Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Deprecated analytics from ESCU versions 5.4.0 and higher

Some detections and analytic stories from Splunk Enterprise Security Content Update (ESCU) versions 5.4.0 and higher are marked for deprecation and can be deleted from the ESCU app. Deprecating these detections might impact your environment if any of them are enabled there.

Dashboard to assist tracking deprecated detections

Use the Deprecation Assistant dashboard for a comprehensive overview of all deprecated ESCU detections that are enabled within your Splunk environment. Monitoring this dashboard helps to ensure that your security posture is robust by identifying outdated content and making timely updates or replacements to maintain optimal threat detection capabilities.

Potential impact of deprecated detections

  • Deprecated detections can be removed from the following location: DA-ESS-ContentUpdate/default/savedsearches.conf.
  • Edited detections might stop functioning if the base detection is removed and the search parameter was not modified or saved in your local configuration. Edited detections whose search parameter is saved in your local configuration can continue to function.
  • The Job Scheduler might display errors with the message "Alert is invalid".
  • Detections might disappear from the Content Management page.
  • When a detection is removed from DA-ESS-ContentUpdate/default/savedsearches.conf, partial configurations in DA-ESS-ContentUpdate/local/savedsearches.conf might be orphaned.
  • The Correlation Search Editor might fail to load deprecated detections.
  • The Job Scheduler might report errors for deprecated detections even if they appear to be enabled in the user interface.

Required actions if you are using deprecated detections

If you are using deprecated detections, perform the following actions:

  • Review all the deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
  • Ensure that you have a full copy of each detection, including all knowledge objects such as lookups and macros, by cloning it in your Splunk environment before installing ESCU versions 5.2.0 and higher.

Risk mitigation: Clone and preserve deprecated detections

Follow these steps to clone deprecated detections before upgrading the app, so that you do not lose important updates and can manage deprecated detections smoothly:

  • Identify the deprecated detections by reviewing the release notes.
  • Identify the list of deprecated detections that are enabled in your environment using the Deprecation Assistant dashboard.
  • Create a clone of each deprecated detection under a new name, and ensure that the cloned detections do not conflict with future updates of the ESCU app.
  • Modify the titles and other app metadata, for example by adding notes to the description that explain the detection's history and the reason for retaining it.
  • Identify and back up the lookups and macros used by each enabled deprecated detection. This applies especially to the filter macros, which are denoted by the `_filter` suffix and are typically placed at the end of a search, because a missing macro prevents the search from running.
  • Adjust permissions if the deprecated detection is shared across the app or globally and ensure that the cloned search retains the appropriate sharing permissions.
  • Verify that the cloned searches work correctly before upgrading the app.
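As an added example (not Splunk's own tooling), the following script applies two of the checks above to copies of savedsearches.conf and macros.conf: it lists local stanzas whose default base is gone (the orphaned partial configurations described earlier) and enabled searches that reference a `_filter` macro that is no longer defined. The sample .conf contents and the "ESCU - <Name> - Rule" stanza naming are constructed and assumed.

```python
import re
# Constructed sample files (stanza names follow the assumed "ESCU - <Name> - Rule" pattern).
# The second local stanza is an edited copy of a detection the upgrade removed from default/.
DEFAULT_CONF = """[ESCU - Windows Suspicious Process File Path - Rule]
search = | tstats count from datamodel=Endpoint.Processes by Processes.process | `windows_suspicious_process_file_path_filter`
disabled = 1
"""
LOCAL_CONF = """[ESCU - Windows Suspicious Process File Path - Rule]
disabled = 0
[ESCU - Suspicious Process File Path - Rule]
search = | tstats count from datamodel=Endpoint.Processes by Processes.process | `suspicious_process_file_path_filter`
disabled = 0
"""
MACROS_CONF = """[windows_suspicious_process_file_path_filter]
definition = search *
"""

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] blocks, key = value lines, '#' comments."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def orphaned_local_stanzas(default_text, local_text):
    """Stanzas present only in local/: their default/ base was removed by the upgrade."""
    return sorted(set(parse_conf(local_text)) - set(parse_conf(default_text)))

def missing_filter_macros(default_text, local_text, macros_text):
    """Per enabled search (local overrides default): referenced `_filter` macros absent from macros.conf."""
    merged = parse_conf(default_text)
    for name, keys in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(keys)
    defined = set(parse_conf(macros_text))
    report = {}
    for name, keys in merged.items():
        if keys.get("disabled", "0") == "1" or "search" not in keys:
            continue
        used = set(re.findall(r"`([A-Za-z0-9_]+_filter)(?:\(.*?\))?`", keys["search"]))
        if used - defined:
            report[name] = sorted(used - defined)
    return report
```

Run it against the real files under DA-ESS-ContentUpdate before and after the upgrade; any stanza it reports is a candidate for cloning or for restoring its backed-up macro.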

Replacements for detections are provided as necessary. However, a replacement for every detection might not be available.

List of removed detections in ESCU version 5.4.0

The following table lists the removed detections and their replacement detections, where applicable:

Removed detection | Replacement detection
--- | ---
AWS Cross Account Activity From Previously Unseen Account | NA
AWS detect attach to role policy | NA
ASL AWS Password Policy Changes | NA
AWS Cloud Provisioning From Previously Unseen City | NA
AWS detect permanent key creation | NA
AWS detect role creation | NA
AWS detect STS get session token abuse | NA
AWS detect sts get session token abuse | NA
AWS SAML Access by Provider User and Principal | NA
GitHub Actions Disable Security Workflow | GitHub Organizations Disable Classic Branch Protection Rule
Github Commit Changes In Master | NA
Github Commit In Develop | NA
GitHub Dependabot Alert | GitHub Enterprise Disable Dependabot
GitHub Pull Request from Unknown User | NA
Known Services Killed by Ransomware | Windows Security And Backup Services Stop
Remote Desktop Network Bruteforce | Windows Remote Desktop Network Bruteforce Attempt
Suspicious Driver Loaded Path | Windows Suspicious Driver Loaded Path
Suspicious Event Log Service Behavior | Windows Event Logging Service Has Shutdown
Suspicious Process File Path | Windows Suspicious Process File Path

List of detections scheduled for removal in ESCU version 5.6.0

Deprecated detection | Replacement detection
--- | ---
Windows Service Created Within Public Path | Windows Service Created with Suspicious Service Path
Detect Large Outbound ICMP Packets | Detect Large ICMP Traffic
Path traversal SPL injection | NA
Persistent XSS in RapidDiag through User Interface Views | NA
Splunk Absolute Path Traversal Using runshellscript | NA
Splunk Account Discovery Drilldown Dashboard Disclosure | NA
Splunk Authentication Token Exposure in Debug Log | NA
Splunk CSRF in the SSG kvstore Client Endpoints | NA
Splunk Data exfiltration from Analytics Workspace using sid query | NA
Splunk Digital Certificates Infrastructure Version | NA
Splunk Disable KVStore via CSRF Enabling Maintenance Mode | NA
Splunk DoS Using Malformed SAML Request | NA
Splunk DOS Via Dump SPL Command | NA
Splunk DoS via Malformed S2S Request | NA
Splunk DoS via POST Request Datamodel Endpoint | NA
Splunk DOS via printf search function | NA
Splunk Edit User Privilege Escalation | NA
Splunk Endpoint Denial of Service DoS Zip Bomb | NA
Splunk Enterprise Windows Deserialization File Partition | NA
Splunk ES DoS Investigations Manager via Investigation Creation | 
Splunk ES DoS Through Investigation Attachments | NA
Splunk HTTP Response Splitting Via Rest SPL Command | NA
Splunk Identified SSL TLS Certificates | NA
Splunk Image File Disclosure via PDF Export in Classic Dashboard | NA
Splunk Information Disclosure in Splunk Add-on Builder | NA
Splunk list all nonstandard admin accounts | NA
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App | NA
Splunk Low Privilege User Can View Hashed Splunk Password | NA
Splunk Persistent XSS via Props Conf | NA
Splunk Persistent XSS via Scheduled Views | NA
Splunk Persistent XSS Via URL Validation Bypass W Dashboard | NA
Splunk Process Injection Forwarder Bundle Downloads | NA
Splunk Protocol Impersonation Weak Encryption Configuration | NA
Splunk protocol impersonation weak encryption selfsigned | NA
Splunk protocol impersonation weak encryption simplerequest | NA
Splunk RBAC Bypass On Indexing Preview REST Endpoint | NA
Splunk RCE Through Arbitrary File Write to Windows System Root | NA
Splunk RCE via External Lookup Copybuckets | NA
Splunk RCE via Serialized Session Payload | NA
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature | NA
Splunk Reflected XSS in the templates lists radio | NA
Splunk Reflected XSS on App Search Table Endpoint | NA
Splunk risky Command Abuse disclosed february 2023 | NA
GCP Kubernetes cluster scan detection | Kubernetes Scanning by Unauthenticated IP Address
Splunk SG Information Disclosure for Low Privs User | NA
Splunk Stored XSS conf-web Settings on Premises | NA
Splunk Stored XSS via Data Model objectName Field | NA
Splunk Stored XSS via Specially Crafted Bulletin Message | NA
Splunk Unauthenticated DoS via Null Pointer References | NA
Splunk Unauthenticated Log Injection Web Service Log | NA
Splunk Unauthenticated Path Traversal Modules Messaging | NA
Splunk Unauthorized Experimental Items Creation | NA
Splunk Unauthorized Notification Input by User | NA
Splunk unnecessary file extensions allowed by lookup table uploads | NA
Splunk XSS in Highlighted JSON Events | NA
Splunk XSS in Monitoring Console | NA
Splunk XSS in Save table dialog header in search page | NA
Splunk XSS Via External Urls in Dashboards SSRF | NA
Splunk XSS via View | NA

Last modified on 23 April, 2025

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.4.0
