Issue - 3901 (#3905)

* cosolidation of detections

* updating test

Author: patel-bhavin

…t/linux_apt_get_privilege_escalation.yml …d/linux_apt_get_privilege_escalation.ymldetections/endpoint/linux_apt_get_privilege_escalation.yml renamed to detections/deprecated/linux_apt_get_privilege_escalation.yml detections/endpoint/linux_apt_get_privilege_escalation.yml renamed to detections/deprecated/linux_apt_get_privilege_escalation.yml

@@ -1,9 +1,9 @@
 name: Linux apt-get Privilege Escalation
 id: d870ce3b-e796-402f-b2af-cab4da1223f2
-version: 10
-date: '2025-11-18'
+version: 11
+date: '2026-02-10'
 author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic detects the execution of the 'apt-get' command
   with elevated privileges using 'sudo' on a Linux system. It leverages data from

detections/endpoint/linux_apt_privilege_escalation.yml

@@ -1,11 +1,11 @@
 name: Linux APT Privilege Escalation
 id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88
-version: 9
-date: '2025-05-02'
-author: Gowthamaraj Rajendran, Splunk
+version: 10
+date: '2026-02-10'
+author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects the use of the Advanced Package Tool (APT)
+description: The following analytic detects the use of the Advanced Package Tool (APT) or apt-get
   with elevated privileges via sudo on Linux systems. It leverages Endpoint Detection
   and Response (EDR) telemetry to identify processes where APT commands are executed
   with sudo rights. This activity is significant because it indicates a user can run
@@ -15,6 +15,7 @@ description: The following analytic detects the use of the Advanced Package Tool
   security risk.
 data_source:
 - Sysmon for Linux EventID 1
+- Cisco Isovalent Process Exec
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process="*apt*" AND
   Processes.process="*APT::Update::Pre-Invoke::*" AND Processes.process="*sudo*" by
@@ -82,3 +83,8 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt/sysmon_linux.log
     source: Syslog:Linux-Sysmon/Operational
     sourcetype: sysmon:linux
+- name: True Positive Test - Cisco Isovalent
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/apt_get/cisco_isovalent.log
+    source: not_applicable
+    sourcetype: cisco:isovalent:processExec

removed/deprecation_mapping.YML

@@ -1,4 +1,9 @@
 detections:
+  - content: Linux apt-get Privilege Escalation
+    removed_in_version: 5.24.0
+    reason: Detection has been deprecated in favor of a more broad and generic logic that aims to reduce overhead and increase coverage.
+    replacement_content:
+      - Linux APT Privilege Escalation
   - content: HTTP Suspicious Tool User Agent
     removed_in_version: 5.22.0
     reason: Detection has been renamed for clarity