Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Deprecated analytics from ESCU versions 5.2.0 and higher

Some detections and analytic stories from Splunk Enterprise Security Content Update (ESCU) versions 5.2.0 and higher are marked for deprecation and can be deleted from the ESCU app. Deprecating these detections might impact your environment if any of them are enabled there.

Dashboard to assist tracking deprecated detections

Use the Deprecation Assistant dashboard for a comprehensive overview of all deprecated ESCU detections that are enabled in your Splunk environment. Monitoring this dashboard helps you keep your security posture robust by identifying outdated content and updating or replacing it in time to maintain threat detection coverage.

Potential impact of deprecated detections

  • Deprecated detections can be removed from the following location: DA-ESS-ContentUpdate/default/savedsearches.conf.
  • Edited detections might stop functioning if the base detection is removed and if the search parameter was not modified or saved in your local configuration. Edited detections with saved search parameters can continue to function.
  • The Job Scheduler might display errors with the message: Alert is invalid.
  • Detections might disappear from the Content Management page.
  • When a detection is removed from DA-ESS-ContentUpdate/default/savedsearches.conf, partial configurations in DA-ESS-ContentUpdate/local/savedsearches.conf might be orphaned.
  • The Correlation Search Editor might fail to load deprecated detections.
  • The Job Scheduler might report errors for deprecated detections even if they appear to be enabled in the user interface.

Required actions if you are using deprecated detections

If you are using deprecated detections, perform the following actions:

  • Review all the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
  • Ensure that you have a full copy of the detection, including all knowledge objects such as lookups and macros, by cloning it in your Splunk environment before installing ESCU version 5.2.0 or higher.

Risk mitigation: Clone and preserve deprecated detections

Follow these steps to clone deprecated detections before upgrading the app to avoid losing important updates and ensure the smooth management of deprecated detections:

  • Identify the deprecated detections by reviewing the release notes.
  • Identify the list of deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
  • Create a clone of the deprecated detections under a new name and ensure that these cloned detections do not conflict with future updates of the ESCU app.
  • Modify the titles and other app metadata, for example by adding a note to the description that explains the detection's history and the reason for retaining it.
  • Identify and back up the lookups and macros that are used by each enabled deprecated detection. This applies especially to the filter macros, which are denoted by the `_filter` suffix and are typically called at the end of a search: a missing macro prevents the search from running.
  • Adjust permissions if the deprecated detection is shared across the app or globally and ensure that the cloned search retains the appropriate sharing permissions.
  • Verify that the cloned searches work correctly before upgrading the app.
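The orphaning problem from the impact list above (a local stanza whose default base stanza was removed) and the missing `_filter` macro problem from the cloning steps can both be checked from the .conf files themselves. The following Python script is an added example, not Splunk documentation or ESCU app code; it reads constructed samples of DA-ESS-ContentUpdate/default/savedsearches.conf, local/savedsearches.conf and macros.conf (in a real deployment, read the files under $SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/) and assumes a simplified .conf format with no multi-line continuations.

```python
import re
# Constructed samples, not real ESCU file content. default/savedsearches.conf after an upgrade removed "ESCU - Excel Spawning PowerShell - Rule":
DEFAULT_CONF = """
[ESCU - Windows Office Product Spawned Uncommon Process - Rule]
search = | tstats count from datamodel=Endpoint.Processes by Processes.dest | `windows_office_product_spawned_uncommon_process_filter`
disabled = 1
"""
# local/savedsearches.conf: an enable-only override of the removed detection (orphaned, breaks) and a clone that saved its own search (keeps working):
LOCAL_CONF = """
[ESCU - Excel Spawning PowerShell - Rule]
disabled = 0
[Custom - Excel Spawning PowerShell (retained) - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" by Processes.dest | `excel_spawning_powershell_filter`
disabled = 0
"""
# macros.conf: the removed detection's _filter macro went away with it:
MACROS_CONF = """
[windows_office_product_spawned_uncommon_process_filter]
definition = search *
"""

def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza] headers and key = value lines, no continuations."""
    conf, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conf

def orphaned_local_stanzas(default, local):
    """Local stanzas with no default base: 'broken' if they only override settings."""
    out = {"broken": [], "self_contained": []}
    for name, settings in local.items():
        if name not in default:
            out["self_contained" if "search" in settings else "broken"].append(name)
    return out

def missing_filter_macros(default, local, macros):
    """Enabled searches (local over default) calling a `*_filter` macro macros.conf lacks."""
    missing = {}
    for name in set(default) | set(local):
        merged = {**default.get(name, {}), **local.get(name, {})}
        if merged.get("disabled", "0") == "0":
            for macro in re.findall(r"`(\w+_filter)`", merged.get("search", "")):
                if macro not in macros:
                    missing.setdefault(name, []).append(macro)
    return missing
```

Run the two checks before and after the upgrade: anything listed under "broken" needs a clone with its own search string, and anything listed by missing_filter_macros needs its filter macro restored from the backup.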

Replacements for detections are provided as necessary. However, a replacement for every detection might not be available.

List of removed detections in ESCU version 5.2.0

Following is a list of removed detections and replacement detections, where applicable:

Removed detection | Replacement detection
ASL AWS CreateAccessKey | ASL AWS Create Access Key
ASL AWS Excessive Security Scanning | NA
ASL AWS Password Policy Changes | NA
AWS Cloud Provisioning From Previously Unseen City | Cloud Provisioning Activity From Previously Unseen City
AWS Cloud Provisioning From Previously Unseen Country | Cloud Provisioning Activity From Previously Unseen Country
AWS Cloud Provisioning From Previously Unseen IP Address | Cloud Provisioning Activity From Previously Unseen IP Address
AWS Cloud Provisioning From Previously Unseen Region | Cloud Provisioning Activity From Previously Unseen Region
AWS EKS Kubernetes cluster sensitive object access | Kubernetes Abuse of Secret by Unusual Location
Abnormally High AWS Instances Launched by User - MLTK | NA
Abnormally High AWS Instances Launched by User | Abnormally High Number Of Cloud Instances Launched
Abnormally High AWS Instances Terminated by User - MLTK | NA
Abnormally High AWS Instances Terminated by User | Abnormally High Number Of Cloud Instances Destroyed
Account Discovery With Net App | Windows Excessive Usage Of Net App
Attempt To Stop Security Service | Windows Attempt To Stop Security Service
Attempted Credential Dump From Registry via Reg exe | Windows Sensitive Registry Hive Dump Via CommandLine
Change Default File Association | Windows New Default File Association Value Set
Clients Connecting to Multiple DNS Servers | NA
Cmdline Tool Not Executed In CMD Shell | Windows Cmdline Tool Execution From Non-Shell Process
Cloud Network Access Control List Deleted | AWS Network Access Control List Deleted
Correlation by Repository and Risk | Risk Rule for Dev Sec Ops by Repository
Correlation by User and Risk | Risk Rule for Dev Sec Ops by Repository
Create local admin accounts using net exe | Windows Create Local Administrator Account Via Net
DNS Query Requests Resolved by Unauthorized DNS Servers | NA
DNS record changed | NA
Deleting Of Net Users | Windows User Deletion Via Net
Detect API activity from users without MFA | AWS Successful Single-Factor Authentication
Detect AWS API Activities From Unapproved Accounts | NA
Detect Activity Related to Pass the Hash Attacks | NA
Detect Critical Alerts from Security Tools | Microsoft Defender ATP Alerts
Detect DNS requests to Phishing Sites leveraging EvilGinx2 | NA
Detect Long DNS TXT Record Response | NA
Detect Mimikatz Using Loaded Images | NA
Detect Mimikatz Via PowerShell And EventCode 4703 | Detect Mimikatz With PowerShell Script Block Logging
Detect Spike in AWS API Activity | NA
Detect Spike in Network ACL Activity | Abnormally High Number Of Cloud Infrastructure API Calls
Detect Spike in Security Group Activity | Abnormally High Number Of Cloud Security Group API Calls
Detect USB device insertion | NA
Detect Webshell Exploit Behavior | Windows Suspicious Child Process Spawned From WebServer
Detect new API calls from user roles | Cloud API Calls From Previously Unseen User Roles
Detect new user AWS Console Login | Detect AWS Console Login by New User
Detect processes used for System Network Configuration Discovery | Potential System Network Configuration Discovery Activity
Detect web traffic to dynamic domain providers | Detect hosts connecting to dynamic domain providers
Detection of DNS Tunnels | NA
Disabling Net User Account | Windows User Disabled Via Net
Domain Account Discovery With Net App | Windows User Discovery Via Net
Domain Group Discovery With Net | Windows Group Discovery Via Net
Dump LSASS via procdump Rename | Dump LSASS via procdump
EC2 Instance Modified With Previously Unseen User | Cloud API Calls From Previously Unseen User Roles
EC2 Instance Started In Previously Unseen Region | Cloud Compute Instance Created In Previously Unused Region
EC2 Instance Started With Previously Unseen AMI | Cloud Compute Instance Created With Previously Unseen Image
EC2 Instance Started With Previously Unseen Instance Type | Cloud Compute Instance Created With Previously Unseen Instance Type
EC2 Instance Started With Previously Unseen User | Cloud Compute Instance Created By Previously Unseen User
Elevated Group Discovery With Net | Windows Sensitive Group Discovery With Net
Excel Spawning PowerShell | Windows Office Product Spawned Uncommon Process
Excel Spawning Windows Script Host | NA
Excessive Service Stop Attempt | Windows Excessive Service Stop Attempt
Excessive Usage Of Net App | Windows Excessive Usage Of Net App
Execution of File With Spaces Before Extension | Execution of File with Multiple Extensions
Extended Period Without Successful Netbackup Backups | NA
Extraction of Registry Hives | Windows Sensitive Registry Hive Dump Via CommandLine
First time seen command line argument | NA
GCP Detect accounts with high risk roles by project | NA
GCP Detect high risk permissions by resource and account | NA
GCP Kubernetes cluster scan detection | Kubernetes Scanning by Unauthenticated IP Address
Identify New User Accounts | NA
Kubernetes AWS detect RBAC authorization by account | NA
Kubernetes AWS detect most active service accounts by pod | NA
Kubernetes AWS detect sensitive role access | NA
Kubernetes AWS detect service accounts forbidden failure access | NA
Kubernetes Azure active service accounts by pod namespace | NA
Kubernetes Azure detect RBAC authorization by account | NA
Kubernetes Azure detect sensitive object access | NA
Kubernetes Azure detect sensitive role access | NA
Kubernetes Azure detect service accounts forbidden failure access | NA
Kubernetes Azure detect suspicious kubectl calls | NA
Kubernetes Azure pod scan fingerprint | NA
Kubernetes Azure scan fingerprint | NA
Kubernetes GCP detect RBAC authorizations by account | NA
Kubernetes GCP detect most active service accounts by pod | NA
Kubernetes GCP detect sensitive object access | NA
Kubernetes GCP detect sensitive role access | NA
Kubernetes GCP detect service accounts forbidden failure access | NA
Kubernetes GCP detect suspicious kubectl calls | NA
Linux Auditd Find Private Keys | Linux Auditd Private Keys and Certificate Enumeration
Local Account Discovery with Net | Windows User Discovery Via Net
MSHTML Module Load in Office Product | Windows Office Product Loaded MSHTML Module
Monitor DNS For Brand Abuse | NA
Multiple Okta Users With Invalid Credentials From The Same IP | Okta Multiple Users Failing To Authenticate From Ip
Net Localgroup Discovery | Windows Group Discovery Via Net
Network Connection Discovery With Net | Windows Network Connection Discovery Via Net
O365 Suspicious Admin Email Forwarding | O365 Mailbox Email Forwarding Enabled
Suspicious Rights Delegation | O365 Elevated Mailbox Permission Assigned
O365 Suspicious User Email Forwarding | O365 Mailbox Email Forwarding Enabled
Office Application Drop Executable | Windows Office Product Dropped Uncommon File
Office Application Spawn Regsvr32 process | Windows Office Product Spawned Uncommon Process
Office Application Spawn rundll32 process | Windows Office Product Spawned Uncommon Process
Office Document Creating Schedule Task | Windows Office Product Loading Taskschd DLL
Office Document Executing Macro Code | Windows Office Product Loading VBE7 DLL
Office Document Spawned Child Process To Download | Windows Office Product Spawned Child Process For Download
Office Product Spawn CMD Process | Windows Office Product Spawned Uncommon Process
Office Product Spawning BITSAdmin | Windows Office Product Spawned Uncommon Process
Office Product Spawning CertUtil | Windows Office Product Spawned Uncommon Process
Office Product Spawning MSHTA | Windows Office Product Spawned Uncommon Process
Office Product Spawning Rundll32 with no DLL | Windows Office Product Spawned Rundll32 With No DLL
Office Product Spawning Windows Script Host | Windows Office Product Spawned Uncommon Process
Office Product Spawning Wmic | Windows Office Product Spawned Uncommon Process
Office Product Writing cab or inf | Windows Office Product Dropped Cab or Inf File
Office Spawning Control | Windows Office Product Spawned Control
Okta Account Locked Out | Okta Multiple Accounts Locked Out
Okta Account Lockout Events | Okta Multiple Accounts Locked Out
Okta Failed SSO Attempts | Okta Unauthorized Access to Application
Okta ThreatInsight Login Failure with High Unknown users | NA
Okta ThreatInsight Suspected PasswordSpray Attack | Okta ThreatInsight Threat Detected
Okta Two or More Rejected Okta Pushes | Okta Multiple Failed MFA Requests For User
Open Redirect in Splunk Web | NA
Osquery pack - ColdRoot detection | NA
Password Policy Discovery with Net | Windows Password Policy Discovery with Net
Processes created by netsh | Processes launching netsh
Prohibited Software On Endpoint | Attacker Tools On Endpoint
Reg exe used to hide files directories via registry keys | NA
Remote Registry Key modifications | NA
Remote System Discovery with Net | Windows Sensitive Group Discovery With Net
Scheduled tasks used in BadRabbit ransomware | Scheduled Task Deleted Or Created via CMD
Spectre and Meltdown Vulnerable Systems | NA
Splunk Enterprise Information Disclosure | NA
Suspicious Changes to File Associations | NA
Suspicious Email - UBA Anomaly | NA
Suspicious File Write | NA
Suspicious Powershell Command-Line Arguments | Attacker Tools On Endpoint
Suspicious Rundll32 Rename | NA
Suspicious writes to System Volume Information | NA
Uncommon Processes On Endpoint | Attacker Tools On Endpoint
Unsigned Image Loaded by LSASS | NA
Unsuccessful Netbackup backups | NA
Web Fraud - Account Harvesting | NA
Web Fraud - Anomalous User Clickspeed | NA
Web Fraud - Password Sharing Across Accounts | NA
Windows Command Shell Fetch Env Variables | Windows List ENV Variables Via SET Command From Uncommon Parent
Windows DLL Search Order Hijacking Hunt | Windows DLL Search Order Hijacking Hunt with Sysmon
Windows Lateral Tool Transfer RemCom | Windows Service Execution RemCom
Windows MSIExec With Network Connections | Windows HTTP Network Communication From MSIExec
Windows Modify Registry Reg Restore | Windows Registry Entries Restored Via Reg
Windows Network Share Interaction With Net | Windows Network Share Interaction Via Net
Windows Office Product Spawning MSDT | Windows Office Product Spawned MSDT
Windows Query Registry Reg Save | Windows Registry Entries Exported Via Reg
Windows Service Stop Via Net and SC Application | NA
Windows Valid Account With Never Expires Password | Windows Set Account Password Policy To Unlimited Via Net
Windows connhost exe started forcefully | NA
Windows hosts file modification | NA
Winword Spawning Cmd | Windows Office Product Spawned Uncommon Process
Winword Spawning PowerShell | Windows Office Product Spawned Uncommon Process
Winword Spawning Windows Script Host | Windows Office Product Spawned Uncommon Process
gcp detect oauth token abuse | NA

List of detections scheduled for removal in ESCU version 5.4.0

  1. AWS SAML Access by Provider User and Principal
  2. GitHub Actions Disable Security Workflow
  3. aws detect permanent key creation
  4. Github Commit In Develop
  5. Suspicious Driver Loaded Path
  6. Known Services Killed by Ransomware
  7. Github Commit Changes In Master
  8. GitHub Pull Request from Unknown User
  9. Suspicious Event Log Service Behavior
  10. Suspicious Process File Path
  11. aws detect attach to role policy
  12. GitHub Dependabot Alert
  13. aws detect sts get session token abuse
  14. aws detect role creation
  15. aws detect sts assume role abuse
  16. AWS Cross Account Activity From Previously Unseen Account
  17. Remote Desktop Network Bruteforce
Last modified on 24 March, 2025

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.2.0

