diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 27e50f2d97..01fc428ed4 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -1,7 +1,7 @@
 name: CrushFTP Server Side Template Injection
 id: ccf6b7a3-bd39-4bc9-a949-143a8d640dbc
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Michael Haag, Splunk
 data_source:
 - CrushFTP
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
index b1dd4b1859..a25a797b90 100644
--- a/detections/application/detect_distributed_password_spray_attempts.yml
+++ b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -1,7 +1,7 @@
 name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
-version: 2
-date: '2024-10-17'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: Hunting
diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml
index a82cfc978b..fb892eaaa3 100644
--- a/detections/application/detect_new_login_attempts_to_routers.yml
+++ b/detections/application/detect_new_login_attempts_to_routers.yml
@@ -1,7 +1,7 @@
 name: Detect New Login Attempts to Routers
 id: bce3ed7c-9b1f-42a0-abdf-d8b123a34836
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
index 4292a1581d..9089026b9d 100644
--- a/detections/application/detect_password_spray_attempts.yml
+++ b/detections/application/detect_password_spray_attempts.yml
@@ -1,7 +1,7 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml
index 1de5fd4e87..68b4b36694 100644
--- a/detections/application/email_attachments_with_lots_of_spaces.yml
+++ b/detections/application/email_attachments_with_lots_of_spaces.yml
@@ -1,7 +1,7 @@
 name: Email Attachments With Lots Of Spaces
 id: 56e877a6-1455-4479-ada6-0550dc1e22f8
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2025-01-21'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
index ea9f053c92..b60204ed4f 100644
--- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml
+++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
@@ -1,7 +1,7 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
-version: 5
-date: '2024-10-17'
+version: 6
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
index 1c606a864d..7a4e2f7bd3 100644
--- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
+++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/ivanti_vtm_new_account_creation.yml b/detections/application/ivanti_vtm_new_account_creation.yml
index 5e4aa417b6..1cb41a1d85 100644
--- a/detections/application/ivanti_vtm_new_account_creation.yml
+++ b/detections/application/ivanti_vtm_new_account_creation.yml
@@ -1,7 +1,7 @@
 name: Ivanti VTM New Account Creation
 id: b04be6e5-2002-4349-8742-52285635b8f5
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Michael Haag, Splunk
 data_source:
 - Ivanti VTM Audit
diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml
index 55231f7685..fb4e90525e 100644
--- a/detections/application/monitor_email_for_brand_abuse.yml
+++ b/detections/application/monitor_email_for_brand_abuse.yml
@@ -1,7 +1,7 @@
 name: Monitor Email For Brand Abuse
 id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2025-01-21'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml
index b492738eef..5c20fa4d04 100644
--- a/detections/application/no_windows_updates_in_a_time_frame.yml
+++ b/detections/application/no_windows_updates_in_a_time_frame.yml
@@ -1,7 +1,7 @@
 name: No Windows Updates in a time frame
 id: 1a77c08c-2f56-409c-a2d3-7d64617edd4f
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
index c656d2d810..48faea347a 100644
--- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml
+++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: Okta Authentication Failed During MFA Challenge
 id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml
index afc64b9a2e..aaaf5d028c 100644
--- a/detections/application/okta_idp_lifecycle_modifications.yml
+++ b/detections/application/okta_idp_lifecycle_modifications.yml
@@ -1,7 +1,7 @@
 name: Okta IDP Lifecycle Modifications
 id: e0be2c83-5526-4219-a14f-c3db2e763d15
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml
index 3643bf20f6..44e343d505 100644
--- a/detections/application/okta_mfa_exhaustion_hunt.yml
+++ b/detections/application/okta_mfa_exhaustion_hunt.yml
@@ -1,7 +1,7 @@
 name: Okta MFA Exhaustion Hunt
 id: 97e2fe57-3740-402c-988a-76b64ce04b8d
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2025-01-21'
 author: Michael Haag, Marissa Bower, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
index 0beec24bab..d305ab358d 100644
--- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
+++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
@@ -1,7 +1,7 @@
 name: Okta Mismatch Between Source and Response for Verify Push Request
 id: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a
-version: 4
-date: '2024-11-19'
+version: 5
+date: '2025-01-21'
 author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Bhavin Patel, Splunk
 type: TTP
 status: production
diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml
index f4f0e05cf5..fbef02e3e1 100644
--- a/detections/application/okta_multi_factor_authentication_disabled.yml
+++ b/detections/application/okta_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml
index 10fd170f2e..4a83589bca 100644
--- a/detections/application/okta_multiple_accounts_locked_out.yml
+++ b/detections/application/okta_multiple_accounts_locked_out.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Accounts Locked Out
 id: a511426e-184f-4de6-8711-cfd2af29d1e1
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
index 54f3b8f689..c5659a666c 100644
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Failed MFA Requests For User
 id: 826dbaae-a1e6-4c8c-b384-d16898956e73
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
index 87a0f7cab0..66af928a39 100644
--- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml
+++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Failed Requests to Access Applications
 id: 1c21fed1-7000-4a2e-9105-5aaafa437247
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: John Murphy, Okta, Michael Haag, Splunk
 type: Hunting
 status: experimental
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
index 07964438c0..ba4d1413d8 100644
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Users Failing To Authenticate From Ip
 id: de365ffa-42f5-46b5-b43f-fa72290b8218
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml
index d3f4414d14..7a8e0e78e3 100644
--- a/detections/application/okta_new_api_token_created.yml
+++ b/detections/application/okta_new_api_token_created.yml
@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml
index 67196fa6d3..a95db4b8ce 100644
--- a/detections/application/okta_new_device_enrolled_on_account.yml
+++ b/detections/application/okta_new_device_enrolled_on_account.yml
@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 5
-date: '2024-09-30'
+version: 6
+date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
index 7b02e8bc66..8171b96c75 100644
--- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
+++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
@@ -1,7 +1,7 @@
 name: Okta Phishing Detection with FastPass Origin Check
 id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: Okta, Inc, Michael Haag, Splunk
 type: TTP
 status: experimental
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
index 68900373d0..5e36be6c59 100644
--- a/detections/application/okta_risk_threshold_exceeded.yml
+++ b/detections/application/okta_risk_threshold_exceeded.yml
@@ -1,7 +1,7 @@
 name: Okta Risk Threshold Exceeded
 id: d8b967dd-657f-4d88-93b5-c588bcd7218c
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Michael Haag, Bhavin Patel, Splunk
 status: production
 type: Correlation
diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml
index 80cb6eeb23..1c0f03def8 100644
--- a/detections/application/okta_successful_single_factor_authentication.yml
+++ b/detections/application/okta_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
 name: Okta Successful Single Factor Authentication
 id: 98f6ad4f-4325-4096-9d69-45dc8e638e82
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml
index 4e369a06d4..363f2487b6 100644
--- a/detections/application/okta_suspicious_activity_reported.yml
+++ b/detections/application/okta_suspicious_activity_reported.yml
@@ -1,7 +1,7 @@
 name: Okta Suspicious Activity Reported
 id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
index a2ae19afba..cc38b599fc 100644
--- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml
+++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
@@ -1,7 +1,7 @@
 name: Okta Suspicious Use of a Session Cookie
 id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk
 type: Anomaly
 status: production
diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml
index 8bed296449..04d5e1e5fe 100644
--- a/detections/application/okta_threatinsight_threat_detected.yml
+++ b/detections/application/okta_threatinsight_threat_detected.yml
@@ -1,7 +1,7 @@
 name: Okta ThreatInsight Threat Detected
 id: 140504ae-5fe2-4d65-b2bc-a211813fbca6
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2025-01-21'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml
index f8807b45f5..eb6bafb02b 100644
--- a/detections/application/okta_unauthorized_access_to_application.yml
+++ b/detections/application/okta_unauthorized_access_to_application.yml
@@ -1,7 +1,7 @@
 name: Okta Unauthorized Access to Application
 id: 5f661629-9750-4cb9-897c-1f05d6db8727
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml
index cd6cfac3bd..46695a6647 100644
--- a/detections/application/okta_user_logins_from_multiple_cities.yml
+++ b/detections/application/okta_user_logins_from_multiple_cities.yml
@@ -1,7 +1,7 @@
 name: Okta User Logins from Multiple Cities
 id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
index 34c499b15e..021ec93c2e 100644
--- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
+++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
@@ -1,7 +1,7 @@
 name: PingID Mismatch Auth Source and Verification Response
 id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
index da8b1353ed..cc54651de5 100644
--- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: PingID Multiple Failed MFA Requests For User
 id: c1bc706a-0025-4814-ad30-288f38865036
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
index 1387e64017..b8edaa08af 100644
--- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml
+++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
@@ -1,7 +1,7 @@
 name: PingID New MFA Method After Credential Reset
 id: 2fcbce12-cffa-4c84-b70c-192604d201d0
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml
index 21a03cd6c5..0547d0d3b2 100644
--- a/detections/application/pingid_new_mfa_method_registered_for_user.yml
+++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: PingID New MFA Method Registered For User
 id: 892dfeaf-461d-4a78-aac8-b07e185c9bce
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml
index 58095311e1..0f01351ca0 100644
--- a/detections/application/suspicious_email_attachment_extensions.yml
+++ b/detections/application/suspicious_email_attachment_extensions.yml
@@ -1,7 +1,7 @@
 name: Suspicious Email Attachment Extensions
 id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
-version: 5
-date: '2024-10-17'
+version: 6
+date: '2025-01-21'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml
index 00bcfb5e23..d97372c093 100644
--- a/detections/application/suspicious_java_classes.yml
+++ b/detections/application/suspicious_java_classes.yml
@@ -1,7 +1,7 @@
 name: Suspicious Java Classes
 id: 6ed33786-5e87-4f55-b62c-cb5f1168b831
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/web_servers_executing_suspicious_processes.yml b/detections/application/web_servers_executing_suspicious_processes.yml
index 0f57ca9a9f..728ef8c11c 100644
--- a/detections/application/web_servers_executing_suspicious_processes.yml
+++ b/detections/application/web_servers_executing_suspicious_processes.yml
@@ -1,7 +1,7 @@
 name: Web Servers Executing Suspicious Processes
 id: ec3b7601-689a-4463-94e0-c9f45638efb9
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml
index 456f1506ee..898b7fbfb8 100644
--- a/detections/application/windows_ad_add_self_to_group.yml
+++ b/detections/application/windows_ad_add_self_to_group.yml
@@ -1,7 +1,7 @@
 name: Windows AD add Self to Group
 id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_dangerous_deny_acl_modification.yml b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
index 2f77fcb284..40076288f5 100644
--- a/detections/application/windows_ad_dangerous_deny_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_deny_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Deny ACL Modification
 id: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_dangerous_group_acl_modification.yml b/detections/application/windows_ad_dangerous_group_acl_modification.yml
index f1b1d3b1ba..c6bffd639e 100644
--- a/detections/application/windows_ad_dangerous_group_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_group_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Group ACL Modification
 id: 59b0fc85-7a0d-4585-97ec-06a382801990
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_dangerous_user_acl_modification.yml b/detections/application/windows_ad_dangerous_user_acl_modification.yml
index bc562881f4..f298e0616d 100644
--- a/detections/application/windows_ad_dangerous_user_acl_modification.yml
+++ b/detections/application/windows_ad_dangerous_user_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Dangerous User ACL Modification
 id: ec5b6790-595a-4fb8-ad43-56e5b55a9617
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
index ba4ceb0477..2e4977e6c4 100644
--- a/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
+++ b/detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD DCShadow Privileges ACL Addition
 id: ae915743-1aa8-4a94-975c-8062ebc8b723
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_domain_root_acl_deletion.yml b/detections/application/windows_ad_domain_root_acl_deletion.yml
index bc48ea2acf..c4bfa9c916 100644
--- a/detections/application/windows_ad_domain_root_acl_deletion.yml
+++ b/detections/application/windows_ad_domain_root_acl_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Root ACL Deletion
 id: 3cb56e57-5642-4638-907f-8dfde9afb889
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_domain_root_acl_modification.yml b/detections/application/windows_ad_domain_root_acl_modification.yml
index 64ab06ca9c..56d121c7d2 100644
--- a/detections/application/windows_ad_domain_root_acl_modification.yml
+++ b/detections/application/windows_ad_domain_root_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Root ACL Modification
 id: 4981e2db-1372-440d-816e-3e7e2ed74433
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_gpo_deleted.yml b/detections/application/windows_ad_gpo_deleted.yml
index 568fa7954d..995e41b3d2 100644
--- a/detections/application/windows_ad_gpo_deleted.yml
+++ b/detections/application/windows_ad_gpo_deleted.yml
@@ -1,7 +1,7 @@
 name: Windows AD GPO Deleted
 id: 0d41772b-35ab-4e1c-a2ba-d0b455481aee
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_gpo_disabled.yml b/detections/application/windows_ad_gpo_disabled.yml
index 4b29627395..a694166f05 100644
--- a/detections/application/windows_ad_gpo_disabled.yml
+++ b/detections/application/windows_ad_gpo_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows AD GPO Disabled
 id: 72793bc0-c0cd-400e-9e60-fdf36f278917
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_gpo_new_cse_addition.yml b/detections/application/windows_ad_gpo_new_cse_addition.yml
index c23158ac69..4f0f4fce8f 100644
--- a/detections/application/windows_ad_gpo_new_cse_addition.yml
+++ b/detections/application/windows_ad_gpo_new_cse_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD GPO New CSE Addition
 id: 700c11d1-da09-47b2-81aa-358c143c7986
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_hidden_ou_creation.yml b/detections/application/windows_ad_hidden_ou_creation.yml
index a55e3f6241..2885f00678 100644
--- a/detections/application/windows_ad_hidden_ou_creation.yml
+++ b/detections/application/windows_ad_hidden_ou_creation.yml
@@ -1,7 +1,7 @@
 name: Windows AD Hidden OU Creation
 id: 66b6ad5e-339a-40af-b721-dacefc7bdb75
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_object_owner_updated.yml b/detections/application/windows_ad_object_owner_updated.yml
index 91bb69b83b..fb234c3f1a 100644
--- a/detections/application/windows_ad_object_owner_updated.yml
+++ b/detections/application/windows_ad_object_owner_updated.yml
@@ -1,7 +1,7 @@
 name: Windows AD Object Owner Updated
 id: 4af01f6b-d8d4-4f96-8635-758a01557130
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_privileged_group_modification.yml b/detections/application/windows_ad_privileged_group_modification.yml
index f6bfc81c31..1d45a23098 100644
--- a/detections/application/windows_ad_privileged_group_modification.yml
+++ b/detections/application/windows_ad_privileged_group_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Privileged Group Modification
 id: 187bf937-c436-4c65-bbcb-7539ffe02da1
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2025-01-21'
 author: Dean Luxton
 status: experimental
 type: TTP
diff --git a/detections/application/windows_ad_self_dacl_assignment.yml b/detections/application/windows_ad_self_dacl_assignment.yml
index 2fd5a898a6..c80ffee6da 100644
--- a/detections/application/windows_ad_self_dacl_assignment.yml
+++ b/detections/application/windows_ad_self_dacl_assignment.yml
@@ -1,7 +1,7 @@
 name: Windows AD Self DACL Assignment
 id: 16132445-da9f-4d03-ad44-56d717dcd67d
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml
index b0e713a070..df005bfae6 100644
--- a/detections/application/windows_ad_suspicious_attribute_modification.yml
+++ b/detections/application/windows_ad_suspicious_attribute_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Suspicious Attribute Modification
 id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml
index 2c8db0be84..976ed7ea7d 100644
--- a/detections/application/windows_ad_suspicious_gpo_modification.yml
+++ b/detections/application/windows_ad_suspicious_gpo_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 2
-date: '2024-10-17'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: experimental
 type: TTP
diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
index c4ec23f7d4..51f33607d6 100644
--- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml
+++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml
@@ -1,7 +1,7 @@
 name: Windows Increase in Group or Object Modification Activity
 id: 4f9564dd-a204-4f22-b375-4dfca3a68731
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml
index af72030a28..f3fcfca207 100644
--- a/detections/application/windows_increase_in_user_modification_activity.yml
+++ b/detections/application/windows_increase_in_user_modification_activity.yml
@@ -1,7 +1,7 @@
 name: Windows Increase in User Modification Activity
 id: 0995fca1-f346-432f-b0bf-a66d14e6b428
-version: 2
-date: '2024-09-30'
+version: 3
+date: '2025-01-21'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
index 6f1b33e350..01c78be576 100644
--- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml
+++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
@@ -1,7 +1,7 @@
 name: 7zip CommandLine To SMB Share Path
 id: 01d29b48-ff6f-11eb-b81e-acde48001123
-version: 4
-date: '2024-11-26'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
index 0248f25f5e..55022f84b4 100644
--- a/detections/endpoint/disable_defender_enhanced_notification.yml
+++ b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -1,7 +1,7 @@
 name: Disable Defender Enhanced Notification
 id: dc65678c-301f-11ec-8e30-acde48001122
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml
index 9d158fdd14..eb9a570618 100644
--- a/detections/endpoint/microsoft_defender_atp_alerts.yml
+++ b/detections/endpoint/microsoft_defender_atp_alerts.yml
@@ -1,7 +1,7 @@
 name: Microsoft Defender ATP Alerts
 id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
-version: 1
-date: '2024-10-30'
+version: 2
+date: '2025-01-21'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml
index 0fdef700bd..0b648b1ec0 100644
--- a/detections/endpoint/microsoft_defender_incident_alerts.yml
+++ b/detections/endpoint/microsoft_defender_incident_alerts.yml
@@ -1,7 +1,7 @@
 name: Microsoft Defender Incident Alerts
 id: 13435b55-afd8-46d4-9045-7d5457f430a5
-version: 1
-date: '2024-10-30'
+version: 2
+date: '2025-01-21'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml
index 158e3a66a5..61c3ece759 100644
--- a/detections/endpoint/windows_bitlockertogo_process_execution.yml
+++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml
@@ -1,7 +1,7 @@
 name: Windows BitLockerToGo Process Execution
 id: 68cbc9e9-2882-46f2-b636-3b5080589d58
-version: 1
-date: '2024-11-13'
+version: 2
+date: '2025-01-21'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 data_source:
 - Sysmon Event ID 1
diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
index d17dc21b22..697b12d58d 100644
--- a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
+++ b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
@@ -1,7 +1,7 @@
 name: Windows BitLockerToGo with Network Activity
 id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
-version: 1
-date: '2024-11-13'
+version: 2
+date: '2025-01-21'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 data_source:
 - Sysmon Event ID 22
diff --git a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
index cf6c7f82ed..cd4e6a6221 100644
--- a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
+++ b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials Access via VaultCli Module
 id: c0d89118-3f89-4cd7-8140-1f39e7210681
-version: 1
-date: '2024-11-29'
+version: 2
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon Event ID 7
diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
index ca11c618d5..4e1f435595 100644
--- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
+++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Configure App Install Control
 id: c54b7439-cfb1-44c3-bb35-b0409553077c
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
index f637bb20c8..14fe3afff2 100644
--- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
+++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Web Evaluation
 id: e234970c-dcf5-4f80-b6a9-3a562544ca5b
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
index 14cc95636f..89c4b37a2d 100644
--- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
+++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Override SmartScreen Prompt
 id: 08058866-7987-486f-b042-275715ef6e9d
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
index 43a809eabd..2c0acb2019 100644
--- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
+++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
@@ -1,7 +1,7 @@
 name: Windows LSA Secrets NoLMhash Registry
 id: 48cc1605-538c-4223-8382-e36bee5b540d
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index a0decd983a..028409c292 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable Restricted Admin
 id: cee573a0-7587-48e6-ae99-10e8c657e89a
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index 6e22d4b102..f0df461846 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry EnableLinkedConnections
 id: 93048164-3358-4af0-8680-aa5f38440516
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index 8638c48ff1..7906cae067 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry LongPathsEnabled
 id: 36f9626c-4272-4808-aadd-267acce681c0
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index 87b7e56d44..68eaadf694 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry NoChangingWallPaper
 id: a2276412-e254-4e9a-9082-4d92edb6a3e0
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_rdp_file_execution.yml b/detections/endpoint/windows_rdp_file_execution.yml
index b1c516d1ca..dd590dc0e6 100644
--- a/detections/endpoint/windows_rdp_file_execution.yml
+++ b/detections/endpoint/windows_rdp_file_execution.yml
@@ -1,7 +1,7 @@
 name: Windows RDP File Execution
 id: 0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4
-version: 1
-date: '2024-11-21'
+version: 2
+date: '2025-01-21'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
index cae5f229b5..f50b20c891 100644
--- a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
+++ b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
@@ -1,7 +1,7 @@
 name: Windows RDPClient Connection Sequence Events
 id: 67340df1-3f1d-4470-93c8-9ac7249d11b0
-version: 1
-date: '2024-11-21'
+version: 2
+date: '2025-01-21'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index 6916ab5cbc..2781d73827 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Certificate Added
 id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-01-21'
 author: Michael Haag, Teodeerick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index 5709162a78..6414202591 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Delete Task SD
 id: ffeb7893-ff06-446f-815b-33ca73224e92
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-21'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 37c5cf17c9..fbd1a12913 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Modification for Safe Mode Persistence
 id: c6149154-c9d8-11eb-9da7-acde48001122
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-01-21'
 author: Teoderick Contreras, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml
index d0b6fcad31..83723be901 100644
--- a/detections/endpoint/windows_runmru_command_execution.yml
+++ b/detections/endpoint/windows_runmru_command_execution.yml
@@ -1,7 +1,7 @@
 name: Windows RunMRU Command Execution
 id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
-version: 1
-date: '2024-11-08'
+version: 2
+date: '2025-01-21'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 data_source:
 - Sysmon Event ID 11