What's new
Enterprise Security Content Updates v4.19.0 was released on January 10, 2024. It includes the following enhancements:
New analytics
- Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor: Matthew Moore)
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Container Image Name (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Process (Internal Contributor: Matthew Moore)
- Kubernetes Process Running From New Path (Internal Contributor: Matthew Moore)
- Kubernetes Process with Anomalous Resource Utilization (Internal Contributor: Matthew Moore)
- Kubernetes Process with Resource Ratio Anomalies (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node (Internal Contributor: Matthew Moore)
- Windows Account Discovery for None Disable User Account
- Windows Lsa Secrets Nolmhash Registry
- Windows Modify Registry Disable Restricted Admin
- Windows Account Discovery for Sam Account Name
- Windows Account Discovery with Netuser Preauthnotrequire
- Windows Archive Collected Data Via Powershell
- Windows Domain Account Discovery Via Get Netcomputer
- Windows Known Graphicalproton Loaded Modules
- Windows Process Commandline Discovery
- Windows System User Privilege Discovery
- Windows Modify Registry Nochangingwallpaper
- Windows Rundll32 Apply User Settings Changes
- Windows UAC Bypass Suspicious Child Process (External Contributor: @nterl0k)
- Windows UAC Bypass Suspicious Escalation Behavior (External Contributor: @nterl0k)
- Windows Alternate DataStream - Base64 Content (External Contributor: @nterl0k)
- Windows Alternate DataStream - Process Execution (External Contributor: @nterl0k)
- Windows Alternate DataStream - Executable Content (External Contributor: @nterl0k)
- O365 Concurrent Sessions From Different Ips
- Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor: Chase Franklin)
- Splunk ES DoS Through Investigation Attachments (Internal Contributor: Chase Franklin)
Updated analytics
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Successful Single-Factor Authentication
- Windows Steal Authentication Certificates - ESC1 Abuse
- Allow Network Discovery In Firewall
- Msmpeng Application DLL Side Loading
New analytic stories
Updated analytic stories
Other Updates
- Updated MITRE ATT&CK Navigator JSON files for detection coverage for the RAT and Stealer analytic stories
- Updated all Azure AD analytics to use sourcetype = azure:monitor:aad for better CIM compliance
Last modified on 17 January, 2024
This documentation applies to the following versions of Splunk® Security Content: 4.19.0