Clean up MITRE Tagging. When a type is defined, such as T1003, DO NOT allow a subtype such as T1003.001 to be defined. Remove the generic type T1003 and keep the subtype T1003.001. However, it is acceptable for a subtype to be defined or for a type to be defined separately. It is also okay for multiple subtypes to be defined.

Author: pyth0n1c

Diff for: detections/application/detect_distributed_password_spray_attempts.yml

@@ -1,7 +1,7 @@
 name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: Hunting
@@ -65,7 +65,6 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   mitre_attack_id:
   - T1110.003
-  - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/detect_password_spray_attempts.yml

@@ -1,7 +1,7 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -83,7 +83,6 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   mitre_attack_id:
   - T1110.003
-  - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/email_files_written_outside_of_the_outlook_directory.yml

@@ -1,7 +1,7 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
@@ -44,7 +44,6 @@ tags:
   - Collection and Staging
   asset_type: Endpoint
   mitre_attack_id:
-  - T1114
   - T1114.001
   product:
   - Splunk Enterprise

Diff for: detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml

@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -51,7 +51,6 @@ tags:
   - HAFNIUM Group
   asset_type: Endpoint
   mitre_attack_id:
-  - T1114
   - T1114.002
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_authentication_failed_during_mfa_challenge.yml

@@ -1,7 +1,7 @@
 name: Okta Authentication Failed During MFA Challenge
 id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
@@ -59,10 +59,8 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1586
-  - T1586.003
-  - T1078
   - T1078.004
+  - T1586.003
   - T1621
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_multi_factor_authentication_disabled.yml

@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
@@ -57,7 +57,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1556
   - T1556.006
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_new_api_token_created.yml

@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -54,7 +54,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1078
   - T1078.001
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_new_device_enrolled_on_account.yml

@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -54,7 +54,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1098
   - T1098.005
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_phishing_detection_with_fastpass_origin_check.yml

@@ -1,7 +1,7 @@
 name: Okta Phishing Detection with FastPass Origin Check
 id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Okta, Inc, Michael Haag, Splunk
 type: TTP
 status: experimental
@@ -38,7 +38,6 @@ tags:
   - Okta Account Takeover
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1078
   - T1078.001
   - T1556
   product:

Diff for: detections/application/okta_successful_single_factor_authentication.yml

@@ -1,7 +1,7 @@
 name: Okta Successful Single Factor Authentication
 id: 98f6ad4f-4325-4096-9d69-45dc8e638e82
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
@@ -55,10 +55,8 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1586
-  - T1586.003
-  - T1078
   - T1078.004
+  - T1586.003
   - T1621
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_suspicious_activity_reported.yml

@@ -1,7 +1,7 @@
 name: Okta Suspicious Activity Reported
 id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -55,7 +55,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1078
   - T1078.001
   product:
   - Splunk Enterprise

Diff for: detections/application/okta_threatinsight_threat_detected.yml

@@ -1,7 +1,7 @@
 name: Okta ThreatInsight Threat Detected
 id: 140504ae-5fe2-4d65-b2bc-a211813fbca6
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -56,7 +56,6 @@ tags:
   - Okta Account Takeover
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1078
   - T1078.004
   product:
   - Splunk Enterprise

Diff for: detections/application/suspicious_email_attachment_extensions.yml

@@ -1,7 +1,7 @@
 name: Suspicious Email Attachment Extensions
 id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -48,7 +48,6 @@ tags:
   asset_type: Endpoint
   mitre_attack_id:
   - T1566.001
-  - T1566
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_dangerous_deny_acl_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Deny ACL Modification
 id: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -76,9 +76,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_dangerous_group_acl_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Group ACL Modification
 id: 59b0fc85-7a0d-4585-97ec-06a382801990
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -85,9 +85,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_dangerous_user_acl_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Dangerous User ACL Modification
 id: ec5b6790-595a-4fb8-ad43-56e5b55a9617
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -82,9 +82,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_domain_root_acl_deletion.yml

@@ -1,7 +1,7 @@
 name: Windows AD Domain Root ACL Deletion
 id: 3cb56e57-5642-4638-907f-8dfde9afb889
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -75,9 +75,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_domain_root_acl_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Domain Root ACL Modification
 id: 4981e2db-1372-440d-816e-3e7e2ed74433
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -75,9 +75,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_gpo_new_cse_addition.yml

@@ -1,7 +1,7 @@
 name: Windows AD GPO New CSE Addition
 id: 700c11d1-da09-47b2-81aa-358c143c7986
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -64,10 +64,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1484.001
-  - T1222
   - T1222.001
+  - T1484.001
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

Diff for: detections/application/windows_ad_hidden_ou_creation.yml

@@ -1,7 +1,7 @@
 name: Windows AD Hidden OU Creation
 id: 66b6ad5e-339a-40af-b721-dacefc7bdb75
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -74,9 +74,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security