Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Deprecated analytics from ESCU versions 5.2.0 and higher

Some detections and analytic stories from Splunk Enterprise Security Content Update (ESCU) versions 5.2.0 and higher are marked for deprecation and can be deleted from the ESCU app. If any of these detections are enabled in your environment, their deprecation might affect it.

Dashboard to assist tracking deprecated detections

Use the Deprecation Assistant dashboard for a comprehensive overview of all deprecated ESCU detections that are enabled within your Splunk environment. Monitor this dashboard to identify outdated content and update or replace it in time, so that the deprecation does not leave gaps in your threat detection coverage.

Potential impact of deprecated detections

  • Deprecated detections can be removed from the following location: DA-ESS-ContentUpdate/default/savedsearches.conf.
  • Edited detections might stop functioning if the base detection is removed and if the search parameter was not modified or saved in your local configuration. Edited detections with saved search parameters can continue to function.
  • The Job Scheduler might display errors with the message: Alert is invalid.
  • Detections might disappear from the Content Management page.
  • When a detection is removed from DA-ESS-ContentUpdate/default/savedsearches.conf, partial configurations in DA-ESS-ContentUpdate/local/savedsearches.conf might be orphaned.
  • The Correlation Search Editor might fail to load deprecated detections.
  • The Job Scheduler might report errors for deprecated detections even if they appear to be enabled in the user interface.

Required actions if you are using deprecated detections

If you are using deprecated detections, perform the following actions:

  • Review all the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
  • Before installing ESCU versions 5.2.0 and higher, clone each deprecated detection in your Splunk environment so that you have a full copy of it, including all knowledge objects that it uses, such as lookups and macros.

Risk mitigation: Clone and preserve deprecated detections

Follow these steps to clone deprecated detections before upgrading the app, so that you do not lose important changes and can manage the deprecated detections smoothly:

  • Identify the deprecated detections by reviewing the release notes.
  • Identify the list of deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
  • Create a clone of the deprecated detections under a new name and ensure that these cloned detections do not conflict with future updates of the ESCU app.
  • Modify the title and other metadata of each clone, for example by adding a note to the description that explains the history of the detection and the reason for retaining it.
  • Identify and create a backup of the lookups and macros used by each enabled deprecated detection.
  • Adjust permissions if the deprecated detection is shared across the app or globally and ensure that the cloned search retains the appropriate sharing permissions.
  • Verify that the cloned searches work correctly before upgrading the app.

Replacements for detections are provided as necessary. However, a replacement for every detection might not be available.
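The impact bullets above describe two failure modes that are easy to miss before an upgrade: a local stanza that only flips disabled = 0 still depends on the search body in default/savedsearches.conf, and a local stanza whose default counterpart has already been removed is orphaned. The following script is an added example, not Splunk's own tooling or part of the ESCU app: it parses a default and a local savedsearches.conf, merges them the way Splunk layers configuration (local keys override default keys), and reports, for each local stanza, whether it is orphaned, whether it is deprecated and enabled, and whether it carries its own search so that it would survive removal of the base detection. Assumptions not taken from this page: detection stanzas are named "ESCU - <title> - Rule" (verify against your installation), a missing disabled key means enabled, and both conf texts are constructed samples. Run it against the real files before the upgrade to confirm that the clone step left nothing dependent on a stanza that is about to disappear.

```python
"""Pre-upgrade check for local savedsearches.conf overrides of deprecated
ESCU detections.  Added example, not Splunk's own tooling.

Assumptions (not taken from the documentation): detection stanzas are
named 'ESCU - <title> - Rule', a missing 'disabled' key means enabled,
and the two conf texts below are constructed samples."""

DEPRECATED_TITLES = [
    # Titles copied from the deprecation list on this page.
    "Detect Mimikatz Using Loaded Images",
    "Detect USB device insertion",
    "Windows hosts file modification",
    "Detect Long DNS TXT Record Response",
]

# Constructed stand-in for DA-ESS-ContentUpdate/default/savedsearches.conf.
DEFAULT_CONF = """
[ESCU - Detect Mimikatz Using Loaded Images - Rule]
search = index=constructed_sample sourcetype=a
disabled = 1
action.correlationsearch.enabled = 1

[ESCU - Detect USB device insertion - Rule]
search = index=constructed_sample sourcetype=b
disabled = 1

[ESCU - Windows hosts file modification - Rule]
search = index=constructed_sample sourcetype=c
disabled = 1

[ESCU - Constructed Current Detection - Rule]
search = index=constructed_sample sourcetype=d
disabled = 1
"""

# Constructed stand-in for DA-ESS-ContentUpdate/local/savedsearches.conf.
# Raw string so the backslash line continuation survives as written.
LOCAL_CONF = r"""
# Enabled in the UI only: the search body still lives in default.
[ESCU - Detect Mimikatz Using Loaded Images - Rule]
disabled = 0

# Edited and saved: local carries its own search, so it survives removal.
[ESCU - Detect USB device insertion - Rule]
disabled = 0
search = index=constructed_sample sourcetype=b \
  | stats count by host

[ESCU - Windows hosts file modification - Rule]
disabled = 1
cron_schedule = 0 * * * *

[ESCU - Constructed Current Detection - Rule]
disabled = 0

# Base stanza already gone from default: this override is orphaned.
[ESCU - Detect Long DNS TXT Record Response - Rule]
disabled = 0
"""

ORPHANED = "orphaned: local stanza has no default counterpart"
DEPENDS = "deprecated, enabled, depends on default search"
SELF_CONTAINED = "deprecated, enabled, self-contained in local"
DISABLED = "deprecated but disabled"
CURRENT = "not deprecated"


def parse_conf(text):
    """Minimal parser for Splunk .conf layout: [stanza] headers,
    key = value lines, '#' comments and backslash line continuation."""
    stanzas, current, key, continuing = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if continuing:
            # Previous value continues here; a trailing backslash keeps going.
            continuing = line.endswith("\\")
            stanzas[current][key] += " " + line.rstrip("\\").strip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            key = key.strip()
            continuing = value.endswith("\\")
            stanzas[current][key] = value.rstrip("\\").strip()
    return stanzas


def is_enabled(merged):
    """Splunk treats an absent 'disabled' key as enabled (assumption)."""
    return merged.get("disabled", "0").lower() not in ("1", "true")


def assess_local_overrides(default_text, local_text, deprecated_titles):
    """Classify every stanza in local by what the upgrade will do to it.
    Stanzas present only in default are untouched by local and not reported."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    deprecated = {f"ESCU - {t} - Rule" for t in deprecated_titles}
    report = {}
    for name, local_keys in local.items():
        if name not in default:
            report[name] = ORPHANED
            continue
        merged = {**default[name], **local_keys}  # local wins per key
        if name not in deprecated:
            report[name] = CURRENT
        elif not is_enabled(merged):
            report[name] = DISABLED
        elif "search" in local_keys:
            report[name] = SELF_CONTAINED
        else:
            report[name] = DEPENDS
    return report


if __name__ == "__main__":
    for stanza, status in assess_local_overrides(
            DEFAULT_CONF, LOCAL_CONF, DEPRECATED_TITLES).items():
        print(f"{status:50} {stanza}")
```

Stanzas reported as "depends on default search" are the ones the clone procedure must cover before the upgrade; "orphaned" entries are the partial configurations the impact list warns about and are candidates for cleanup or for a clone that carries the full definition. To use it on a real deployment, replace the two constructed strings with the contents of the default and local files and the title list with the deprecated detections that the Deprecation Assistant dashboard shows as enabled.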

List of deprecated detections

Following is a list of detections marked for deprecation:

  1. ASL AWS CreateAccessKey
  2. ASL AWS Excessive Security Scanning
  3. ASL AWS Password Policy Changes
  4. AWS Cloud Provisioning From Previously Unseen City
  5. AWS Cloud Provisioning From Previously Unseen Country
  6. AWS Cloud Provisioning From Previously Unseen IP Address
  7. AWS Cloud Provisioning From Previously Unseen Region
  8. AWS EKS Kubernetes cluster sensitive object access
  9. Abnormally High AWS Instances Launched by User - MLTK
  10. Abnormally High AWS Instances Launched by User
  11. Abnormally High AWS Instances Terminated by User - MLTK
  12. Abnormally High AWS Instances Terminated by User
  13. Account Discovery With Net App
  14. Attempt To Stop Security Service
  15. Attempted Credential Dump From Registry via Reg exe
  16. Change Default File Association
  17. Clients Connecting to Multiple DNS Servers
  18. Cmdline Tool Not Executed In CMD Shell
  19. Cloud Network Access Control List Deleted
  20. Correlation by Repository and Risk
  21. Correlation by User and Risk
  22. Create local admin accounts using net exe
  23. DNS Query Requests Resolved by Unauthorized DNS Servers
  24. DNS record changed
  25. Deleting Of Net Users
  26. Detect API activity from users without MFA
  27. Detect AWS API Activities From Unapproved Accounts
  28. Detect Activity Related to Pass the Hash Attacks
  29. Detect Critical Alerts from Security Tools
  30. Detect DNS requests to Phishing Sites leveraging EvilGinx2
  31. Detect Long DNS TXT Record Response
  32. Detect Mimikatz Using Loaded Images
  33. Detect Mimikatz Via PowerShell And EventCode 4703
  34. Detect Spike in AWS API Activity
  35. Detect Spike in Network ACL Activity
  36. Detect Spike in Security Group Activity
  37. Detect USB device insertion
  38. Detect Webshell Exploit Behavior
  39. Detect new API calls from user roles
  40. Detect new user AWS Console Login
  41. Detect processes used for System Network Configuration Discovery
  42. Detect web traffic to dynamic domain providers
  43. Detection of DNS Tunnels
  44. Disabling Net User Account
  45. Domain Account Discovery With Net App
  46. Domain Group Discovery With Net
  47. Dump LSASS via procdump Rename
  48. EC2 Instance Modified With Previously Unseen User
  49. EC2 Instance Started In Previously Unseen Region
  50. EC2 Instance Started With Previously Unseen AMI
  51. EC2 Instance Started With Previously Unseen Instance Type
  52. EC2 Instance Started With Previously Unseen User
  53. Elevated Group Discovery With Net
  54. Excel Spawning PowerShell
  55. Excel Spawning Windows Script Host
  56. Excessive Service Stop Attempt
  57. Excessive Usage Of Net App
  58. Execution of File With Spaces Before Extension
  59. Extended Period Without Successful Netbackup Backups
  60. Extraction of Registry Hives
  61. First time seen command line argument
  62. GCP Detect accounts with high risk roles by project
  63. GCP Detect high risk permissions by resource and account
  64. GCP Kubernetes cluster scan detection
  65. Identify New User Accounts
  66. Kubernetes AWS detect RBAC authorization by account
  67. Kubernetes AWS detect most active service accounts by pod
  68. Kubernetes AWS detect sensitive role access
  69. Kubernetes AWS detect service accounts forbidden failure access
  70. Kubernetes Azure active service accounts by pod namespace
  71. Kubernetes Azure detect RBAC authorization by account
  72. Kubernetes Azure detect sensitive object access
  73. Kubernetes Azure detect sensitive role access
  74. Kubernetes Azure detect service accounts forbidden failure access
  75. Kubernetes Azure detect suspicious kubectl calls
  76. Kubernetes Azure pod scan fingerprint
  77. Kubernetes Azure scan fingerprint
  78. Kubernetes GCP detect RBAC authorizations by account
  79. Kubernetes GCP detect most active service accounts by pod
  80. Kubernetes GCP detect sensitive object access
  81. Kubernetes GCP detect sensitive role access
  82. Kubernetes GCP detect service accounts forbidden failure access
  83. Kubernetes GCP detect suspicious kubectl calls
  84. Linux Auditd Find Private Keys
  85. Local Account Discovery with Net
  86. MSHTML Module Load in Office Product
  87. Monitor DNS For Brand Abuse
  88. Multiple Okta Users With Invalid Credentials From The Same IP
  89. Net Localgroup Discovery
  90. Network Connection Discovery With Net
  91. O365 Suspicious Admin Email Forwarding
  92. O365 Suspicious Rights Delegation
  93. O365 Suspicious User Email Forwarding
  94. Office Application Drop Executable
  95. Office Application Spawn Regsvr32 process
  96. Office Application Spawn rundll32 process
  97. Office Document Creating Schedule Task
  98. Office Document Executing Macro Code
  99. Office Document Spawned Child Process To Download
  100. Office Product Spawn CMD Process
  101. Office Product Spawning BITSAdmin
  102. Office Product Spawning CertUtil
  103. Office Product Spawning MSHTA
  104. Office Product Spawning Rundll32 with no DLL
  105. Office Product Spawning Windows Script Host
  106. Office Product Spawning Wmic
  107. Office Product Writing cab or inf
  108. Office Spawning Control
  109. Okta Account Locked Out
  110. Okta Account Lockout Events
  111. Okta Failed SSO Attempts
  112. Okta ThreatInsight Login Failure with High Unknown users
  113. Okta ThreatInsight Suspected PasswordSpray Attack
  114. Okta Two or More Rejected Okta Pushes
  115. Open Redirect in Splunk Web
  116. Osquery pack - ColdRoot detection
  117. Password Policy Discovery with Net
  118. Processes created by netsh
  119. Prohibited Software On Endpoint
  120. Reg exe used to hide files directories via registry keys
  121. Remote Registry Key modifications
  122. Remote System Discovery with Net
  123. Scheduled tasks used in BadRabbit ransomware
  124. Spectre and Meltdown Vulnerable Systems
  125. Splunk Enterprise Information Disclosure
  126. Suspicious Changes to File Associations
  127. Suspicious Email - UBA Anomaly
  128. Suspicious File Write
  129. Suspicious Powershell Command-Line Arguments
  130. Suspicious Rundll32 Rename
  131. Suspicious writes to System Volume Information
  132. Uncommon Processes On Endpoint
  133. Unsigned Image Loaded by LSASS
  134. Unsuccessful Netbackup backups
  135. Web Fraud - Account Harvesting
  136. Web Fraud - Anomalous User Clickspeed
  137. Web Fraud - Password Sharing Across Accounts
  138. Windows Command Shell Fetch Env Variables
  139. Windows DLL Search Order Hijacking Hunt
  140. Windows Lateral Tool Transfer RemCom
  141. Windows MSIExec With Network Connections
  142. Windows Modify Registry Reg Restore
  143. Windows Network Share Interaction With Net
  144. Windows Office Product Spawning MSDT
  145. Windows Query Registry Reg Save
  146. Windows Service Stop Via Net and SC Application
  147. Windows Valid Account With Never Expires Password
  148. Windows connhost exe started forcefully
  149. Windows hosts file modification
  150. Winword Spawning Cmd
  151. Winword Spawning PowerShell
  152. Winword Spawning Windows Script Host
  153. gcp detect oauth token abuse
Last modified on 31 January, 2025

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.0.0, 5.1.0