ESCU 6 Manual Migrations #4088

Merged: ljstella merged 17 commits into escu_6 from escu6_manual_review on May 21, 2026

Conversation

@ljstella (Contributor) commented May 19, 2026

Working through rba_upgrade_tracking.json

done so far:

  • "Correlation" type searches that did not have entities
  • "Multiple non-user entities but no user entities"
  • Unbalanced $ in risk message
  • Multiple user-type entities
  • Messages missing a $ or not referencing a field
  • Baselines (see below)
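The risk-message problems listed above (unbalanced `$`, messages that reference no field, or that reference a field the search does not produce) can be caught mechanically. The following is an added example written for this page, not code from the PR or from contentctl; it assumes the `$field$` placeholder convention for risk messages, treats the fields named in a search's last `| table` or `| fields` clause as the fields the search produces, and runs over constructed sample detections.

```python
import re
from typing import Dict, List, Set

# Assumed convention: a risk message references search fields as $field$,
# e.g. "User $user$ ran $process_name$ on $dest$".
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def fields_from_search(spl: str) -> Set[str]:
    """Rough approximation: fields named in the last '| table' or '| fields' clause."""
    for segment in reversed(spl.split("|")):
        tokens = segment.split()
        if tokens and tokens[0] in ("table", "fields"):
            return {t.strip(",") for t in tokens[1:] if t not in ("-", "+")}
    return set()


def check_risk_message(message: str, search_fields: Set[str]) -> List[str]:
    """Return findings for one risk message; an empty list means it is clean."""
    findings = []
    if message.count("$") % 2 != 0:
        findings.append("unbalanced $ in risk message")
    refs = PLACEHOLDER.findall(message)
    if not refs:
        findings.append("message references no field")
    for ref in refs:
        if ref not in search_fields:
            findings.append(f"placeholder ${ref}$ is not a field produced by the search")
    return findings


def audit(detections: List[dict]) -> Dict[str, List[str]]:
    """Map each detection name to its findings, omitting detections with none."""
    report = {}
    for det in detections:
        findings = check_risk_message(det["risk_message"], fields_from_search(det["search"]))
        if findings:
            report[det["name"]] = findings
    return report


# Constructed sample detections (hypothetical; not content from the PR).
SAMPLE_DETECTIONS = [
    {"name": "ok_detection", "search": "index=main | stats count by user dest | table user, dest, count",
     "risk_message": "User $user$ triggered activity on $dest$"},
    {"name": "unbalanced", "search": "index=main | table user dest",
     "risk_message": "User $user triggered activity on $dest$"},
    {"name": "no_field", "search": "index=main | table user dest",
     "risk_message": "Suspicious activity observed"},
    {"name": "wrong_field", "search": "index=main | table user dest",
     "risk_message": "Process $process_name$ seen on $dest$"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DETECTIONS).items():
        print(name, "->", "; ".join(findings))
```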

@ljstella ljstella changed the title Escu6 manual review ESCU 6 Manual Migrations May 19, 2026
@ljstella (Contributor, Author) commented:

Baselines:

baselines/dnstwist_domain_names.yml <- flagged because it previously listed a detection that used it, but that detection doesn't exist. However, there are other detections that use it, so it has to stay for now.

modified: baselines/baseline_of_network_acl_activity_by_arn.yml <- dangling
modified: baselines/baseline_of_security_group_activity_by_arn.yml <- dangling
modified: baselines/create_a_list_of_approved_aws_service_accounts.yml <- dangling
modified: baselines/discover_dns_records.yml <- dangling
modified: baselines/previously_seen_command_line_arguments.yml <- dangling

As far as I can tell, these others are "dangling" - they are no longer referenced by any existing detections. Not easy to tell if other folks are still using them for their own purposes, but I'd suggest we follow up post 6.0 launch and mark these for removal.

@ljstella (Contributor, Author) commented:

contentctl-ng build now successfully builds a package!

@ljstella ljstella marked this pull request as ready for review May 19, 2026 16:24
Review comment threads opened on:

  • detections/application/okta_risk_threshold_exceeded.yml (outdated)
  • detections/cloud/aws_s3_exfiltration_behavior_identified.yml (outdated)
  • detections/cloud/azure_ad_privileged_role_assigned.yml
  • detections/cloud/o365_bec_email_hiding_rule_created.yml (outdated)
  • detections/web/monitor_web_traffic_for_brand_abuse.yml (outdated)
ljstella and others added 2 commits May 19, 2026 14:21
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Review comment thread opened on detections/cloud/o365_email_access_by_security_administrator.yml
ljstella and others added 5 commits May 19, 2026 14:25

Commit message (truncated in the page):

…tions

in playbooks that were previously unvalidated.
Add a MANUAL_REVIEW section, which is commented out,
for clarity and to allow CICD to run and pass on this content.
Renamed an existing playbook because it diverges from the name
of that playbook elsewhere.
@pyth0n1c (Collaborator) left a comment:

Thanks Lou! All these changes look great!
This has my approval from the SCE Side!

I have also committed updated schemas/ myself. These were updated since the MANUAL_REVIEW content now parses correctly, which means they make it into the enums that make up the schema files.

@ljstella ljstella merged commit bd1b475 into escu_6 May 21, 2026
3 of 6 checks passed
@ljstella ljstella deleted the escu6_manual_review branch May 21, 2026 15:09