5.4 ‐ Deprecated Detections
Detections under the deprecated folder are treated a bit differently, below is a list of things that happen to them specifically:
-
doc_gen.pywill no longer include deprecated detections on Splunk Docs. - The correlation search label is updated to
ESCU - Deprecated -<search_name> - Rule - research.splunk.com shows a deprecation WARNING
- The following note is added to the beginning of the description of the deprecated detection:
WARNING, this detection has been marked deprecated by the Splunk Threat Research team, which means that it will no longer be maintained or supported. If you have any questions feel free to email us at: [email protected].*
- Note the detections are still included on the ESCU package
- The attack or analytic is no longer relevant.
- STRT builds a better approach to the analytic.
- Uses a data source or TA no longer supported.
- When a data source becomes CIM compliant, we deprecate the _raw source type searches and convert them into a data model based search.
- If we get enough bug reports and it does not make sense to maintain or meet our bar for quality