Deprecated analytics from ESCU versions 5.2.0 and higher
Some detections and analytic stories from Splunk Enterprise Security Content Update (ESCU) versions 5.2.0 and higher are marked for deprecation and can be deleted from the ESCU app. Deprecating these detections might impact your environment if they are enabled.
Dashboard to assist tracking deprecated detections
Use the Deprecation Assistant dashboard for a comprehensive overview of all deprecated ESCU detections that are enabled within your Splunk environment. Monitoring this dashboard helps to ensure that your security posture is robust by identifying outdated content and making timely updates or replacements to maintain optimal threat detection capabilities.
Potential impact of deprecated detections
- Deprecated detections can be removed from the following location: `DA-ESS-ContentUpdate/default/savedsearches.conf`.
- Edited detections might stop functioning if the base detection is removed and the search parameter was not modified or saved in your local configuration. Edited detections with saved search parameters can continue to function.
- The Job Scheduler might display errors with the message: `Alert is invalid`
- Detections might disappear from the Content Management page.
- When a detection is removed from `DA-ESS-ContentUpdate/default/savedsearches.conf`, partial configurations in `DA-ESS-ContentUpdate/local/savedsearches.conf` might be orphaned.
- The Correlation Search Editor might fail to load deprecated detections.
- The Job Scheduler might report errors for deprecated detections even if they appear to be enabled in the user interface.
Required actions if you are using deprecated detections
If you are using deprecated detections, perform the following actions:
- Review all the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
- Ensure that you have a full copy of the detection, including all knowledge objects such as lookups and macros, by cloning it in your Splunk environment before installing ESCU versions 5.2.0 and higher.
Risk mitigation: Clone and preserve deprecated detections
Follow these steps to clone deprecated detections before upgrading the app to avoid losing important updates and ensure the smooth management of deprecated detections:
- Identify the deprecated detections by reviewing the release notes.
- Identify the list of deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
- Create a clone of the deprecated detections under a new name and ensure that these cloned detections do not conflict with future updates of the ESCU app.
- Modify the titles and other app metadata, for example by adding notes to the description that explain the detection's history and the reason for its retention.
- Identify and create a backup of the lookups and macros used by each deprecated detection that is turned on. This applies especially to the filter macros, which are denoted by the `_filter` suffix and are typically used at the end of a search, because missing macros prevent searches from running.
- Adjust permissions if the deprecated detection is shared across the app or globally, and ensure that the cloned search retains the appropriate sharing permissions.
- Verify that the cloned searches work correctly before upgrading the app.
Replacements for detections are provided as necessary. However, a replacement for every detection might not be available.
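As an added example (not part of the Splunk documentation or the ESCU app), the following Python script performs the pre-upgrade check this procedure describes: it reads constructed `default/` and `local/` savedsearches.conf stanzas, flags detections on the removal list that are enabled or carry a local override that would be orphaned once the base stanza disappears, and lists the `_filter` macros that must be backed up with the clone. Stanza names assume the `ESCU - <title> - Rule` convention, and the filter macro name is constructed.

```python
import re

# Constructed sample stanzas (not real ESCU content); the _filter macro name is assumed.
DEFAULT_CONF = """\
[ESCU - Suspicious Process File Path - Rule]
search = | tstats count from datamodel=Endpoint.Processes \\
  | `suspicious_process_file_path_filter`
disabled = 1
"""
LOCAL_CONF = """\
[ESCU - Suspicious Process File Path - Rule]
disabled = 0
cron_schedule = 0 * * * *
[ESCU - Remote Desktop Network Bruteforce - Rule]
disabled = 0
"""
# Titles from the removal list, written as savedsearches.conf stanza names.
REMOVED = ["ESCU - Suspicious Process File Path - Rule",
           "ESCU - Remote Desktop Network Bruteforce - Rule",
           "ESCU - GitHub Dependabot Alert - Rule"]
MACRO_RE = re.compile(r"`(\w+_filter)(?:\(.*?\))?`")   # `name_filter` or `name_filter(args)`

def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza] headers, key = value, backslash continuations."""
    conf, stanza, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                  # value continues on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[stanza][key.strip()] = value.strip()
    return conf

def deprecation_report(default_text, local_text, removed):
    """Per stanza slated for removal: enabled after local-over-default layering,
    local override present (orphaned once the base stanza goes), macros to back up."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    report = {}
    for name in removed:
        merged = {**default.get(name, {}), **local.get(name, {})}   # local wins
        if merged:                               # absent everywhere: nothing to preserve
            report[name] = {"enabled": merged.get("disabled", "1") == "0",
                            "local_override": name in local,
                            "filter_macros": sorted(set(
                                MACRO_RE.findall(merged.get("search", ""))))}
    return report
```

Run it against the real `default/` and `local/` files of DA-ESS-ContentUpdate and the stanza names from the release notes; any entry with `local_override` set is a candidate for cloning before the upgrade.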
List of removed detections in ESCU version 5.2.0
Following is a list of removed detections and replacement detections, where applicable:
List of detections scheduled for removal in ESCU version 5.4.0
- AWS SAML Access by Provider User and Principal
- GitHub Actions Disable Security Workflow
- aws detect permanent key creation
- Github Commit In Develop
- Suspicious Driver Loaded Path
- Known Services Killed by Ransomware
- Github Commit Changes In Master
- GitHub Pull Request from Unknown User
- Suspicious Event Log Service Behavior
- Suspicious Process File Path
- aws detect attach to role policy
- GitHub Dependabot Alert
- aws detect sts get session token abuse
- aws detect role creation
- aws detect sts assume role abuse
- AWS Cross Account Activity From Previously Unseen Account
- Remote Desktop Network Bruteforce
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.2.0