What's new
Enterprise Security Content Updates v4.19.0 was released on January 10, 2024. It includes the following enhancements:
New analytics
- Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor: Matthew Moore)
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Container Image Name (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Process (Internal Contributor: Matthew Moore)
- Kubernetes Process Running From New Path (Internal Contributor: Matthew Moore)
- Kubernetes Process with Anomalous Resource Utilization (Internal Contributor: Matthew Moore)
- Kubernetes Process with Resource Ratio Anomalies (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node (Internal Contributor: Matthew Moore)
- Windows Account Discovery for None Disable User Account
- Windows Lsa Secrets Nolmhash Registry
- Windows Modify Registry Disable Restricted Admin
- Windows Account Discovery for Sam Account Name
- Windows Account Discovery with Netuser Preauthnotrequire
- Windows Archive Collected Data Via Powershell
- Windows Domain Account Discovery Via Get Netcomputer
- Windows Known Graphicalproton Loaded Modules
- Windows Process Commandline Discovery
- Windows System User Privilege Discovery
- Windows Modify Registry Nochangingwallpaper
- Windows Rundll32 Apply User Settings Changes
- Windows UAC Bypass Suspicious Child Process (External Contributor: @nterl0k)
- Windows UAC Bypass Suspicious Escalation Behavior (External Contributor: @nterl0k)
- Windows Alternate DataStream - Base64 Content (External Contributor: @nterl0k)
- Windows Alternate DataStream - Process Execution (External Contributor: @nterl0k)
- Windows Alternate DataStream - Executable Content (External Contributor: @nterl0k)
- O365 Concurrent Sessions From Different Ips
- Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor: Chase Franklin)
- Splunk ES DoS Through Investigation Attachments (Internal Contributor: Chase Franklin)
Updated analytics
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Successful Single-Factor Authentication
- Windows Steal Authentication Certificates - ESC1 Abuse
- Allow Network Discovery In Firewall
- Msmpeng Application DLL Side Loading
New analytic stories
Updated analytic stories
Other Updates
- Updated MITRE ATT&CK Navigator JSON files for detection coverage for the RAT and Stealer analytic stories
- Updated all Azure AD analytics to use sourcetype = azure:monitor:aad for better CIM compliance
This documentation applies to the following versions of Splunk® Security Content: 4.19.0