
Deprecated mapping yaml for detections #3297

Draft: wants to merge 11 commits into base branch develop
Conversation

patel-bhavin (Contributor)

adds a new mapping file for deprecated detections:

```yaml
- deprecated_name: Okta Two or More Rejected Okta Pushes
  deprecated_id: d93f785e-4c2c-4262-b8c7-12b77a13fd39
  replacement_name: Okta Multiple Failed MFA Requests For User
  replacement_id: 826dbaae-a1e6-4c8c-b384-d16898956e73
  date: '2025-01-28'
  escu_version: 5.0.0
  migration_guide: https://docs.splunk.com/Documentation/ESCU/5.0.0/user/DeprecatedAnalytics
  # plain multi-line scalar: the continuation line must be indented past the key
  reason: Detections updated to use the new search logic and field names due to the
    TA update
```

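As an added example (not code from this PR, from security_content or from contentctl), here is a small Python validator for mapping entries of the shape shown in the description above. It parses only the flat list-of-mappings subset of YAML used there (so it needs no PyYAML), then checks each entry: all fields present, both ids are canonical UUIDs and differ from each other, `replacement_id` resolves to a known detection id, `date` is ISO `YYYY-MM-DD` and `escu_version` is `MAJOR.MINOR.PATCH`. The second sample entry and the `KNOWN_DETECTION_IDS` set are constructed for the demonstration; in practice the known ids would be collected from the repo's detection YML files.

```python
"""Validate a deprecated-detection mapping list (added example, not project code)."""
import re
import uuid
from datetime import date

# Constructed sample: the entry from the PR description plus a deliberately
# broken second entry (fabricated ids/values) to exercise every check.
SAMPLE_MAPPING = """\
- deprecated_name: Okta Two or More Rejected Okta Pushes
  deprecated_id: d93f785e-4c2c-4262-b8c7-12b77a13fd39
  replacement_name: Okta Multiple Failed MFA Requests For User
  replacement_id: 826dbaae-a1e6-4c8c-b384-d16898956e73
  date: '2025-01-28'
  escu_version: 5.0.0
  migration_guide: https://docs.splunk.com/Documentation/ESCU/5.0.0/user/DeprecatedAnalytics
  reason: Detections updated to use the new search logic and field names due to the
    TA update
- deprecated_name: Example Broken Entry
  deprecated_id: not-a-uuid
  replacement_id: 00000000-0000-0000-0000-000000000000
  date: '2025-13-01'
  escu_version: 5.0.0
"""

# Constructed: ids of detections that exist in a hypothetical content repo.
KNOWN_DETECTION_IDS = {"826dbaae-a1e6-4c8c-b384-d16898956e73"}

REQUIRED = ("deprecated_name", "deprecated_id", "replacement_name", "replacement_id",
            "date", "escu_version", "migration_guide", "reason")

# '- key: value' starts a new mapping; 'key: value' adds to the current one.
_KV = re.compile(r"^(-\s+)?([A-Za-z_]+):\s*(.*)$")


def parse_mapping(text):
    """Parse the flat list-of-mappings subset of YAML used by the mapping file.

    Supports '- key: value', '  key: value' and indented continuation lines of a
    plain scalar (folded with a space, as YAML does). A continuation line that
    itself looks like 'word: text' is outside this subset and would be misread.
    """
    entries, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            if m.group(1):            # leading '- ': a new list item
                current = {}
                entries.append(current)
            if current is None:
                raise ValueError(f"key/value before first list item: {line!r}")
            last_key = m.group(2)
            current[last_key] = m.group(3).strip().strip("'\"")
        elif current is not None and last_key is not None:
            current[last_key] = (current[last_key] + " " + line).strip()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return entries


def _is_uuid(value):
    """True only for a canonical lowercase hyphenated UUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def validate_entry(entry, known_ids):
    """Return a list of problems for one mapping entry (empty list means OK)."""
    problems = [f"missing {k}" for k in REQUIRED if not entry.get(k)]
    for key in ("deprecated_id", "replacement_id"):
        if key in entry and not _is_uuid(entry[key]):
            problems.append(f"{key} is not a UUID")
    dep, rep = entry.get("deprecated_id", ""), entry.get("replacement_id", "")
    if _is_uuid(dep) and dep == rep:
        problems.append("deprecated_id equals replacement_id")
    if rep and rep not in known_ids:
        problems.append(f"replacement_id {rep} does not match any known detection")
    try:
        date.fromisoformat(entry.get("date", ""))
    except ValueError:
        problems.append("date is not YYYY-MM-DD")
    if not re.fullmatch(r"\d+\.\d+\.\d+", entry.get("escu_version", "")):
        problems.append("escu_version is not MAJOR.MINOR.PATCH")
    return problems


def validate_mapping(text, known_ids):
    """Map deprecated_name -> problems for every entry that has any."""
    report = {}
    for entry in parse_mapping(text):
        problems = validate_entry(entry, known_ids)
        if problems:
            report[entry.get("deprecated_name", "<unnamed>")] = problems
    return report


if __name__ == "__main__":
    for name, problems in validate_mapping(SAMPLE_MAPPING, KNOWN_DETECTION_IDS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Run it as a script to see the report for the broken entry; wiring `validate_mapping` into CI with the real set of detection ids is what turns a dangling `replacement_id` into a failed build rather than a broken link in the migration guide.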
@pyth0n1c (Collaborator) commented Feb 1, 2025

I have moved the deprecation information into each relevant YML file itself in line with some proposed contentctl updates.
I find this makes organization, parsing, etc. much easier and more intuitive and explicit rather than keeping a separate file with mapping information.

Note that the following detections in the deprecated detections folder are still missing deprecation information in the YML and, as such, have not yet had their YMLs updated:

https://github.com/splunk/security_content/blob/deprecated_mapping/detections/deprecated/excel_spawning_windows_script_host.yml
https://github.com/splunk/security_content/blob/deprecated_mapping/detections/deprecated/windows_service_stop_via_net__and_sc_application.yml

We also lack deprecation information at this time for:

  • Baselines
  • Analytic Stories
  • Investigations

…ty_content into deprecated_mapping
pyth0n1c and others added 3 commits February 14, 2025 10:10
that was previously added to detections
develop branch
@patel-bhavin patel-bhavin added the WIP DO NOT MERGE Work in Progress label Feb 18, 2025
@josehelps josehelps added this to the v5.2.0 milestone Feb 20, 2025
pyth0n1c and others added 2 commits February 24, 2025 16:54