Re: Bulk update ESCU detections

cseiler-gmp

Is there a way to bulk update enabled ESCU detections when a new version with a lot of metadata changes like the MITRE changes in 5.27 are released? (This is with version detection enabled, ES version 8.3.0)

livehybrid

Hi @cseiler-gmp

How are you currently managing your ESCU rules? Do you just enable the ones that come with ESCU or are you cloning them and then enabling them?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

cseiler-gmp

Currently just enabling them via Enterprise Security Content Management UI, not cloning them out unless we have a very specific logic change that would need to be made for our environment. The searches are still knowledge objects owned by ESCU.

Bulk update ESCU detections

correlation search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation