What's new
Enterprise Security Content Update v4.43.0 was released on November 13, 2024 and includes the following enhancements:
Key highlights
- Critical alerts: This release introduces a new analytic that detects critical alerts raised by various security tools, improving the ability to identify and respond quickly to high-priority threats originating from those vendors. The analytic helps ensure prompt visibility and action on critical security events, reduces the time attackers can remain undetected within an environment, and strengthens defenses across multiple security platforms from within Splunk. We have tested this detection against MS365 Defender Incident Alerts and Windows Defender Alerts logs, but it also works with alert logs from any vendor that map to the Alerts data model.
- Braodo Stealer: This analytic story introduces key detections that help identify malicious behaviors associated with information-stealing malware. The detections focus on indicators such as archived data stored in temporary folders, unauthorized access to credential stores and browser data, browser processes being disabled or stopped, and screen captures saved in temporary directories, providing enhanced visibility into potential data exfiltration tactics.
- Tooling updates: This release includes a new version of contentctl (v4.4.5) that helps with building, inspecting, and testing ESCU content:
  - Enhanced drilldowns: Two default drilldowns were added to all notable detections, enabling users to view detection results for specific risk objects and to access risk events from the past 7 days. This improves investigation workflows and response efficiency.
  - Version enforcement and data source testing: Version enforcement for detection content was enhanced so that search versions are updated automatically when the YAML changes. New data source testing was added for detections, ensuring compatibility when new TAs are available.
The Splunk Documentation and GitHub wiki are also updated to include the latest features shipped in the Enterprise Security Content Update (ESCU). This update provides detailed guidance on using and testing these detections with Splunk Enterprise Security.
New analytic story
- Braodo Stealer
Updated analytics
All TTP, Anomaly, and Correlation type detections have two drilldowns added to their YAML files.
New analytics
- Detect Critical Alerts from Security Tools
- High Volume of Bytes Out to Url
- Internal Horizontal Port Scan NMAP Top 20
- Plain HTTP POST Exfiltrated Data
- Windows Archived Collected Data In TEMP Folder
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Windows Credentials from Web Browsers Saved in TEMP Folder
- Windows Disable or Stop Browser Process
- Windows Screen Capture in TEMP folder
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 4.43.0