What's new
Enterprise Security Content Updates v3.35.0 was released on February 16, 2022. It includes the following enhancements.
New analytics
- Windows Rasautou DLL Execution
- Linux pkexec Privilege Escalation
- Potentially malicious code on command line (MLTK-based detection that works with a pre-shipped model file)
Updated analytics
- Linux pkexec Privilege Escalation
- Windows Possible Credential Dumping
- Windows Remote Assistance Spawning Process
- Windows Schtasks Create Run As System
- RunDLL Loading DLL By Ordinal
- CertUtil Download With URLCache and Split Arguments
- CertUtil Download With VerifyCtl and Split Arguments
- O365 Added Service Principal (Bug fix contributed by @ionsor)
- O365 Bypass MFA via Trusted IP (Bug fix contributed by @ionsor)
- O365 Disable MFA (Bug fix contributed by @ionsor)
- Powershell Remove Windows Defender Directory (Bug fix contributed by @BlackB0lt)
- GetWmiObject Ds Computer with PowerShell Script Block (Bug fix contributed by @sanjay900)
- GetWmiObject Ds Group with PowerShell Script Block (Bug fix contributed by @sanjay900)
New playbooks
- TruSTAR Enrich Indicators
- Threat Intel Investigate
- Start Investigation
- AWS Disable User Accounts
- AWS Find Inactive Users
Other updates
- Updated 20+ detections based on Endpoint.Registry and tested with the latest Splunk Add-on for Sysmon
- Updated `Detect GCP Storage access from a new IP` based on a customer-reported bug.
- Updated deprecation note in `Detection of DNS Tunnels` with reference to new detection.
- Updated `savedsearches.conf` with a risk parameter that previously did not allow a search to be saved from the UI
- Updated `generate.py` to output correctly UTF-8 rendered `savedsearches.conf` stanzas for `Malicious PowerShell Process - Encoded Command` and `PowerShell - Connect To Internet With Hidden Window`
This documentation applies to the following versions of Splunk® Security Content: 3.35.0