What's new
Enterprise Security Content Updates v3.50.0 was released on October 5, 2022. It includes the following enhancements.
New analytic stories
- AgentTesla
- AWS Identity and Access Management Account Takeover
- CISA AA22-264A
- Okta MFA Exhaustion
New analytics
- AWS Multiple Users Failing to Authenticate From Ip
- AWS Unusual Number of Failed Authentications From Ip
- Detect DGA domains using pre-trained model in DSDL
- Okta Account Locked Out
- Okta MFA Exhaustion Hunt
- Okta New API Token Created
- Okta New Device Enrolled on Account
- Okta Suspicious Activity Reported
- Okta ThreatInsight Threat Detected
- Okta Two or More Rejected Okta Pushes
- Okta Risk Threshold Exceeded
- Office Product Spawning Windows Script Host
- Powershell COM Hijacking InprocServer32 Modification
- Windows COM Hijacking InprocServer32 Modification
- Windows File Transfer Protocol in Non-Common Process Path
- Windows ISO LNK File Creation
- Windows Mail Protocol in Non-Common Process Path
- Windows Multi hop Proxy TOR Website Query
- Windows System Script Proxy Execution Syncappvpublishingserver
Updated analytics
- Multiple Okta Users with Invalid Credentials From The Same IP
- Okta Account Lockout Events
- Okta Failed SSO Attempts
- Exchange PowerShell Module Usage
- Registry Keys Used for Persistence
- Windows Phishing Recent ISO Exec Registry
Other updates
- Removed the slim dependency in GitHub Actions, skipped detection testing on tag creation, and updated the token
- Fixed bugs in the init functionality for creating a security_content custom application
- Added advanced_port_scanner.exe to the Attacker Tools Lookup
NOTE: This release contains a new type of analytic (Detect DGA domains using a pre-trained model in DSDL) that leverages the Splunk App for Data Science and Deep Learning to detect DNS connections to domains generated by Domain Generation Algorithms. This detection uses a pre-trained deep learning model, and you can find the steps to deploy this model in our GitHub Wiki.
This documentation applies to the following versions of Splunk® Security Content: 3.50.0