From 1eaa1a12d241f5d81fe2c78ab6686a6b30c7e06f Mon Sep 17 00:00:00 2001 From: research bot Date: Wed, 4 Mar 2026 19:11:57 +0000 Subject: [PATCH 1/4] chore: bump contentctl.yml to 5.24.0 --- contentctl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contentctl.yml b/contentctl.yml index 10c28bd95b..55e7acbc92 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -3,7 +3,7 @@ app: uid: 3449 title: ES Content Updates appid: DA-ESS-ContentUpdate - version: 5.23.0 + version: 5.24.0 description: Explore the Analytic Stories included with ES Content Updates. prefix: ESCU label: ESCU From 54403179666723f33a7309f26862363c96f57ece Mon Sep 17 00:00:00 2001 From: ljstella Date: Thu, 5 Mar 2026 09:12:44 -0500 Subject: [PATCH 2/4] Removed detection for v5.24.0 --- .../linux_apt_get_privilege_escalation.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename detections/{deprecated => endpoint}/linux_apt_get_privilege_escalation.yml (100%) diff --git a/detections/deprecated/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml similarity index 100% rename from detections/deprecated/linux_apt_get_privilege_escalation.yml rename to detections/endpoint/linux_apt_get_privilege_escalation.yml From 8f80f086b3a514fc0985ebdc5c6ba2f0b59cf1dd Mon Sep 17 00:00:00 2001 From: ljstella Date: Thu, 5 Mar 2026 09:15:43 -0500 Subject: [PATCH 3/4] Actually remove the detection --- .../detections}/linux_apt_get_privilege_escalation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename {detections/endpoint => removed/detections}/linux_apt_get_privilege_escalation.yml (99%) diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/removed/detections/linux_apt_get_privilege_escalation.yml similarity index 99% rename from detections/endpoint/linux_apt_get_privilege_escalation.yml rename to removed/detections/linux_apt_get_privilege_escalation.yml index 23144f3d9e..6b682ef683 100644 
--- a/detections/endpoint/linux_apt_get_privilege_escalation.yml +++ b/removed/detections/linux_apt_get_privilege_escalation.yml @@ -3,7 +3,7 @@ id: d870ce3b-e796-402f-b2af-cab4da1223f2 version: 11 date: '2026-02-10' author: Gowthamaraj Rajendran, Bhavin Patel, Splunk -status: deprecated +status: removed type: Anomaly description: The following analytic detects the execution of the 'apt-get' command with elevated privileges using 'sudo' on a Linux system. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a user may be attempting to escalate privileges to root, which could lead to unauthorized system control. If confirmed malicious, an attacker could gain root access, allowing them to execute arbitrary commands, install or remove software, and potentially compromise the entire system. data_source: From ba6f9b948d7b89851d9e73b8895ee54ad1cc17f0 Mon Sep 17 00:00:00 2001 From: ljstella Date: Thu, 5 Mar 2026 12:28:06 -0500 Subject: [PATCH 4/4] Bumping requirements.txt --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index c6c17aa150..4fcf39f316 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -contentctl==5.5.15 +contentctl==5.5.16
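Review bot: In patch 2/4 (the rename of detections/deprecated/linux_apt_get_privilege_escalation.yml to detections/endpoint/, 100% similarity), the commit subject "Removed detection for v5.24.0" does not match what the hunk does: the file is moved back into the active detections/endpoint/ directory with its `status: deprecated` untouched, and only patch 3/4 ("Actually remove the detection") moves it to removed/detections/. Squash 2/4 into 3/4 so that no commit in the series has a deprecated-status detection sitting under detections/endpoint/ and so the history does not look like a deprecation was reverted.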
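Review bot: In patch 3/4, the hunk flips `-status: deprecated` / `+status: removed` for id d870ce3b-e796-402f-b2af-cab4da1223f2 but leaves `version: 11` and `date: '2026-02-10'` as they were; if the project convention is to bump version and date on any change to a detection file, update both here. Neither the commit message nor the file records why this analytic is being removed (the description still reads as a live detection for `sudo apt-get` use), so add a one-line rationale in the commit message, and in the file if the removed/ layout supports it, so that consumers who had this Anomaly search enabled know what to replace it with.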
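Review bot: In patch 4/4, the `-contentctl==5.5.15` / `+contentctl==5.5.16` pin bump in requirements.txt comes with a commit message ("Bumping requirements.txt") that states no reason; if the new version is needed to build with the `status: removed` file under removed/detections/ introduced in patch 3/4, say so in the message, and otherwise consider whether it belongs in this series at all rather than in its own dependency-update change alongside the `version: 5.24.0` bump in contentctl.yml from patch 1/4.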