Deprecated analytics from ESCU versions 5.6.0 and higher
Some detections and analytic stories from Splunk Enterprise Security Content Update (ESCU) versions 5.4.0 and higher are marked for deprecation and can be deleted from the ESCU app. Removing a deprecated detection affects your environment if that detection is enabled there.
Dashboard to assist tracking deprecated detections
Use the Deprecation Assistant dashboard for a comprehensive overview of all deprecated ESCU detections that are enabled in your Splunk environment. Reviewing this dashboard before each upgrade identifies outdated content so that you can update or replace it in time and keep your detection coverage intact.
Potential impact of deprecated detections
- Deprecated detections can be removed from `DA-ESS-ContentUpdate/default/savedsearches.conf`.
- Edited detections might stop functioning if the base detection is removed and the `search` parameter was not modified or saved in your local configuration. Edited detections whose `search` parameter is saved locally can continue to function.
- The Job Scheduler might display errors with the message `Alert is invalid`.
- Detections might disappear from the Content Management page.
- When a detection is removed from `DA-ESS-ContentUpdate/default/savedsearches.conf`, partial configurations in `DA-ESS-ContentUpdate/local/savedsearches.conf` might be orphaned.
- The Correlation Search Editor might fail to load deprecated detections.
- The Job Scheduler might report errors for deprecated detections even if they appear to be enabled in the user interface.
Required actions if you are using deprecated detections
If you are using deprecated detections, perform the following actions:
- Review all the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
- Before installing ESCU versions 5.2.0 and higher, clone each such detection in your Splunk environment so that you keep a full copy of it, including all the knowledge objects it depends on, such as lookups and macros.
Risk mitigation: Clone and preserve deprecated detections
Follow these steps to clone deprecated detections before upgrading the app, so that you do not lose your customizations and can manage the retained content cleanly:
- Identify the deprecated detections by reviewing the release notes.
- Identify the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
- Create a clone of each deprecated detection under a new name that does not conflict with future updates of the ESCU app.
- Update the title and other app metadata, for example by adding a note to the description that explains the detection's history and the reason for retaining it.
- Identify and back up the lookups and macros used by each enabled deprecated detection. This applies especially to the filter macros, denoted by the `_filter` suffix and typically placed at the end of a search, because a missing macro prevents the search from running.
- Adjust permissions if the deprecated detection is shared across the app or globally, and ensure that the cloned search retains the appropriate sharing permissions.
- Verify that the cloned searches work correctly before upgrading the app.
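To make the impact list and the clone-and-preserve steps concrete, here is an added example, written for this page and not code from the ESCU app or from Splunk. It reads the contents of the default and local `savedsearches.conf` of DA-ESS-ContentUpdate, predicts for each removed stanza which of the outcomes above applies (disappears, orphaned partial configuration, or self-contained local `search` that keeps working), lists the macros (especially `_filter` macros) and lookups each search depends on, and renders a merged clone stanza under a new name. The conf snippets, the `known_scanners` lookup, the ` - Retained` naming suffix and the three-entry removed list are constructed assumptions; the triage works for any list of stanza names, not only the three shown.

```python
"""Pre-upgrade triage of deprecated ESCU detections.

Added example (not code from the ESCU app or Splunk docs). It parses the
default and local savedsearches.conf of DA-ESS-ContentUpdate, classifies each
detection the release notes list as removed, records the macros (notably
`*_filter`) and lookups its search depends on, and renders a self-contained
clone stanza that keeps working after the base stanza is deleted.
All conf text and the removed-detection list below are constructed.
"""
import configparser
import re

# Constructed stand-in for DA-ESS-ContentUpdate/default/savedsearches.conf.
DEFAULT_CONF = """\
[ESCU - Detect Large Outbound ICMP Packets - Rule]
description = Detects unusually large ICMP payloads leaving the network.
search = | tstats count from datamodel=Network_Traffic where All_Traffic.transport=icmp All_Traffic.bytes_out>1000 by All_Traffic.src | `drop_dm_object_name(All_Traffic)` | lookup known_scanners src OUTPUT is_scanner | `detect_large_outbound_icmp_packets_filter`
disabled = 1

[ESCU - Windows Service Created Within Public Path - Rule]
description = Detects service creation from a world-writable path.
search = | tstats count from datamodel=Endpoint.Registry where Registry.registry_path=*Services* by Registry.dest | `windows_service_created_within_public_path_filter`
disabled = 1

[ESCU - Path traversal SPL injection - Rule]
description = Detects path traversal attempts in SPL.
search = index=_internal sourcetype=splunkd_ui_access uri=*..%2f* | `path_traversal_spl_injection_filter`
disabled = 1
"""

# Constructed stand-in for DA-ESS-ContentUpdate/local/savedsearches.conf:
# the first stanza only flips scheduling (partial override), the second one
# saved an edited search, the third detection was never touched locally.
LOCAL_CONF = """\
[ESCU - Detect Large Outbound ICMP Packets - Rule]
disabled = 0
enableSched = 1
cron_schedule = 0 * * * *

[ESCU - Windows Service Created Within Public Path - Rule]
disabled = 0
search = | tstats count from datamodel=Endpoint.Processes where Processes.process=*sc.exe*create* by Processes.dest | `windows_service_created_within_public_path_filter`
"""

# Names taken from the removed-detection table; " - Rule" is the ESCU stanza
# naming convention. In practice, build this list from the release notes.
REMOVED = [
    "ESCU - Detect Large Outbound ICMP Packets - Rule",
    "ESCU - Windows Service Created Within Public Path - Rule",
    "ESCU - Path traversal SPL injection - Rule",
]

MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\([^`]*\))?`")
LOOKUP_RE = re.compile(r"\|\s*(?:input)?lookup\s+(?:\w+=\S+\s+)*([A-Za-z0-9_.-]+)")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as enableSched are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def referenced_macros(search):
    return sorted(set(MACRO_RE.findall(search)))


def referenced_lookups(search):
    return sorted(set(LOOKUP_RE.findall(search)))


def triage(default, local, removed):
    """Predict what happens to each removed detection once its default stanza is gone."""
    report = {}
    for name in removed:
        if name not in default:
            continue  # not shipped in this version, nothing to preserve
        loc = local.get(name)
        if loc is None:
            status = "disappears"        # no local copy: vanishes from Content Management
        elif "search" in loc:
            status = "self_contained"    # local saved its own search: keeps running
        else:
            status = "orphaned_partial"  # local only overrides scheduling/disabled
        effective = {**default[name], **(loc or {})}
        macros = referenced_macros(effective["search"])
        report[name] = {
            "status": status,
            "enabled": effective.get("disabled", "0") == "0",
            "macros": macros,
            "filter_macros": [m for m in macros if m.endswith("_filter")],
            "lookups": referenced_lookups(effective["search"]),
        }
    return report


def render_clone(name, default, local, suffix=" - Retained"):
    """Merge default+local into one stanza under a new, non-conflicting name (suffix assumed)."""
    effective = {**default[name], **local.get(name, {})}
    effective["description"] = (
        f"Retained clone of deprecated ESCU detection '{name}'; kept because it "
        f"is enabled in this environment. {effective.get('description', '')}".strip()
    )
    lines = [f"[{name}{suffix}]"] + [f"{k} = {v}" for k, v in sorted(effective.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    default, local = parse_conf(DEFAULT_CONF), parse_conf(LOCAL_CONF)
    for name, info in triage(default, local, REMOVED).items():
        print(f"{name}: {info['status']} enabled={info['enabled']} "
              f"filter_macros={info['filter_macros']} lookups={info['lookups']}")
        if info["enabled"] and info["status"] != "self_contained":
            print(render_clone(name, default, local))
```

In use, copy the two conf files from the search head and feed their contents to `parse_conf`. Every macro and lookup in the report needs to exist after the upgrade, so back those up alongside the clone; placing the clone stanza in an app of your own rather than in `DA-ESS-ContentUpdate/local` (my suggestion, not a step from the page) keeps it out of the way of later ESCU updates.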
Replacement detections are provided where available; not every removed detection has a replacement.
List of removed detections in ESCU version 5.6.0
Removed detection | Replacement detection |
---|---|
Windows Service Created Within Public Path | Windows Service Created with Suspicious Service Path |
Detect Large Outbound ICMP Packets | Detect Large ICMP Traffic |
Path traversal SPL injection | NA |
Persistent XSS in RapidDiag through User Interface Views | NA |
Splunk Absolute Path Traversal Using runshellscript | NA |
Splunk Account Discovery Drilldown Dashboard Disclosure | NA |
Splunk Authentication Token Exposure in Debug Log | NA |
Splunk CSRF in the SSG kvstore Client Endpoints | NA |
Splunk Data exfiltration from Analytics Workspace using sid query | NA |
Splunk Digital Certificates Infrastructure Version | NA |
Splunk Disable KVStore via CSRF Enabling Maintenance Mode | NA |
Splunk DoS Using Malformed SAML Request | NA |
Splunk DOS Via Dump SPL Command | NA |
Splunk DoS via Malformed S2S Request | NA |
Splunk DoS via POST Request Datamodel Endpoint | NA |
Splunk DOS via printf search function | NA |
Splunk Edit User Privilege Escalation | NA |
Splunk Endpoint Denial of Service DoS Zip Bomb | NA |
Splunk Enterprise Windows Deserialization File Partition | NA |
Splunk ES DoS Investigations Manager via Investigation Creation | |
Splunk ES DoS Through Investigation Attachments | NA |
Splunk HTTP Response Splitting Via Rest SPL Command | NA |
Splunk Identified SSL TLS Certificates | NA |
Splunk Image File Disclosure via PDF Export in Classic Dashboard | NA |
Splunk Information Disclosure in Splunk Add-on Builder | NA |
Splunk list all nonstandard admin accounts | NA |
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App | NA |
Splunk Low Privilege User Can View Hashed Splunk Password | NA |
Splunk Persistent XSS via Props Conf | NA |
Splunk Persistent XSS via Scheduled Views | NA |
Splunk Persistent XSS Via URL Validation Bypass W Dashboard | NA |
Splunk Process Injection Forwarder Bundle Downloads | NA |
Splunk Protocol Impersonation Weak Encryption Configuration | NA |
Splunk protocol impersonation weak encryption selfsigned | NA |
Splunk protocol impersonation weak encryption simplerequest | NA |
Splunk RBAC Bypass On Indexing Preview REST Endpoint | NA |
Splunk RCE Through Arbitrary File Write to Windows System Root | NA |
Splunk RCE via External Lookup Copybuckets | NA |
Splunk RCE via Serialized Session Payload | NA |
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature | NA |
Splunk Reflected XSS in the templates lists radio | NA |
Splunk Reflected XSS on App Search Table Endpoint | NA |
Splunk risky Command Abuse disclosed february 2023 | NA |
Splunk SG Information Disclosure for Low Privs User | NA |
Splunk Stored XSS conf-web Settings on Premises | NA |
Splunk Stored XSS via Data Model objectName Field | NA |
Splunk Stored XSS via Specially Crafted Bulletin Message | NA |
Splunk Unauthenticated DoS via Null Pointer References | NA |
Splunk Unauthenticated Log Injection Web Service Log | NA |
Splunk Unauthenticated Path Traversal Modules Messaging | NA |
Splunk Unauthorized Experimental Items Creation | NA |
Splunk Unauthorized Notification Input by User | NA |
Splunk unnecessary file extensions allowed by lookup table uploads | NA |
Splunk XSS in Highlighted JSON Events | NA |
Splunk XSS in Monitoring Console | NA |
Splunk XSS in Save table dialog header in search page | NA |
Splunk XSS Via External Urls in Dashboards SSRF | NA |
Splunk XSS via View | NA |
List of detections scheduled for removal in ESCU version 5.8.0
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.6.0