What's new
Enterprise Security Content Updates v3.52.0 was released on November 2, 2022. It includes the following enhancements.
New analytic story
- CVE-2022-40684 Fortinet Appliance Auth bypass
- GCP Account Takeover
- Qakbot
- Text4Shell CVE-2022-42889
Updated analytic story
- Splunk Vulnerabilities
New analytics
- Exploit Public Facing Application via Apache Commons Text
- Fortinet Appliance Auth Bypass
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Multiple Failed MFA Requests for User
- GCP Multiple Users Failing to Authenticate from Ip
- GCP Successful Single-Factor Authentication
- GCP Unusual Number of Failed Authentications from Ip
- Splunk Code Injection via Custom Dashboard Leading to RCE
- Splunk Data exfiltration from Analytics Workspace Using Sid Query
- Splunk RCE via Splunk Secure Gateway Splunk Mobile Alerts Feature
- Splunk Reflected XSS in the Templates Lists Radio
- Splunk Stored XSS via Data Model objectName Field
- Splunk XSS in Save Table Dialog Header in Search Page
- Windows App Layer Protocol Wermgr Connect to NamedPipe
- Windows Command Shell Fetch Env Variables
- Windows DLL Side-Loading in Calc
- Windows DLL Side-Loading Process Child of Calc
- Windows Masquerading Explorer as Child Process
- Windows Modify Registry Qakbot Binary Data Registry
- Windows Process Injection of Wermgr to Known Browser
- Windows Process Injection Remote Thread
- Windows Process Injection Wermgr Child Process
- Windows Regsvr32 Renamed Binary
- Windows System Discovery Using ldap Nslookup
- Windows System Discovery Using Qwinsta
- Windows WMI Impersonate Token
Other updates
- Added a tag called data_schema that has the version used for CIM/OCSF
This documentation applies to the following versions of Splunk® Security Content: 3.52.0