Alert when ESCU updates detections

This query can set up an alert for when ESCU updates a detection, compared to the version you are using from clone. This requires ESCU v4.31.0 with the new metadata information being used.

| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches 
| search action.notable.param.rule_title=* action.correlationsearch.metadata=* disabled=0
| rex field=action.correlationsearch.metadata "\"detection_id\": \"(?P<detection_id>.{8}-.{4}-.{4}-.{4}-.{12})" 
| rex field=action.correlationsearch.metadata "\"detection_version\": \"(?P<detection_version>.+)\"" 
| rename action.correlationsearch.label AS title, eai:acl.app AS app 
| table title app detection_version detection_id 
| eval appVersion = app. ":" .detection_version
| stats values(*) AS * by detection_id 
| search app = "DA-ESS-ContentUpdate" 
| where mvcount(detection_version) > 1 
| eval escuSearch = mvindex(title, mvfind(title, "^ESCU"), mvfind(title, "^ESCU"))
| eval customSearch = (mvindex(title, mvfind(title, "[^ESCU]"), mvfind(title, "[^ESCU]")))
| table escuSearch customSearch appVersion
| eval _time = now() 
| stats values(_time) AS _time values(*) AS *

This alert, and other helpful information related to implementing ESCU can be found in the ESCU Companion App : https://splunkbase.splunk.com/app/7356

Splunk Query Repository

Alert when ESCU updates detections

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Alert when ESCU updates detections

Related Queries

Correlation Search Audit Search

Query to see incidents logged by correlation search in ES incident review dashboard

Detect Credit Card Numbers using Luhn Algorithm

Leave A Comment? Click here to cancel reply.