Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ES Content Updates for Critical Infrastructure

mooredaCIP
Engager
‎04-08-2025 08:14 AM

Good day. I work in a heavily regulated critical infrastructure environment. Our compliance change management requires us to consider baseline changes in a server system. Do Content Updates alter the baseline for the Splunk server onsite? We do not use cloud. Are there hash values that are checked when pushing the updates? We need to have the updates but I can't just open a whole change management process each time this has to be updated. I need assurance that critical infrastructure is considered in ES content updates. Thanks in advance. 

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-08-2025 08:21 AM

Hi @mooredaCIP 

If you are referring to the underlying Splunk server software itself, then No. Splunk ESCU only contains knowledge objects (configuration) and does not change any binaries relating to Splunk server.

In relation to the contents within ESCU which get updated - the version updates could modify content within the ESCU app in the "default" folder, so any changes or modifications to ESCU content applied in Enterprise Security will not be affected - as these changes are applied to the local directory which should not be affected by an update.

Generally when utilising Splunk ESCU you would clone a detection which would mean you take a copy of the ESCU knowledge object *at that point in time* - so again, these cloned searches would not be affected.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

 

Reply

mooredaCIP
Engager
‎04-08-2025 08:23 AM

Great answer. Thank you. Yeah, CIP is such a pain in the butt but needed. 

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...