github splunk/security_content v6.0.0


🚀 Key Highlights

ESCU 6.0.0 is a major release that includes a number of changes for better alignment with Enterprise Security v8.x+ features.

Please note that all content has been updated in this release, resulting in cleaner, more readable .conf files.

๐Ÿ”Expanded Finding and Intermediate Finding Support ๐Ÿ”Ž

Detections that previously created a Notable Event, and then a Finding with a 0-score “N/A” entity, will now create a Finding with an appropriately tagged entity taken from the search results, using the score that previously would have been assigned to the risk event/Intermediate Finding for that entity.

Because entities are now tagged on Findings, fewer Intermediate Findings in total may be created for some detections, as we won’t separately create an Intermediate Finding for every entity.

๐Ÿ—“๏ธ Increased Clarity on Content Creation Date vs Modification Date ๐Ÿ—“๏ธ

Detections, Analytic Stories, and other content now carry both a creation date and a modification date (depending on where you view them), indicating when we first created them and when we last modified them.

๐Ÿ› ๏ธ Repository Tooling Updates ๐Ÿ› ๏ธ

ESCU v6.0 marks the transition away from contentctl. We are shifting future investment from contentctl to Detection Studio as we work to bring this functionality into Splunk as an officially supported capability. The contentctl repository will remain publicly available for reference, forking, and customization, but continued use may require customer-managed customization. For more information, see https://github.com/splunk/contentctl/blob/main/README.md

Future Breaking Changes

As previously communicated in ESCU v5.27.0, a number of detections will be removed in v6.1.0. For details on detections scheduled for removal in ESCU version v6.1.0, see the List of Detections Scheduled for Removal.

List of detections scheduled for removal in ESCU version 6.1.0

| Deprecated Detection | Replacement Detection |
| --- | --- |
| CHCP Command Execution | Not Available |
| Sc exe Manipulating Windows Services | Not Available |
| Processes launching netsh | Not Available |
| Ivanti Sentry Authentication Bypass | Not Available |
| Attempt To Add Certificate To Untrusted Store | Not Available |

List of detections deprecated in ESCU version 6.0.0

| Deprecated Detection | Replacement Detection |
| --- | --- |
