This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

Commit

updating research.splunk.com site bits [ci skip]
publish bot committed Mar 7, 2024
1 parent 66def90 commit 09ff98d
Showing 1,071 changed files with 1,172 additions and 1,175 deletions.
7 changes: 2 additions & 5 deletions _pages/aws_iam.md
@@ -1,5 +1,5 @@
---
title: AWS IAM
title: aws_iam
layout: tag
author_profile: false
classes: wide
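Review bot: the `title` front-matter value changes from the display name `AWS IAM` to the slug `aws_iam`, and with `layout: tag` that value is the most likely source of the visible page heading, so readers would see a machine-style identifier instead of "AWS IAM". If the slug is needed to match the SOAR app key used in the playbook tables, consider keeping a human-readable title alongside it (or confirm the tag layout derives its heading from somewhere other than `title`).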
Expand All @@ -10,7 +10,4 @@ sidebar:

| Name | SOAR App | D3FEND | Use Case |
| --------| ---------- | ----------- | ----------- |
| [AWS Disable User Accounts](/playbooks/aws_disable_user_accounts/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar)| | |
| [AWS Find Inactive Users](/playbooks/aws_find_inactive_users/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar), [Phantom](https://splunkbase.splunk.com/apps?keyword=phantom&filters=product%3Asoar)| | |
| [AWS IAM Account Locking](/playbooks/aws_iam_account_locking/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar)| [Account Locking](https://d3fend.mitre.org/technique/d3f:AccountLocking)| [Phishing](/playbooks/phishing), [Endpoint](/playbooks/endpoint)|
| [AWS IAM Account Unlocking](/playbooks/aws_iam_account_unlocking/)| [AWS IAM](https://splunkbase.splunk.com/apps?keyword=aws+iam&filters=product%3Asoar)| | |
| [Active Directory Enable Account Dispatch](/playbooks/active_directory_enable_account_dispatch/)| [microsoft_ad_ldap](https://splunkbase.splunk.com/apps?keyword=microsoft_ad_ldap&filters=product%3Asoar), [azure_ad_graph](https://splunkbase.splunk.com/apps?keyword=azure_ad_graph&filters=product%3Asoar), [aws_iam](https://splunkbase.splunk.com/apps?keyword=aws_iam&filters=product%3Asoar)| | |
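Review bot: the hunk header `@@ -10,7 +10,4 @@` shrinks this table from four playbook rows to one, but the rendered view does not mark which rows are removed and which is added; the only row consistent with the renamed `aws_iam` tag is the Active Directory Enable Account Dispatch row, whose SOAR App column uses the `aws_iam` key, while the four rows that link the `AWS IAM` app (AWS Disable User Accounts, AWS Find Inactive Users, AWS IAM Account Locking, AWS IAM Account Unlocking) appear to be dropped. Check that those four playbooks still land on some tag page after the rename; otherwise the change orphans the AWS IAM response content, including the one row that carried a D3FEND mapping (Account Locking) and use-case links.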
2 changes: 1 addition & 1 deletion _posts/2017-01-07-354be8e0-32cd-4da0-8c47-796de13b60ea.md
Expand Up @@ -99,8 +99,8 @@ The search is used to detect systems that are still vulnerable to the Spectre an

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **spectre_and_meltdown_vulnerable_systems_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
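Review bot: the only change in this hunk is the order of the two macro bullets (`security_content_summariesonly` moves from first to last with `security_content_ctime` otherwise untouched), and the same flip repeats across the 1,071 files in this commit, which points to the site generator emitting the macro list in unsorted set or dict iteration order. Sort the macro names before rendering (or preserve the order from the detection's YAML) so publish runs are deterministic and a content change is not buried in a thousand files of churn.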
2 changes: 1 addition & 1 deletion _posts/2017-09-12-a34aae96-ccf8-4aaa-952c-3ea21444444f.md
Expand Up @@ -99,8 +99,8 @@ This search gives you the hosts where a backup was attempted and then failed.

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [netbackup](https://github.com/splunk/security_content/blob/develop/macros/netbackup.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **unsuccessful_netbackup_backups_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
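Review bot: the unchanged context line "is a empty macro by default" reads as a template string that every generated page in this commit repeats; it should be "is an empty macro by default", and since the grammar error is in the generator template rather than in any one post, fixing it there would correct all of these pages in a single publish run.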
2 changes: 1 addition & 1 deletion _posts/2017-09-12-a34aae96-ccf8-4aef-952c-3ea214444440.md
Expand Up @@ -100,8 +100,8 @@ This search returns a list of hosts that have not successfully completed a backu

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [netbackup](https://github.com/splunk/security_content/blob/develop/macros/netbackup.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **extended_period_without_successful_netbackup_backups_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-12-bce3ed7c-9b1f-42a0-abdf-d8b123a34836.md
Expand Up @@ -100,8 +100,8 @@ The search queries the authentication logs for assets that are categorized as ro

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **detect_new_login_attempts_to_routers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-15-1a77c08c-2f56-409c-a2d3-7d64617edd4f.md
Expand Up @@ -103,8 +103,8 @@ This search looks for Windows endpoints that have not generated an event indicat

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **no_windows_updates_in_a_time_frame_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-23-104658f4-afdc-499e-9719-17243f982681.md
Expand Up @@ -115,8 +115,8 @@ This search looks for specific GET or HEAD requests to web servers that are indi

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **detect_attackers_scanning_for_vulnerable_jboss_servers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-23-134da869-e264-4a8f-8d7e-fcd0ec88f301.md
Expand Up @@ -98,9 +98,9 @@ This search looks for Web requests to faux domains similar to the one that you w

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [brand_abuse_web](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_web.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **monitor_web_traffic_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
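Review bot: with three macros in play here, only `security_content_summariesonly` moves (from first to last) while `brand_abuse_web` and `security_content_ctime` keep their relative position, so the reordering is not a consistent alphabetical sort either; whatever ordering the generator settles on, it should be the same one applied to the two-macro pages elsewhere in this commit so that macro lists are stable from one publish to the next.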
2 changes: 1 addition & 1 deletion _posts/2017-09-23-24dd17b1-e2fb-4c31-878c-d4f746595bfa.md
Expand Up @@ -99,9 +99,9 @@ This search looks for DNS requests for faux domains similar to the domains that

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [brand_abuse_dns](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_dns.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **monitor_dns_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-23-c8bff7a4-11ea-4416-a27d-c5bca472913d.md
Expand Up @@ -100,8 +100,8 @@ This search is used to detect malicious HTTP requests crafted to exploit jmx-con

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **detect_malicious_requests_to_exploit_jboss_servers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-11-27-104658f4-afdc-499f-9719-17a43f9826f5.md
Expand Up @@ -100,8 +100,8 @@ The search is used to detect hosts that generate Windows Event ID 4663 for succe

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **detect_usb_device_insertion_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-01-05-b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8.md
Expand Up @@ -103,8 +103,8 @@ This search looks for emails claiming to be sent from a domain similar to one th

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **monitor_email_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-04-18-ada0f478-84a8-4641-a3f1-e32372d4bd53.md
Expand Up @@ -127,8 +127,8 @@ This search will detect users creating spikes in API activity related to securit

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [security_group_api_calls](https://github.com/splunk/security_content/blob/develop/macros/security_group_api_calls.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **detect_spike_in_security_group_activity_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-05-21-ada0f478-84a8-4641-a1f1-e32372d4bd53.md
Expand Up @@ -122,8 +122,8 @@ This search will detect users creating spikes in API activity related to network

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [network_acl_events](https://github.com/splunk/security_content/blob/develop/macros/network_acl_events.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **detect_spike_in_network_acl_activity_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-06-01-e9c102de-4d43-42a7-b1c8-8062ea297419.md
Expand Up @@ -109,8 +109,8 @@ This search looks for outbound ICMP packets with a packet size larger than 1,000

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **detect_large_outbound_icmp_packets_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-06-28-e6f1bb1b-f441-492b-9126-902acda217da.md
Expand Up @@ -115,8 +115,8 @@ This search looks at S3 bucket-access logs and detects new or previously unseen

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [aws_s3_accesslogs](https://github.com/splunk/security_content/blob/develop/macros/aws_s3_accesslogs.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_s3_access_from_a_new_ip_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-10-23-38cbd42c-1098-41bb-99cf-9d6d2b296d83.md
Expand Up @@ -109,8 +109,8 @@ The following analytic detects the creation of WMI temporary event subscriptions

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **wmi_temporary_event_subscription_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-10-23-71bfdb13-f200-4c6c-b2c9-a2e07adf437d.md
Expand Up @@ -110,8 +110,8 @@ The following analytic detects the creation of permanent event subscriptions usi

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **wmi_permanent_event_subscription_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-11-02-06a6fc63-a72d-41dc-8736-7e3dd9612116.md
Expand Up @@ -100,8 +100,8 @@ The search looks for modifications to the hosts file on all Windows endpoints ac

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **windows_hosts_file_modification_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-03-b6e0ff70-b122-4227-9368-4cf322ab43c3.md
Expand Up @@ -107,8 +107,8 @@ The fsutil.exe application is a legitimate Windows utility used to perform tasks

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **usn_journal_deletion_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-06-6ed33786-5e87-4f55-b62c-cb5f1168b831.md
Expand Up @@ -99,8 +99,8 @@ This search looks for suspicious Java classes that are often used to exploit rem

#### Macros
The SPL above uses the following Macros:
* [stream_http](https://github.com/splunk/security_content/blob/develop/macros/stream_http.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [stream_http](https://github.com/splunk/security_content/blob/develop/macros/stream_http.yml)

> :information_source:
> **suspicious_java_classes_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-14-02c6cfc2-ae66-4735-bfc7-6291da834cbf.md
Expand Up @@ -98,8 +98,8 @@ The following analytic detects file writes with extensions that are consistent w

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **file_with_samsam_extension_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-14-493a879d-519d-428f-8f57-a06a0fdc107e.md
Expand Up @@ -106,8 +106,8 @@ The search looks for a file named "test.txt" written to the windows syst

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **samsam_test_file_write_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2019-02-27-61a7d1e6-f5d4-41d9-a9be-39a1ffe69459.md
Expand Up @@ -110,8 +110,8 @@ The search looks for command-line arguments used to hide a file or directory usi

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **reg_exe_used_to_hide_files_directories_via_registry_keys_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2019-02-27-98917be2-bfc8-475a-8618-a9bb06575188.md
Expand Up @@ -111,8 +111,8 @@ This search looks for PowerShell requesting privileges consistent with credentia

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_mimikatz_via_powershell_and_eventcode_4703_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2019-04-01-ec3b7601-689a-4463-94e0-c9f45638efb9.md
Expand Up @@ -108,8 +108,8 @@ The following analytic detects suspicious processes on systems labeled as web se

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **web_servers_executing_suspicious_processes_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
0 comments on commit 09ff98d
