updating research.splunk.com site bits [ci skip]

splunk · Feb 24, 2024 · 89b50e1 · 89b50e1
1 parent 90be883
commit 89b50e1
Show file tree

Hide file tree

Showing 580 changed files with 598 additions and 598 deletions.
diff --git a/_posts/2017-09-23-134da869-e264-4a8f-8d7e-fcd0ec88f301.md b/_posts/2017-09-23-134da869-e264-4a8f-8d7e-fcd0ec88f301.md
@@ -98,9 +98,9 @@ This search looks for Web requests to faux domains similar to the one that you w
 
 #### Macros
 The SPL above uses the following Macros:
+* [brand_abuse_web](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_web.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
-* [brand_abuse_web](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_web.yml)
 
 > :information_source:
 > **monitor_web_traffic_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2017-09-23-24dd17b1-e2fb-4c31-878c-d4f746595bfa.md b/_posts/2017-09-23-24dd17b1-e2fb-4c31-878c-d4f746595bfa.md
@@ -100,8 +100,8 @@ This search looks for DNS requests for faux domains similar to the domains that
 #### Macros
 The SPL above uses the following Macros:
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
-* [brand_abuse_dns](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_dns.yml)
 * [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
+* [brand_abuse_dns](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_dns.yml)
 
 > :information_source:
 > **monitor_dns_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-02-23-ada0f478-84a8-4641-a3f3-d82362d6fd75.md b/_posts/2018-02-23-ada0f478-84a8-4641-a3f3-d82362d6fd75.md
@@ -112,8 +112,8 @@ This search looks for AWS CloudTrail events where an instance is started in a pa
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **ec2_instance_started_in_previously_unseen_region_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-03-12-347ec301-601b-48b9-81aa-9ddf9c829dd3.md b/_posts/2018-03-12-347ec301-601b-48b9-81aa-9ddf9c829dd3.md
@@ -107,8 +107,8 @@ This search looks for EC2 instances being created with previously unseen AMIs.
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **ec2_instance_started_with_previously_unseen_ami_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-04-16-22773e84-bac0-4595-b086-20d3f335b4f1.md b/_posts/2018-04-16-22773e84-bac0-4595-b086-20d3f335b4f1.md
@@ -122,8 +122,8 @@ This search detects new API calls that have either never been seen before or tha
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **detect_new_api_calls_from_user_roles_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-04-18-ada0f478-84a8-4641-a3f1-e32372d4bd53.md b/_posts/2018-04-18-ada0f478-84a8-4641-a3f1-e32372d4bd53.md
@@ -127,8 +127,8 @@ This search will detect users creating spikes in API activity related to securit
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_group_api_calls](https://github.com/splunk/security_content/blob/develop/macros/security_group_api_calls.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **detect_spike_in_security_group_activity_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-05-17-4d46e8bd-4072-48e4-92db-0325889ef894.md b/_posts/2018-05-17-4d46e8bd-4072-48e4-92db-0325889ef894.md
@@ -101,8 +101,8 @@ This search looks for AWS CloudTrail events where a user logged into the AWS acc
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **detect_api_activity_from_users_without_mfa_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-06-28-e6f1bb1b-f441-492b-9126-902acda217da.md b/_posts/2018-06-28-e6f1bb1b-f441-492b-9126-902acda217da.md
@@ -115,8 +115,8 @@ This search looks at S3 bucket-access logs and detects new or previously unseen
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [aws_s3_accesslogs](https://github.com/splunk/security_content/blob/develop/macros/aws_s3_accesslogs.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **detect_s3_access_from_a_new_ip_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-10-23-38cbd42c-1098-41bb-99cf-9d6d2b296d83.md b/_posts/2018-10-23-38cbd42c-1098-41bb-99cf-9d6d2b296d83.md
@@ -109,8 +109,8 @@ The following analytic detects the creation of WMI temporary event subscriptions
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **wmi_temporary_event_subscription_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2018-10-23-71bfdb13-f200-4c6c-b2c9-a2e07adf437d.md b/_posts/2018-10-23-71bfdb13-f200-4c6c-b2c9-a2e07adf437d.md
@@ -110,8 +110,8 @@ The following analytic detects the creation of permanent event subscriptions usi
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **wmi_permanent_event_subscription_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2019-02-27-98917be2-bfc8-475a-8618-a9bb06575188.md b/_posts/2019-02-27-98917be2-bfc8-475a-8618-a9bb06575188.md
@@ -111,8 +111,8 @@ This search looks for PowerShell requesting privileges consistent with credentia
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **detect_mimikatz_via_powershell_and_eventcode_4703_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2019-12-03-29e307ba-40af-4ab2-91b2-3c6b392bbba0.md b/_posts/2019-12-03-29e307ba-40af-4ab2-91b2-3c6b392bbba0.md
@@ -112,8 +112,8 @@ This search looks for reading loaded Images unique to credential dumping with Mi
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [sysmon](https://github.com/splunk/security_content/blob/develop/macros/sysmon.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **detect_mimikatz_using_loaded_images_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2019-12-06-56ef054c-76ef-45f9-af4a-a634695dcd65.md b/_posts/2019-12-06-56ef054c-76ef-45f9-af4a-a634695dcd65.md
@@ -107,8 +107,8 @@ This search detects loading of unsigned images by LSASS. Deprecated because too
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [sysmon](https://github.com/splunk/security_content/blob/develop/macros/sysmon.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **unsigned_image_loaded_by_lsass_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2019-12-06-67d4dbef-9564-4699-8da8-03a151529edc.md b/_posts/2019-12-06-67d4dbef-9564-4699-8da8-03a151529edc.md
@@ -108,8 +108,8 @@ The following analytic detects the creation of a remote thread in the Local Secu
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [sysmon](https://github.com/splunk/security_content/blob/develop/macros/sysmon.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **create_remote_thread_into_lsass_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-02-03-b2fbe95a-9c62-4c12-8a29-24b97e84c0cd.md b/_posts/2020-02-03-b2fbe95a-9c62-4c12-8a29-24b97e84c0cd.md
@@ -108,8 +108,8 @@ Detect the hands on keyboard behavior of Windows Task Manager creating a process
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [sysmon](https://github.com/splunk/security_content/blob/develop/macros/sysmon.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **creation_of_lsass_dump_with_taskmgr_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-02-07-65541c80-03c7-4e05-83c8-1dcd57a2e1ad.md b/_posts/2020-02-07-65541c80-03c7-4e05-83c8-1dcd57a2e1ad.md
@@ -109,8 +109,8 @@ This search looks for EC2 instances being created with previously unseen instanc
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **ec2_instance_started_with_previously_unseen_instance_type_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-04-15-294c4686-63dd-4fe6-93a2-ca807626704a.md b/_posts/2020-04-15-294c4686-63dd-4fe6-93a2-ca807626704a.md
@@ -107,8 +107,8 @@ This search provides information of unauthenticated requests via user agent, and
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [aws_cloudwatchlogs_eks](https://github.com/splunk/security_content/blob/develop/macros/aws_cloudwatchlogs_eks.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **amazon_eks_kubernetes_cluster_scan_detection_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-04-15-dbfca1dd-b8e5-4ba4-be0e-e565e5d62002.md b/_posts/2020-04-15-dbfca1dd-b8e5-4ba4-be0e-e565e5d62002.md
@@ -107,8 +107,8 @@ The following analytic detects unauthenticated requests made against the Kuberne
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [aws_cloudwatchlogs_eks](https://github.com/splunk/security_content/blob/develop/macros/aws_cloudwatchlogs_eks.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **amazon_eks_kubernetes_pod_scan_detection_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-06-ad517544-aff9-4c96-bd99-d6eb43bfbb6a.md b/_posts/2020-07-06-ad517544-aff9-4c96-bd99-d6eb43bfbb6a.md
@@ -108,9 +108,9 @@ The following analytic utilizes Windows Security Event ID 1102 or System log eve
 
 #### Macros
 The SPL above uses the following Macros:
+* [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [wineventlog_system](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_system.yml)
-* [wineventlog_security](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_security.yml)
 
 > :information_source:
 > **windows_event_log_cleared_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-134da869-e264-4a8f-8d7e-fcd01c18f301.md b/_posts/2020-07-21-134da869-e264-4a8f-8d7e-fcd01c18f301.md
@@ -109,9 +109,9 @@ This search looks for web connections to dynamic DNS providers.
 
 #### Macros
 The SPL above uses the following Macros:
+* [dynamic_dns_web_traffic](https://github.com/splunk/security_content/blob/develop/macros/dynamic_dns_web_traffic.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
-* [dynamic_dns_web_traffic](https://github.com/splunk/security_content/blob/develop/macros/dynamic_dns_web_traffic.yml)
 
 > :information_source:
 > **detect_web_traffic_to_dynamic_domain_providers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-22773e84-bac0-4595-b086-20d3f735b4f1.md b/_posts/2020-07-21-22773e84-bac0-4595-b086-20d3f735b4f1.md
@@ -122,8 +122,8 @@ This search looks for EC2 instances being created by users who have not created
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **ec2_instance_started_with_previously_unseen_user_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-24dd17b1-e2fb-4c31-878c-d4f226595bfa.md b/_posts/2020-07-21-24dd17b1-e2fb-4c31-878c-d4f226595bfa.md
@@ -122,13 +122,13 @@ This search looks for DNS requests for phishing domains that are leveraging Evil
 #### Macros
 The SPL above uses the following Macros:
 * [evilginx_phishlets_google](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_google.yml)
-* [evilginx_phishlets_outlook](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_outlook.yml)
+* [evilginx_phishlets_facebook](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_facebook.yml)
+* [evilginx_phishlets_amazon](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_amazon.yml)
 * [evilginx_phishlets_aws](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_aws.yml)
-* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
-* [evilginx_phishlets_github](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_github.yml)
 * [evilginx_phishlets_0365](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_0365.yml)
-* [evilginx_phishlets_amazon](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_amazon.yml)
-* [evilginx_phishlets_facebook](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_facebook.yml)
+* [evilginx_phishlets_github](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_github.yml)
+* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
+* [evilginx_phishlets_outlook](https://github.com/splunk/security_content/blob/develop/macros/evilginx_phishlets_outlook.yml)
 
 > :information_source:
 > **detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-56f91724-cf3f-4666-84e1-e3712fb41e76.md b/_posts/2020-07-21-56f91724-cf3f-4666-84e1-e3712fb41e76.md
@@ -123,8 +123,8 @@ This search looks for EC2 instances being modified by users who have not previou
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [ec2_modification_api_calls](https://github.com/splunk/security_content/blob/develop/macros/ec2_modification_api_calls.yml)
 
 > :information_source:

diff --git a/_posts/2020-07-21-7594fa07-9f34-4d01-81cc-d6af6a5db9e8.md b/_posts/2020-07-21-7594fa07-9f34-4d01-81cc-d6af6a5db9e8.md
@@ -119,8 +119,8 @@ This search detects logins from the same user from different cities in a 24 hour
 
 #### Macros
 The SPL above uses the following Macros:
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [okta](https://github.com/splunk/security_content/blob/develop/macros/okta.yml)
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **okta_user_logins_from_multiple_cities_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-823136f2-d755-4b6d-ae04-372b486a5808.md b/_posts/2020-07-21-823136f2-d755-4b6d-ae04-372b486a5808.md
@@ -112,8 +112,8 @@ This search looks for the first and last time a Windows service is seen running
 
 #### Macros
 The SPL above uses the following Macros:
-* [wineventlog_system](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_system.yml)
 * [previously_seen_windows_services_window](https://github.com/splunk/security_content/blob/develop/macros/previously_seen_windows_services_window.yml)
+* [wineventlog_system](https://github.com/splunk/security_content/blob/develop/macros/wineventlog_system.yml)
 
 > :information_source:
 > **first_time_seen_running_windows_service_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-9be56c82-b1cc-4318-87eb-d138afaaca39.md b/_posts/2020-07-21-9be56c82-b1cc-4318-87eb-d138afaaca39.md
@@ -110,9 +110,9 @@ This search looks for PowerShell processes started with parameters used to bypas
 
 #### Macros
 The SPL above uses the following Macros:
+* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 * [process_powershell](https://github.com/splunk/security_content/blob/develop/macros/process_powershell.yml)
 * [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
-* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
 
 > :information_source:
 > **malicious_powershell_process_-_execution_policy_bypass_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

diff --git a/_posts/2020-07-21-ada0f478-84a8-4641-a3f1-d82362d4bd55.md b/_posts/2020-07-21-ada0f478-84a8-4641-a3f1-d82362d4bd55.md
@@ -120,8 +120,8 @@ This search looks for successful AWS CloudTrail activity by user accounts that a
 
 #### Macros
 The SPL above uses the following Macros:
-* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 * [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
+* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
 
 > :information_source:
 > **detect_aws_api_activities_from_unapproved_accounts_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.