Splunk® Enterprise Security Content Update

Release Notes

What's new

Enterprise Security Content Updates version 5.0.0 was released on December 4, 2024 and includes the following enhancements:

Key highlights

  • A new Deprecation Assistant dashboard: This release introduces a Deprecation Assistant dashboard to identify and manage deprecated detection analytics that are enabled in your Splunk environment. Deprecated detections are marked for removal in ESCU version 5.2.0 and can disrupt your environment. For more information on the deprecated detections and their replacements, see Deprecated analytics.
  • Analytic Story Onboarding Assistant: A redesigned home page with an enhanced user interface offers direct access to release notes, analytics counts, and the latest version on Splunkbase, complemented by a detailed timeline of STRT blogs and updates. The home page also includes the Analytic Story Onboarding Assistant, a new preview feature that streamlines enabling several detections from multiple analytic stories for which data is available in your Splunk environment.
  • New analytics: Threat detection coverage is expanded by mapping existing analytics to, and creating new detections for, a range of threats, including Backdoor Pingpong, Cleo File Transfer Software, Crypto Stealer, SDDL Tampering Defense Evasion, Derusbi, Earth Estries, Nexus APT Threat Activity, WinDealer RAT, and XorDDos. These detections are already available in Splunk Enterprise Security through the ESCU application update process built into the product, and in Splunk Security Essentials (SSE) through an API update.

New analytic stories


New analytics

  1. ASL AWS Create Access Key
  2. ASL AWS Create Policy Version to allow all resources
  3. ASL AWS Credential Access GetPasswordData
  4. ASL AWS Credential Access RDS Password reset
  5. ASL AWS Defense Evasion PutBucketLifecycle
  6. ASL AWS Detect Users creating keys with encrypt policy without MFA
  7. ASL AWS Disable Bucket Versioning
  8. ASL AWS EC2 Snapshot Shared Externally
  9. ASL AWS IAM AccessDenied Discovery Events
  10. ASL AWS IAM Assume Role Policy Brute Force
  11. ASL AWS Network Access Control List Created with All Open Ports
  12. ASL AWS Network Access Control List Deleted
  13. ASL AWS SAML Update identity provider
  14. ASL AWS UpdateLoginProfile
  15. Azure AD AzureHound UserAgent Detected
  16. Azure AD Service Principal Enumeration
  17. Azure AD Service Principal Privilege Escalation
  18. Detect Remote Access Software Usage Registry
  19. Microsoft Intune Device Health Scripts
  20. Microsoft Intune DeviceManagementConfigurationPolicies
  21. Microsoft Intune Manual Device Management
  22. O365 Service Principal Privilege Escalation
  23. Windows Account Access Removal via Logoff Exec
  24. Windows CertUtil Download With URL Argument
  25. Windows DNS Query Request by Telegram Bot API
  26. Windows Detect Network Scanner Behavior
  27. Windows File and Directory Enable ReadOnly Permissions
  28. Windows File and Directory Permissions Enable Inheritance
  29. Windows File and Directory Permissions Remove Inheritance
  30. Windows Impair Defenses Disable Auto Logger Session
  31. Windows New Custom Security Descriptor Set On EventLog Channel
  32. Windows New Deny Permission Set On Service SD Via Sc.EXE
  33. Windows New EventLog ChannelAccess Registry Value Set
  34. Windows New Service Security Descriptor Set Via Sc.EXE
  35. Windows Obfuscated Files or Information via RAR SFX
  36. Windows Office Product Dropped Cab or Inf File
  37. Windows Office Product Dropped Uncommon File
  38. Windows Office Product Spawned Control
  39. Windows Office Product Spawned MSDT
  40. Windows Office Product Spawned Rundll32 With No DLL
  41. Windows Office Product Spawned Uncommon Process
  42. Windows Powershell Logoff User via Quser
  43. Windows Process With NetExec Command Line Parameters
  44. Windows Registry Dotnet ETW Disabled Via ENV Variable
  45. Windows Remote Management Execute Shell
  46. Windows ScManager Security Descriptor Tampering Via Sc.EXE
  47. Windows Service Execution RemCom
  48. Windows Service Stop Attempt
  49. Windows Set Account Password Policy To Unlimited Via Net
  50. Windows SubInAcl Execution
  51. Windows Suspicious Child Process Spawned From WebServer
  52. Windows User Discovery Via Net

Other updates

YAML configurations were updated to enhance validation, improve accuracy and consistency, and replace the observables key with an RBA key, better aligning with Splunk Enterprise Security standards and simplifying risk attribution.

Last modified on 21 February, 2025

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.0.0
