The ESCU Companion App is your ally in the fight to implement Splunk ES Content Updates (ESCU) in your organization. The common approach to using the Splunk Threat Research Team's more than 1600 detections is to clone each one you want to use, but once a detection is cloned, how do you check whether a later ESCU release has updated it so you can take advantage of improved detection logic or bug fixes? That is where the ESCU Companion App comes in. Using new features provided by ES 8.0 (but also functional in ES 7.0), the Splunk Threat Research Team has added metadata fields to the ESCU project. The ESCU Companion App uses those metadata fields in a few simple dashboards so you can monitor your cloned detections and see which of them need to be updated. It also ships with a preconfigured alert that you can schedule and extend with actions such as email or custom actions (Ansible playbooks, SOAR automation, etc.) to notify you or take action as soon as a cloned search is detected as being a different version than the current ESCU version. This app is released in conjunction with the Splunk .conf24 talk "SEC1961 - From Dolly to Detection: Operationalizing ESCU Without Cloning Around!" by Brandon Sternfield, Optiv + ClearShark.