What's new
Enterprise Security Content Updates version 5.0.0 was released on December 4, 2024 and includes the following enhancements:
Key highlights
- A new Deprecation Assistant dashboard: This release introduces a Deprecation Assistant dashboard that identifies deprecated detection analytics that are still enabled in your Splunk environment and helps you manage them. Detections flagged as deprecated are scheduled for removal in ESCU version 5.2.0; if they are still enabled when that removal happens, they can disrupt your environment, so review them and switch to their replacements before upgrading. For the list of deprecated detections and their replacements, see Deprecated analytics.
- Analytic Story Onboarding Assistant: The redesigned home page offers direct access to release notes, analytics counts, and the latest version on Splunkbase, complemented by a timeline of STRT blogs and updates. It also hosts the Analytic Story Onboarding Assistant, a new preview feature that streamlines enabling several detections at once from the analytic stories for which data is available in your Splunk environment.
- New analytics: Threat detection coverage is expanded by mapping existing analytics to, and creating new detections for, a range of threats, including Backdoor Pingpong, Cleo File Transfer Software, Crypto Stealer, SDDL Tampering Defense Evasion, Derusbi, Earth Estries, Nexus APT Threat Activity, WinDealer RAT, and XorDDos. These detections are already available in Splunk Enterprise Security through the ESCU application update process built into the product, and in Splunk Security Essentials (SSE) through an API update.
New analytic stories
- Backdoor Pingpong
- Cleo File Transfer Software
- Crypto Stealer
- Defense Evasion or Unauthorized Access Via SDDL Tampering
- Derusbi
- Earth Estries
- Nexus APT Threat Activity
- WinDealer RAT
- XorDDos
New analytics
- ASL AWS Create Access Key
- ASL AWS Create Policy Version to allow all resources
- ASL AWS Credential Access GetPasswordData
- ASL AWS Credential Access RDS Password reset
- ASL AWS Defense Evasion PutBucketLifecycle
- ASL AWS Detect Users creating keys with encrypt policy without MFA
- ASL AWS Disable Bucket Versioning
- ASL AWS EC2 Snapshot Shared Externally
- ASL AWS IAM AccessDenied Discovery Events
- ASL AWS IAM Assume Role Policy Brute Force
- ASL AWS Network Access Control List Created with All Open Ports
- ASL AWS Network Access Control List Deleted
- ASL AWS SAML Update identity provider
- ASL AWS UpdateLoginProfile
- Account Discovery With Net App
- Attempt To Stop Security Service
- Azure AD AzureHound UserAgent Detected
- Azure AD Service Principal Enumeration
- Azure AD Service Principal Privilege Escalation
- Change Default File Association
- Cmdline Tool Not Executed In CMD Shell
- Create local admin accounts using net exe
- Deleting Of Net Users
- Detect Remote Access Software Usage Registry
- Detect processes used for System Network Configuration Discovery
- Disabling Net User Account
- Domain Account Discovery With Net App
- Domain Group Discovery With Net
- Elevated Group Discovery With Net
- Excessive Service Stop Attempt
- Excessive Usage Of Net App
- Extraction of Registry Hives
- Linux Auditd Find Private Keys
- Local Account Discovery with Net
- MSHTML Module Load in Office Product
- Microsoft Intune Device Health Scripts
- Microsoft Intune DeviceManagementConfigurationPolicies
- Microsoft Intune Manual Device Management
- Net Localgroup Discovery
- Network Connection Discovery With Net
- O365 Service Principal Privilege Escalation
- Office Document Creating Schedule Task
- Office Document Executing Macro Code
- Office Document Spawned Child Process To Download
- Office Product Spawn CMD Process
- Password Policy Discovery with Net
- Windows Account Access Removal via Logoff Exec
- Windows CertUtil Download With URL Argument
- Windows Command Shell Fetch Env Variables
- Windows DNS Query Request by Telegram Bot API
- Windows Detect Network Scanner Behavior
- Windows File and Directory Enable ReadOnly Permissions
- Windows File and Directory Permissions Enable Inheritance
- Windows File and Directory Permissions Remove Inheritance
- Windows Impair Defenses Disable Auto Logger Session
- Windows Lateral Tool Transfer RemCom
- Windows MSIExec With Network Connections
- Windows Modify Registry Reg Restore
- Windows Network Share Interaction With Net
- Windows New Custom Security Descriptor Set On EventLog Channel
- Windows New Deny Permission Set On Service SD Via Sc.EXE
- Windows New EventLog ChannelAccess Registry Value Set
- Windows New Service Security Descriptor Set Via Sc.EXE
- Windows Obfuscated Files or Information via RAR SFX
- Windows Office Product Dropped Cab or Inf File
- Windows Office Product Dropped Uncommon File
- Windows Office Product Spawned Control
- Windows Office Product Spawned MSDT
- Windows Office Product Spawned Rundll32 With No DLL
- Windows Office Product Spawned Uncommon Process
- Windows Powershell Logoff User via Quser
- Windows Process With NetExec Command Line Parameters
- Windows Query Registry Reg Save
- Windows Registry Dotnet ETW Disabled Via ENV Variable
- Windows Remote Management Execute Shell
- Windows ScManager Security Descriptor Tampering Via Sc.EXE
- Windows Service Execution RemCom
- Windows Service Stop Attempt
- Windows Service Stop Via Net and SC Application
- Windows Set Account Password Policy To Unlimited Via Net
- Windows SubInAcl Execution
- Windows Suspicious Child Process Spawned From WebServer
- Windows User Discovery Via Net
Other updates
Updates to the detection YAML configurations: validation is enhanced, accuracy and consistency are improved, and the observables key is replaced with an rba key to better align with Splunk Enterprise Security standards and simplify risk attribution.
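The observables-to-rba change described above, as an added illustration that is not taken from this page or from the ESCU repository. It shows the before and after shape of the risk-attribution keys in a detection YAML; the detection name, message and scores are constructed, and the key and field names follow the contentctl detection schema as the editor understands it, so treat them as assumptions and check them against the schema shipped with your ESCU 5.0.0 checkout.

```yaml
# Added illustration, not from the release notes or the ESCU repository.
# Key and field names are assumptions based on the contentctl detection schema;
# verify them against the schema in your ESCU 5.0.0 checkout.

# Before 5.0.0: risk attribution lived under tags. The page calls this the
# observables key; each entry named a field, a type and a role, and a single
# risk_score applied to every object.
name: Example Suspicious Child Process (constructed)
tags:
  message: Suspicious process $process_name$ spawned by $parent_process_name$ on $dest$ by $user$
  observables:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: parent_process_name
    type: Process
    role:
    - Attacker
  risk_score: 25
---
# From 5.0.0: a top-level rba key carries the risk message, the risk objects
# that each receive their own score, and the threat objects that are attached
# to the risk event without a score. Risk assignment is now explicit per field
# instead of being inferred from a role.
name: Example Suspicious Child Process (constructed)
rba:
  message: Suspicious process $process_name$ spawned by $parent_process_name$ on $dest$ by $user$
  risk_objects:
  - field: user
    type: user
    score: 25
  - field: dest
    type: system
    score: 25
  threat_objects:
  - field: parent_process_name
    type: parent_process_name
```

If you maintain custom detections in a contentctl project, the practical check is to run the project's validation (contentctl validate) after migrating: a detection that still carries the old observables layout, or an rba block whose field names do not appear in the search output, will fail validation rather than silently producing risk events with no attributable objects.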
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.0.0