searches:
 finding:
     title: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$
     entity:
-        field: user
+        field: initiatedBy
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: initiatedBy
+        - field: user
           type: user
           score: 50
           message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$
@@ -67,15 +67,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: The privileged Azure AD role Privileged Authentication Administrator was assigned for User $user$ initiated by $initiatedBy$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -46,12 +46,12 @@ drilldown_searches:
 finding:
     title: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$
     entity:
-        field: user
+        field: initiatedBy
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: initiatedBy
+        - field: user
           type: user
           score: 50
           message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$
@@ -76,15 +76,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -42,12 +42,12 @@ drilldown_searches:
 finding:
     title: A new owner was added for service principal $displayName$ by $initiatedBy$
     entity:
-        field: displayName
+        field: initiatedBy
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: initiatedBy
+        - field: displayName
           type: user
           score: 50
           message: A new owner was added for service principal $displayName$ by $initiatedBy$
@@ -71,15 +71,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: A new owner was added for service principal $displayName$ by $initiatedBy$
-        risk_objects:
-            - field: displayName
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -40,12 +40,12 @@ drilldown_searches:
 finding:
     title: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$
     entity:
-        field: user
+        field: initiatedBy
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: initiatedBy
+        - field: user
           type: user
           score: 50
           message: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$
@@ -68,15 +68,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: A user account, $user$, was enabled and its password reset within 2 minutes by $initiatedBy$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -43,12 +43,12 @@ drilldown_searches:
 finding:
     title: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$
     entity:
-        field: user
+        field: initiatedBy
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: initiatedBy
+        - field: user
           type: user
           score: 50
           message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$
@@ -71,15 +71,3 @@ tests:
           source: Azure AD
           sourcetype: azure:monitor:aad
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: The SourceAnchor or ImmutableID attribute has been modified for user $user$ by $initiatedBy$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: initiatedBy
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.
diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -36,12 +36,12 @@ drilldown_searches:
 finding:
     title: MFA disabled for User $user$ initiated by $actor.email$
     entity:
-        field: user
+        field: actor.email
         type: user
         score: 50
 intermediate_findings:
     entities:
-        - field: actor.email
+        - field: user
           type: user
           score: 50
           message: MFA disabled for User $user$ initiated by $actor.email$
@@ -65,15 +65,3 @@ tests:
           source: gws:reports:admin
           sourcetype: gws:reports:admin
       test_type: unit
-MANUAL_REVIEW:
-    rba:
-        message: MFA disabled for User $user$ initiated by $actor.email$
-        risk_objects:
-            - field: user
-              type: user
-              score: 50
-            - field: actor.email
-              type: user
-              score: 50
-        threat_objects: []
-    manual_review_rationale: Multiple user-type entities found. We have picked the first one and flagged this detection for manual review.