What's new
Enterprise Security Content Updates v4.23.0 was released on January 30, 2024. It includes the following enhancements:
New analytics stories
- Jenkins Server Vulnerabilities
New analytics
- Splunk Information Disclosure in Splunk Add-on Builder
- Kubernetes Anomalous Inbound Network Activity from Process
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Traffic on Network Edge
- Kubernetes Create or Update Privileged Pod
- Kubernetes Cron Job Creation
- Kubernetes DaemonSet Deployed
- Kubernetes Falco Shell Spawned
- Kubernetes Newly Seen TCP Edge
- Kubernetes Newly Seen UDP Edge
- Kubernetes Node Port Creation
- Kubernetes Pod Created in Default Namespace
- Kubernetes Pod with Host Network Attachment
- Kubernetes Scanning by Unauthenticated IP Address
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Configure App Install Control
- Windows Impair Defense Define Win Defender Threat Action
- Windows Impair Defense Disable Controlled Folder Access
- Windows Impair Defense Disable Defender Firewall And Network
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Impair Defense Disable PUA Protection
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Impair Defense Disable Web Evaluation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable Win Defender Scan on Update
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Set Win Defender Smart Screen Level to Warn
- Windows MsiExec HideWindow Rundll32 Execution
- Windows Process Injection In Non-Service SearchIndexer
- Jenkins Arbitrary File Read CVE-2024-23897
Updated analytics
- Kubernetes Access Scanning
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes AWS detect suspicious kubectl calls
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Previously Unseen Process
- Kubernetes Process Running From New Path
- Kubernetes Process with Anomalous Resource Utilization
- Kubernetes Process with Resource Ratio Anomalies
- Kubernetes Shell Running on Worker Node
- Kubernetes Shell Running on Worker Node with CPU Activity
- Disable Windows SmartScreen Protection
- Linux Service Started Or Enabled
- Unknown Process Using The Kerberos Protocol
- Windows Excessive Disabled Services Event
Other updates
Added a new input macro for sourcetype="kube:container:falco"
Playbook updates
This documentation applies to the following versions of Splunk® Security Content: 4.23.0