Deprecated analytics from ESCU versions 5.2.0 and higher

Some detections and analytic stories from Splunk Enterprise Security Content Update (ESCU) versions 5.2.0 and higher are marked for deprecation and can be deleted from the ESCU app. Deprecating these detections might impact your environment if these detections are enabled in your environment.

Dashboard to assist tracking deprecated detections

Use the Deprecation Assistant dashboard for a comprehensive overview of all deprecated ESCU detections that are enabled within your Splunk environment. Monitoring this dashboard helps to ensure that your security posture is robust by identifying outdated content and making timely updates or replacements to maintain optimal threat detection capabilities.

Potential impact of deprecated detections

• Deprecated detections can be removed from the following location: DA-ESS-ContentUpdate/default/savedsearches.conf.
• Edited detections might stop functioning if the base detection is removed and if the search parameter was not modified or saved in your local configuration. Edited detections with saved search parameters can continue to function.
• The Job Scheduler might display errors with the message: Alert is invalid
• Detections might disappear from the Content Management page.
• When a detection is removed from DA-ESS-ContentUpdate/default/savedsearches.conf, partial configurations in DA-ESS-ContentUpdate/local/savedsearches.conf might be orphaned.
• The Correlation Search Editor might fail to load deprecated detections.
• The Job Scheduler might report errors for deprecated detections even if they appear to be enabled in the user interface.

Required actions if you are using deprecated detections

If you are using deprecated detections, perform the following actions:

• Review all the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
• Ensure you have a full copy of the detection including all knowledge objects such as lookups and macros by cloning it in your Splunk environment before installing ESCU versions 5.2.0 and higher.

Risk mitigation: Clone and preserve deprecated detections

Follow these steps to clone deprecated detections before upgrading the app to avoid losing important updates and ensure the smooth management of deprecated detections:

• Identify the deprecated detections by reviewing the release notes.
• Identify the list of deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
• Create a clone of the deprecated detections under a new name and ensure that these cloned detections do not conflict with future updates of the ESCU app.
• Modify the titles and other app metadata such as adding notes to the description to explain its history and the reason for retention.
• Identify and create a backup of the lookups and macros used by the enabled deprecated detection.
• Adjust permissions if the deprecated detection is shared across the app or globally and ensure that the cloned search retains the appropriate sharing permissions.
• Verify that the cloned searches work correctly before upgrading the app.

Replacements for detections are provided as necessary. However, a replacement for every detection might not be available.

List of deprecated detections

Following is a list of detections marked for deprecation:

• ASL AWS CreateAccessKey
• ASL AWS Excessive Security Scanning
• ASL AWS Password Policy Changes
• AWS Cloud Provisioning From Previously Unseen City
• AWS Cloud Provisioning From Previously Unseen Country
• AWS Cloud Provisioning From Previously Unseen IP Address
• AWS Cloud Provisioning From Previously Unseen Region
• AWS EKS Kubernetes cluster sensitive object access
• Abnormally High AWS Instances Launched by User - MLTK
• Abnormally High AWS Instances Launched by User
• Abnormally High AWS Instances Terminated by User - MLTK
• Abnormally High AWS Instances Terminated by User
• Clients Connecting to Multiple DNS Servers
• Cloud Network Access Control List Deleted
• Correlation by Repository and Risk
• Correlation by User and Risk
• DNS Query Requests Resolved by Unauthorized DNS Servers
• DNS record changed
• Detect API activity from users without MFA
• Detect AWS API Activities From Unapproved Accounts
• Detect Activity Related to Pass the Hash Attacks
• Detect DNS requests to Phishing Sites leveraging EvilGinx2
• Detect Long DNS TXT Record Response
• Detect Mimikatz Using Loaded Images
• Detect Mimikatz Via PowerShell And EventCode 4703
• Detect Spike in AWS API Activity
• Detect Spike in Network ACL Activity
• Detect Spike in Security Group Activity
• Detect USB device insertion
• Detect new API calls from user roles
• Detect new user AWS Console Login
• Detect web traffic to dynamic domain providers
• Detection of DNS Tunnels
• Dump LSASS via procdump Rename
• EC2 Instance Modified With Previously Unseen User
• EC2 Instance Started In Previously Unseen Region
• EC2 Instance Started With Previously Unseen AMI
• EC2 Instance Started With Previously Unseen Instance Type
• EC2 Instance Started With Previously Unseen User
• Execution of File With Spaces Before Extension
• Extended Period Without Successful Netbackup Backups
• First time seen command line argument
• GCP Detect accounts with high risk roles by project
• GCP Detect high risk permissions by resource and account
• GCP Kubernetes cluster scan detection
• Identify New User Accounts
• Kubernetes AWS detect RBAC authorization by account
• Kubernetes AWS detect most active service accounts by pod
• Kubernetes AWS detect sensitive role access
• Kubernetes AWS detect service accounts forbidden failure access
• Kubernetes Azure active service accounts by pod namespace
• Kubernetes Azure detect RBAC authorization by account
• Kubernetes Azure detect sensitive object access
• Kubernetes Azure detect sensitive role access
• Kubernetes Azure detect service accounts forbidden failure access
• Kubernetes Azure detect suspicious kubectl calls
• Kubernetes Azure pod scan fingerprint
• Kubernetes Azure scan fingerprint
• Kubernetes GCP detect RBAC authorizations by account
• Kubernetes GCP detect most active service accounts by pod
• Kubernetes GCP detect sensitive object access
• Kubernetes GCP detect sensitive role access
• Kubernetes GCP detect service accounts forbidden failure access
• Kubernetes GCP detect suspicious kubectl calls
• Monitor DNS For Brand Abuse
• Multiple Okta Users With Invalid Credentials From The Same IP
• O365 Suspicious Admin Email Forwarding
• O365 Suspicious Rights Delegation
• O365 Suspicious User Email Forwarding
• Okta Account Locked Out
• Okta Account Lockout Events
• Okta Failed SSO Attempts
• Okta ThreatInsight Login Failure with High Unknown users
• Okta ThreatInsight Suspected PasswordSpray Attack
• Okta Two or More Rejected Okta Pushes
• Open Redirect in Splunk Web
• Osquery pack - ColdRoot detection
• Processes created by netsh
• Prohibited Software On Endpoint
• Reg exe used to hide files directories via registry keys
• Remote Registry Key modifications
• Scheduled tasks used in BadRabbit ransomware
• Spectre and Meltdown Vulnerable Systems
• Splunk Enterprise Information Disclosure
• Suspicious Changes to File Associations
• Suspicious Email - UBA Anomaly
• Suspicious File Write
• Suspicious Powershell Command-Line Arguments
• Suspicious Rundll32 Rename
• Suspicious writes to System Volume Information
• Uncommon Processes On Endpoint
• Unsigned Image Loaded by LSASS
• Unsuccessful Netbackup backups
• Web Fraud - Account Harvesting
• Web Fraud - Anomalous User Clickspeed
• Web Fraud - Password Sharing Across Accounts
• Windows DLL Search Order Hijacking Hunt
• Windows connhost exe started forcefully
• Windows hosts file modification
• gcp detect oauth token abuse