Skip to content

Releases: splunk/security_content

v4.38.0

16 Aug 00:15
@gowthamarajr gowthamarajr
v4.38.0
9f85603
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.38.0

Key highlights

Enterprise Security Content Update version 4.38.0 introduces new detections focusing on Windows Endpoints and Office365 with specific attention to identity and access management vulnerabilities. This version also includes detections to identify unusual NTLM authentication patterns. A number of new detections are included for Crowdstrike environments to identify weak password policies, detect duplicate passwords among users and administrators, assess identity risk with various severity levels, and detect privilege escalation attempts in non-administrative accounts. For Office 365 environments, this update includes detections to monitor cross-tenant access changes, external guest invitations, changes in external identity policies, and privileged role assignments. Finally, two new analytic stores are included for help detect Compromised Windows Hosts or activities linked to the Handala Wiper Malware.

New Analytic Story - [2]

Updated Analytic Story - [1]

New Analytics - [20]

Updated Analytics - [13]

Macros Added - [3]

  • crowdstrike_identities
  • crowdstrike_stream
  • ntlm_audit

Macros Updated - [1]

  • linux_hosts

Lookups Updated - [1]

  • privileged_azure_ad_roles

Other Updates

  • Added new data_source objects
  • Changes TA names in data sources to match the name in Splunk
  • Updated TA version to match the latest (new check in contentctl)
  • Add configuration file to Sysmon and Windows Event Code 4688
  • Update analytic story on detections for Handala Wiper

Contributors

nterl0k
Loading

v4.37.0

31 Jul 18:30
@patel-bhavin patel-bhavin
v4.37.0
891ebbe
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.37.0

Key Highlights

Enterprise Security Content Updates version 4.37.0 introduces new detections focused on emerging threats like AcidPour, Gozi Malware, and ShrinkLocker. These analytics identify sophisticated techniques used by these malware families to compromise Windows environments, primarily through registry modifications. The update includes detections for attempts to configure BitLocker, delete firewall rules, disable Remote Desktop Protocol (RDP), alter Smart Card Group Policy, modify firewall rules, and change Outlook WebView settings. By monitoring these critical registry changes, security teams can more effectively identify potential compromises and swiftly mitigate risks associated with these advanced malware variants.We have also published a detailed blog on Acid Pour Wiper Malware and the various TTPs used by this wiper malware.

This release also contains detections for identifying exploitation of the following vulnerabilities:

  • CVE-2024-5806, published by Progress Software, describes an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass.
  • CVE-2024-29824, published by ZDI and Ivanti, concerns an enterprise endpoint management solution and describes a SQL injection resulting in remote code execution with a CVSS score of 9.8.
  • CVE-2024-37085, published by Broadcom, impacts VMware ESXi hypervisors. Successful exploitation of this flaw allows attackers with sufficient Active Directory permissions to gain full access to an ESXi host configured to use AD for user management by re-creating the default 'ESXi Admins' group after it has been deleted from Active Directory.

New Analytic Story - [6]

New Analytics - [16]

Updated Analytics - [11]

Macros Added - [2]

  • moveit_sftp_logs
  • remote_access_software_usage_exceptions

Lookups Added - [1]

  • remote_access_software_exceptions

Lookups Updated - [4]

  • lolbas_file_path
  • privileged_azure_ad_roles
  • remote_access_software
  • splunk_risky_command

Other Updates

  • Remove usage_searches.conf from the ESCU app
  • Update the yaml file structure for data_sources objects
  • Remove dev/ directory from Github repo as we do not actively maintain Sigma supported detections in this directory
  • Removed ransomware_extensions.csv from the repo and replaced it with an updated lookup - ransomware_extensions_20231219.csv
  • Removed ransomware_notes.csv from the repo and replaced it with an updated lookup - ransomware_notes_20231219.csv
  • Removed privileged_azure_ad_roles.csv from the repo and replaced it with an updated lookup - privileged_azure_ad_roles20240729.csv
  • Removed remote_access_software.csv from the repo and replaced it with an updated lookup - remote_access_software20240726.csv

Contributors

TheLawsOfChaos, nterl0k, and 2 other contributors
Loading

v4.36.0

17 Jul 23:06
@patel-bhavin patel-bhavin
v4.36.0
16885f0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.36.0

Key highlights

Enterprise Security Content Updates version 4.36.0 introduces a comprehensive suite of new detections related to Sneaky Active Directory Persistence Tricks. These detections are designed to identify and alert on subtle techniques used by attackers to maintain unauthorized access within Active Directory environments. The update includes analytics for detecting distributed and localized password spray attempts, identifying internal horizontal and vertical port scans, and alerting on Windows AD self-group additions.

Additionally, this release incorporates detections for monitoring increases in group/object modification activity, tracking unusual spikes in user modification activity, detecting suspicious Windows network share interactions, and identifying installations of known vulnerable drivers. These new capabilities significantly enhance an organization's ability to spot and respond to sophisticated persistence techniques in Active Directory, improving overall security posture against advanced persistent threats.

ESCU 4.36.0

###Total New and Updated Content: [10]

New Analytics - [10]

Other Updates

  • Added new data_source objects
Loading

v4.35.0

01 Jul 18:38
@patel-bhavin patel-bhavin
v4.35.0
fb7346f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.35.0

Key Highlights

  • Enterprise Security Content Updates version 4.35.0 contains 11 new analytics and 6 updated analytics that are specifically crafted to detect the Splunk Security Advisories that were published on July 1st, 2024 for Splunk Enterprise 9.2.2, 9.1.5, 9.0.10 and Splunk Cloud. These Splunk Enterprise updates address several critical vulnerabilities, including multiple instances of persistent cross-site scripting (XSS) in various endpoints, remote code execution (RCE) exploits, and denial of service (DoS) vulnerabilities. Additionally, in this ESCU build we have updated the analytics for detecting information disclosure of user names, path traversal, insecure file uploads, and risky command safeguards bypasses, ensuring a more secure environment for Splunk Enterprise users. Please refer to https://advisory.splunk.com/ for specific details about the vulnerabilities.

Total New and Updated Content: [19]

New Analytic Story - [0]

Updated Analytic Story - [0]

New Analytics - [11]

Updated Analytics - [6]

Macros Added - [1]

  • splunkd_webs

Macros Updated - [0]

Lookups Added - [0]

Lookups Updated - [1]

  • splunk_risky_command

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [0]

Other Updates

  • Updated the ESCU Summary Dashboard to link directly to the Enterprise Security Use Case Library.

Full Changelog: v4.34.0...v4.35.0

Loading

v4.34.0

26 Jun 23:57
@ljstella ljstella
v4.34.0
3e64dfb
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.34.0

Release notes for ESCU release_v4.34.0

Total New and Updated Content: [1256]

New Analytic Story - [1]

Updated Analytic Story - [0]

New Analytics - [2]

Updated Analytics - [1238]

Over 1200+ descriptions updated.

Macros Added - [3]

  • fillnull_config
  • oldsummaries_config
  • summariesonly_config

Macros Updated - [2]

  • prohibited_softwares
  • security_content_summariesonly

Updated the security_content_summariesonly macro to use macros for each of the configuration settings that were previously hardcoded. There's no change in the values of those macros and the previous configuration of the security_content_summariesonly macro

Lookups Added - [0]

Lookups Updated - [0]

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [10]

Other Updates

  • Updated descriptions and _filter macro for several analytics to have a consistent standard and formatting.
  • Updated distsearch.conf to remove bias language.
  • Updated testing to run against the official Splunk Sysmon for Linux Add-on.

Full Changelog: v4.33.0...v4.34.0

Loading

v4.33.0

06 Jun 18:09
@patel-bhavin patel-bhavin
v4.33.0
8f253cd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.33.0

Key highlights

Enterprise Security Content Updates version 4.33.0 adds a new detection, CrushFTP Server Side Template Injection. This detection highlights any attempts to exploit CVE-2024-4040, a critical vulnerability that allows unauthenticated remote attackers to run arbitrary code and bypass authentication in CrushFTP versions before 10.7.1 and 11.1.0.

Additionally, this release includes updates to the detection logic of some analytics that use lookups. This includes changing the order of operations in the SPL so that the lookup command is run after the stats command. Thus, in a distributed environment, lookups don't need to be replicated and the search performance improves slightly in all environments because it involves looking up values for fewer events.

New Analytic Story - [1]

New Analytics - [1]

Updated Analytics - [12]

Other Updates

  • Updated descriptions for 80+ analytics to have a consistent standard and formatting.
Loading

v4.32.0

22 May 20:00
@gowthamarajr gowthamarajr
v4.32.0
bb3788d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.32.0

What's new

Enterprise Security Content Updates v4.32.0 was released on May 22, 2024. It includes the following enhancements:

Key highlights

Splunk Threat Research team has added 6 new detections and updated 6 existing detection analytics focused on AWS, leveraging the Open Cybersecurity Schema Framework (OCSF) to support the recent GA release of Amazon Security Lake (ASL) and the Splunk Add-On for Amazon Web Services. Additionally, Enterprise Security Content Updates v4.32.0 updated 6 analytics based on testing on real-world data to enhance accuracy and effectiveness in identifying suspicious activities and potential threats.

Enterprise Security Content Updates v4.32.0 detects critical security events such as attempts to disable or modify CloudTrail logging, unauthorized container uploads to Amazon ECR, and suspicious IAM group deletions, ensuring comprehensive monitoring and rapid response to potential threats.

This release also introduced a new object called data_sources for each detection to improve mapping by associating detections with their corresponding Splunkbase TAs, sample events. In addition, this release lists fields extracted in the raw data.

New analytics

Updated Analytics

Macros added

aws_ecr_users_asl

Macros updated

amazon_security_lake

Deprecated detection

Windows DLL Search Order Hijacking Hunt

Other updates

  • Updates to several reference links that were no longer working.
  • Added dist/ files to .gitignore and added them back in the release.yml CI job to keep generated dist/ files up to date.
  • Added a new yml object called data_sources with information of each data source leveraged by the detection search.
Loading

v4.31.1

15 May 16:38
@patel-bhavin patel-bhavin
v4.31.1
1771534
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.31.1

Release notes

  • Splunk btool throws errors on es_investigations.conf and a few stanzas in savedsearches.conf due to spacing issues. Contentctl v4.0.2 fixes this issue. We have updated the tooling to remove these whitespaces that were introduced with contentctl 4.0 in previous release ESCU 4.31.0

Contentctl Fix : splunk/contentctl#143

Loading

v4.31.0

08 May 17:23
@patel-bhavin patel-bhavin
v4.31.0
59e85b0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.31.0
New Analytic Story
Updated Analytic Story
New Analytics
Updated Analytics
Deprecated Analytics
Other Updates
  • Updated risk and threat related configurations for several detections
  • Added Victims to missing detections to create correct risk_objects
  • Converted the following Windows detections to leverage the XML log format:
    • kerberos_user_enumeration.yml
    • known_services_killed_by_ransomware.yml
    • malicious_powershell_executed_as_a_service.yml
    • non_chrome_process_accessing_chrome_default_dir.yml
    • non_firefox_process_access_firefox_profile_dir.yml
    • print_processor_registry_autostart.yml
    • suspicious_computer_account_name_change.yml
    • suspicious_event_log_service_behavior.yml
    • suspicious_kerberos_service_ticket_request.yml
    • suspicious_ticket_granting_ticket_request.yml
    • svchost_lolbas_execution_process_spawn.yml
    • windows_computer_account_requesting_kerberos_ticket.yml
    • windows_event_for_service_disabled.yml
    • windows_excessive_disabled_services_event.yml
    • windows_get_adcomputer_unconstrained_delegation_discovery.yml
    • windows_kerberos_local_successful_logon.yml
    • windows_krbrelayup_service_creation.yml
    • windows_powerview_constrained_delegation_discovery.yml
    • windows_powerview_unconstrained_delegation_discovery.yml
    • windows_rdp_connection_successful.yml
    • windows_service_created_with_suspicious_service_path.yml
    • windows_service_created_within_public_path.yml
    • winevent_scheduled_task_created_to_spawn_shell.yml
    • winevent_scheduled_task_created_within_public_path.yml
    • winevent_windows_task_scheduler_event_action_started.yml

Upcoming Changes

IMPORTANT NOTE : In the upcoming v4.34.0 release, changes will be made to the security_content_summariesonly macro. Its current definition will change to wrap the existing values into another set of macros. This will allow each environment to customize each setting without changing the base macro. If this macro has already been modified in your environment, it will not be affected.

Loading

v4.30.0

17 Apr 22:55
@gowthamarajr gowthamarajr
v4.30.0
afe7cb8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v4.30.0

Release notes

New Analytics Story

Updated Analytics Story

New Analytics

Updated Analytics

Macros Added

  • applocker
  • zscaler_proxy

Macros Updated

  • okta

Lookups Added

  • applockereventcodes

Other Updates

  • Added a new dashboard ESCU - AppLocker, Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events for your endpoints (Splunk Enterprise 9.x.x version and above only)

Contributors

nterl0k
Loading