What's new
Enterprise Security Content Updates v4.26.0 was released on March 5, 2024. It includes the following enhancements:
New analytics story
New analytics
- Cloud Security Groups Modifications by User
- Detect Remote Access Software Usage File (External Contributor: @nterl0k)
- Detect Remote Access Software Usage FileInfo (External Contributor: @nterl0k)
- Detect Remote Access Software Usage Process (External Contributor: @nterl0k)
- Windows Multiple Account Passwords Changed
- Windows Multiple Accounts Deleted
- Windows Multiple Accounts Disabled
- Detect Remote Access Software Usage DNS (External Contributor: @nterl0k)
- Detect Remote Access Software Usage Traffic (External Contributor: @nterl0k)
- High Volume of Bytes Out to Url
- Detect Remote Access Software Usage URL (External Contributor: @nterl0k)
- JetBrains TeamCity Authentication Bypass CVE-2024-27198
- JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
- JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
- Nginx ConnectWise ScreenConnect Authentication Bypass
Updated analytics
- AWS IAM Delete Policy
- O365 Multiple Users Failing To Authenticate From Ip
- ConnectWise ScreenConnect Authentication Bypass
- JetBrains TeamCity RCE Attempt
Macros added
- nginx_access_logs
- suricata
Lookups updated
- remote_access_software
Playbooks added
- G Suite for Gmail Message Eviction
- G Suite for Gmail Search and Purge
- MS Graph for Office 365 Message Eviction
- MS Graph for Office 365 Message Identifier Activity Analysis
- MS Graph for Office 365 Message Restore
- MS Graph for Office365 Search and Purge
- MS Graph for Office365 Search and Restore
Other updates
- Added a new script and a CI job to automatically upload the package to Splunkbase using a service account
- Create SSA-Content-latest.tar.gz in the generate_ba CI job
This documentation applies to the following versions of Splunk® Security Content: 4.26.0