What's new
Enterprise Security Content Updates v3.58.0 was released on February 8, 2023. It includes the following enhancements.
New analytic stories
- AsyncRAT
- Compromised User Account
- Swift Slicer
- Windows Certificate Services
New analytics
- AWS AD New MFA Method Registered for User
- AWS Concurrent Sessions from Different Ips
- AWS High Number of Failed Authentications for User
- AWS High Number of Failed Authentications from Ip
- AWS Password Policy Changes
- AWS Successful Console Authentication from Multiple IPs
- Azure AD Concurrent Sessions from Different Ips
- Azure AD High Number of Failed Authentications for User
- Azure AD High Number of Failed Authentications from Ip
- Azure AD New MFA Method Registered for User
- Azure AD Successful Authentication from Different Ips
- Detect suspicious processnames using a pretrained model in DSDL
- Driver Inventory
- LOLBAS With Network Traffic (Thanks to @nterl0k)
- Windows Data Destruction Recursive Exec Files Deletion
- Windows Export Certificate
- Windows PowerShell Cryptography Namespace
- Windows PowerShell Export Certificate
- Windows PowerShell Export PfxCertificate
- Windows Scheduled Task with Highest Privileges
- Windows Spearphishing Attachment Connect to None MS Office Domain
- Windows Spearphishing Attachment Onenote Spawn Mshta
- Windows Steal Authentication Certificates Certificate Issued
- Windows Steal Authentication Certificates Certificate Request
- Windows Steal Authentication Certificates CertUtil Backup
- Windows Steal Authentication Certificates CS Backup
- Windows Steal Authentication Certificates Export Certificate
- Windows Steal Authentication Certificates Export PfxCertificate
Updated analytics
- AWS Multiple Users Failing To Authenticate From Ip
- Exploit Public Facing Application via Apache Commons Text
- Office Application Drop Executable (Thanks to @TheLawsOfChaos)
- Office Product Spawning MSHTA
- Rundll32 with no Command Line Arguments with Network (Thanks to @nterl0k)
- Windows Java Spawning Shells
Other updates
- Moved 12 failing detections to experimental
- Fixed a number of detections that use an incorrect sourcetype in their macro
- Updated several endpoint detections from proc_guid to process_guid (Thanks to @nterl0k)
This documentation applies to the following versions of Splunk® Security Content: 3.58.0