Splunk® Enterprise Security Content Update

Release Notes

What's new

Enterprise Security Content Update version 5.1.0 was released on February 24, 2025 and includes the following enhancements:

Key highlights

Enterprise Security Content Update version 5.1.0 adds four analytic stories, 41 detection analytics, and one new baseline. Following are high-level details of the new analytic stories in this release:

  • Remote Monitoring and Management Software Monitoring: A new analytic story for identifying unauthorized remote monitoring and management (RMM) tool usage, including installations of third-party RMM software such as AnyDesk and TeamViewer delivered through phishing or drive-by compromise.
  • AWS S3 Bucket Security Monitoring: A new analytic story that addresses S3 bucket misconfigurations and the hijacking of decommissioned buckets. Because S3 bucket names are global, a deleted bucket's name can be re-created by anyone in any AWS account, and clients that still reference the old name will fetch whatever the new owner serves. The story includes a baseline that records public S3 buckets before they are deleted, and detections that match DNS queries and web proxy requests against those bucket names to surface access attempts and likely hijacking, using AWS CloudTrail logs, DNS query logs, and web proxy data.
  • Security Solution Tampering: A new analytic story with detections for tampering with Cisco Secure Endpoint services, such as stopping related services and stopping or uninstalling the Immunet service or unblocking a file through the connector's own sfc command-line tool (not the Windows System File Checker). The detections cover techniques such as inhibiting system recovery and disabling or modifying security tools.
  • Windows Audit Policy Tampering: A new analytic story covering manipulation of Windows audit policy, which controls what the Security log records and therefore what is available for monitoring and forensic analysis. The detections cover auditpol.exe usage such as clearing, disabling, excluding, or restoring audit policy, disabling auditing options, changing the audit policy security descriptor, clearing the global object access audit list, the legacy auditpol /disable syntax, and audit policy changes made directly in the registry, so that an attempt to blind logging is itself logged.
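As an added illustration (not part of the content update and not its SPL searches), the following Python sketches the logic of the AWS S3 Bucket Security Monitoring story: build a baseline of buckets that were public before they were deleted from CloudTrail, then match DNS queries and proxied URLs against that baseline. The CloudTrail, DNS and proxy records are constructed and simplified; the field names src, query and url are assumptions, and the public-ACL and bucket-policy checks are reduced to the cases the baseline needs.

```python
import re
from urllib.parse import urlparse

# Constructed, simplified CloudTrail records. eventName / requestParameters.bucketName follow
# CloudTrail's field names; the policy/ACL shapes are reduced to what the baseline needs.
CLOUDTRAIL = [
    {"eventTime": "2025-01-10T08:00:00Z", "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "acme-public-assets"}},
    {"eventTime": "2025-01-10T08:01:00Z", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "acme-public-assets", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}}},
    {"eventTime": "2025-01-11T08:00:00Z", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "acme-live-site", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2025-01-12T09:00:00Z", "eventName": "CreateBucket",
     "requestParameters": {"bucketName": "acme-internal-logs"}},
    {"eventTime": "2025-02-01T10:00:00Z", "eventName": "DeleteBucket",
     "requestParameters": {"bucketName": "acme-public-assets"}},   # was public: goes in the baseline
    {"eventTime": "2025-02-01T10:05:00Z", "eventName": "DeleteBucket",
     "requestParameters": {"bucketName": "acme-internal-logs"}},   # never public: ignored
]

# Constructed DNS resolver and web proxy records; "src", "query" and "url" are assumed field names.
DNS_EVENTS = [
    {"src": "10.1.2.3", "query": "acme-public-assets.s3.amazonaws.com"},
    {"src": "10.1.2.4", "query": "acme-live-site.s3.us-east-1.amazonaws.com"},
    {"src": "10.1.2.5", "query": "acme-internal-logs.s3.amazonaws.com"},
]
PROXY_EVENTS = [
    {"src": "10.1.2.6", "url": "https://s3.eu-west-1.amazonaws.com/acme-public-assets/build/app.js"},
    {"src": "10.1.2.7", "url": "https://acme-live-site.s3.amazonaws.com/index.html"},
]


def _grants_public(params):
    """True if a PutBucketAcl/PutBucketPolicy request opened the bucket to everyone."""
    if any(a in ("public-read", "public-read-write") for a in params.get("x-amz-acl", [])):
        return True
    for stmt in params.get("bucketPolicy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            return True
    return False


def baseline_decommissioned_public_buckets(events):
    """Baseline: bucket names that were public at some point and were later deleted.

    A bucket that was public and then locked down before deletion is kept on purpose:
    third parties may have captured the name while it was public, and hijacking only
    requires the name to be free.
    """
    ever_public, decommissioned = set(), set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        params = ev["requestParameters"]
        name = params["bucketName"]
        if ev["eventName"] in ("PutBucketPolicy", "PutBucketAcl") and _grants_public(params):
            ever_public.add(name)
        elif ev["eventName"] == "DeleteBucket" and name in ever_public:
            decommissioned.add(name)
    return decommissioned


# Virtual-hosted style: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# <bucket>.s3-website-<region>.amazonaws.com. Path style: s3[.<region>].amazonaws.com/<bucket>/...
_VHOST = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
_PATH_HOST = re.compile(r"^s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")


def bucket_from_hostname(host):
    """Bucket name from a virtual-hosted-style S3 hostname, or None if it is not one."""
    m = _VHOST.match(host.lower().rstrip("."))
    return m.group("bucket") if m else None


def bucket_from_url(url):
    """Bucket name from a virtual-hosted-style or path-style S3 URL, or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    bucket = bucket_from_hostname(host)
    if bucket is None and _PATH_HOST.match(host):
        bucket = u.path.lstrip("/").split("/", 1)[0] or None
    return bucket


def detect_decommissioned_bucket_access(baseline, dns_events, proxy_events):
    """Alert on any DNS lookup or proxied request that names a decommissioned public bucket."""
    hits = []
    for ev in dns_events:
        bucket = bucket_from_hostname(ev["query"])
        if bucket in baseline:
            hits.append({"source": "dns", "src": ev["src"], "bucket": bucket, "observed": ev["query"]})
    for ev in proxy_events:
        bucket = bucket_from_url(ev["url"])
        if bucket in baseline:
            hits.append({"source": "proxy", "src": ev["src"], "bucket": bucket, "observed": ev["url"]})
    return hits


if __name__ == "__main__":
    baseline = baseline_decommissioned_public_buckets(CLOUDTRAIL)
    for hit in detect_decommissioned_bucket_access(baseline, DNS_EVENTS, PROXY_EVENTS):
        print(hit)
```

Run as-is to see the two hits (a DNS lookup and a path-style proxy request for acme-public-assets). The bucket that is still public and the bucket that was deleted but never public produce nothing, which is the distinction the baseline exists to make.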

In addition, external contributor @nterl0k contributed six new Office 365 detections and several Windows detections. The Office 365 detections cover changes to email transport rules, several data exfiltration methods (file access, file download, and file sync download), authentication from multiple operating system vendors for a single user, and suspicious SharePoint search behavior.
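As an added illustration of the Windows Audit Policy Tampering story above (example code, not the content update's own searches), the following Python classifies auditpol.exe command lines by the tampering behaviour they perform and runs that classifier over process-creation events. The events are constructed; the field names image, original_file_name and cmdline loosely follow Sysmon Event ID 1 and are assumptions, and the set of "important" subcategories is an illustrative subset (the shipped content keys this off a macro of subcategory GUIDs).

```python
import re

# Constructed process-creation events. Field names loosely follow Sysmon Event ID 1 /
# Security 4688 (Image, OriginalFileName, CommandLine) and are assumptions for this example.
EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": 'auditpol.exe /set /subcategory:"Process Creation" /success:disable /failure:disable'},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": "auditpol /clear /y"},
    {"host": "ws03", "user": r"CORP\admin", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": "auditpol /get /category:*"},                       # benign read-only use
    {"host": "ws04", "user": r"CORP\admin", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": r'auditpol /set /user:CORP\svc_backup /exclude /subcategory:"Logon" /success:enable'},
    {"host": "ws05", "user": r"CORP\jdoe", "image": r"C:\Users\Public\a.exe",     # renamed copy
     "original_file_name": "AUDITPOL.EXE", "cmdline": "a.exe /resourceSACL /clear /type:File"},
    {"host": "ws06", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": "auditpol /disable"},                                # legacy Resource Kit syntax
    {"host": "ws07", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\auditpol.exe",
     "cmdline": r"auditpol /restore /file:C:\Users\Public\pol.csv"},
    {"host": "ws08", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe /clear"},                               # not auditpol: ignored
]

# Illustrative subset of audit subcategories an attacker is most likely to silence; the shipped
# content keys this off a macro of subcategory GUIDs instead of names.
IMPORTANT_SUBCATEGORIES = {"process creation", "logon", "audit policy change",
                           "security system extension", "logoff", "process termination"}

# auditpol flags look like /name or /name:value, where value may be quoted.
# (A forward-slash path elsewhere on the command line would also be tokenised; acceptable here.)
_FLAG = re.compile(r'/(?P<name>[a-z]+)(?::(?P<val>"[^"]*"|\S+))?', re.I)


def parse_flags(cmdline):
    """Return the auditpol flags in a command line as a list of (name, value) in order."""
    return [(m.group("name").lower(), (m.group("val") or "").strip('"').lower())
            for m in _FLAG.finditer(cmdline)]


def classify_auditpol(cmdline):
    """Map an auditpol command line to the tampering behaviours it performs (empty = benign)."""
    flags = parse_flags(cmdline)
    names = {n for n, _ in flags}
    vals = dict(flags)
    tags = set()
    if "clear" in names:
        tags.add("global_object_access_list_cleared" if "resourcesacl" in names else "policy_cleared")
    if "restore" in names:
        tags.add("policy_restored")                  # replaces the whole policy from a file
    if "disable" in names and "set" not in names:
        tags.add("legacy_disable")                   # legacy Resource Kit auditpol: "auditpol /disable"
    if "set" in names:
        if vals.get("success") == "disable" or vals.get("failure") == "disable":
            tags.add("auditing_disabled")
            if (vals.get("subcategory") or vals.get("category")) in IMPORTANT_SUBCATEGORIES:
                tags.add("important_policy_disabled")
        if "option" in names and vals.get("value") == "disable":
            tags.add("auditing_option_disabled")     # e.g. /option:CrashOnAuditFail /value:disable
        if "user" in names and "exclude" in names:
            tags.add("user_excluded")                # per-user policy that exempts an account
        if "sd" in names:
            tags.add("security_descriptor_changed")  # /sd rewrites who may read or change the policy
    return tags


def _is_auditpol(ev):
    """Match on the image name, or on OriginalFileName so a renamed copy is still caught."""
    image_name = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    return image_name == "auditpol.exe" or ev.get("original_file_name", "").upper() == "AUDITPOL.EXE"


def scan_process_events(events):
    """Run the classifier over process-creation events and return one alert per tampering hit."""
    alerts = []
    for ev in events:
        if not _is_auditpol(ev):
            continue
        tags = classify_auditpol(ev["cmdline"])
        if tags:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "tags": sorted(tags), "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(EVENTS):
        print(alert)
```

The read-only "auditpol /get" invocation and the notepad.exe event produce no alert; the renamed copy on ws05 is still caught because the check also uses the original file name rather than the image path alone.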

New analytic stories

  1. Remote Monitoring and Management Software (External Contributor: @nterl0k)
  2. AWS S3 Bucket Security Monitoring
  3. Security Solution Tampering
  4. Windows Audit Policy Tampering

New analytics

  1. Cisco Secure Application Alerts
  2. Cisco AI Defense Security Alerts by Application Name
  3. Detect Web Access to Decommissioned S3 Bucket
  4. Detect DNS Query to Decommissioned S3 Bucket
  5. O365 Email Transport Rule Changed (External Contributor: @nterl0k)
  6. O365 Exfiltration via File Access (External Contributor: @nterl0k)
  7. O365 Exfiltration via File Download (External Contributor: @nterl0k)
  8. O365 Exfiltration via File Sync Download (External Contributor: @nterl0k)
  9. O365 Multiple OS Vendors Authenticating From User (External Contributor: @nterl0k)
  10. O365 SharePoint Suspicious Search Behavior (External Contributor: @nterl0k)
  11. Potential Telegram API Request Via CommandLine (External Contributor: @zake1god)
  12. Windows Audit Policy Auditing Option Disabled via Auditpol
  13. Windows Audit Policy Auditing Option Modified - Registry
  14. Windows Audit Policy Cleared via Auditpol
  15. Windows Audit Policy Disabled via Auditpol
  16. Windows Audit Policy Disabled via Legacy Auditpol
  17. Windows Audit Policy Excluded Category via Auditpol
  18. Windows Audit Policy Restored via Auditpol
  19. Windows Audit Policy Security Descriptor Tampering via Auditpol
  20. Windows BitLocker Suspicious Command Usage (External Contributor: @nterl0k)
  21. Windows Cisco Secure Endpoint Related Service Stopped
  22. Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
  23. Windows Cisco Secure Endpoint Unblock File Via Sfc
  24. Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
  25. Windows Compatibility Telemetry Suspicious Child Process (External Contributor: @nterl0k)
  26. Windows Compatibility Telemetry Tampering Through Registry (External Contributor: @nterl0k)
  27. Windows Event Logging Service Has Shutdown
  28. Windows Global Object Access Audit List Cleared Via Auditpol
  29. Windows Important Audit Policy Disabled
  30. Windows PowerShell Process With Malicious String (External Contributor: @nterl0k)
  31. Windows PowerShell Script Block With Malicious String (External Contributor: @nterl0k)
  32. Windows Process Executed From Removable Media (External Contributor: @nterl0k)
  33. Windows Process Execution in Temp Dir
  34. Windows Remote Desktop Network Bruteforce Attempt
  35. Windows Security And Backup Services Stop
  36. Windows Service Created with Suspicious Service Name
  37. Windows Suspicious Driver Loaded Path
  38. Windows Suspicious Process File Path
  39. Windows System Remote Discovery With Query
  40. Windows USBSTOR Registry Key Modification (External Contributor: @nterl0k)
  41. Windows WPDBusEnum Registry Key Modification (External Contributor: @nterl0k)

Macros added

  • important_audit_policy_subcategory_guids
  • normalized_service_binary_field
  • process_auditpol
  • windows_exchange_iis

Macros updated

  • ms_defender
  • powershell
  • printservice
  • remoteconnectionmanager
  • sysmon
  • wineventlog_application
  • wineventlog_rdp
  • wineventlog_security
  • wineventlog_system
  • wineventlog_task_scheduler
  • wmi

Lookups added

  • malicious_powershell_strings
  • windows_suspicious_services

Lookups updated

  • asr_rules
  • builtin_groups_lookup
  • dynamic_dns_providers_default
  • remote_access_software
  • security_services_lookup

Other updates

  • New baselines: Baseline Of Open S3 Bucket Decommissioning
  • Added a dropdown for dashboards to the navigation bar
Last modified on 24 February, 2025

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.1.0

