For more information please visit the Splunk ES Content Update user documentation.
https://github.com/splunk/security_content/releases/tag/v3.25.0
https://github.com/splunk/security_content/releases/tag/v3.24.0
https://github.com/splunk/security_content/releases/tag/v3.23.0
https://github.com/splunk/security_content/releases/tag/v3.22.0
https://github.com/splunk/security_content/releases/tag/v3.21.0
https://github.com/splunk/security_content/releases/tag/v3.20.0
## New Analytic Stories
- Bits Jobs
- Domain Trust Discovery
## New Detections
- BITSAdmin Download File
- BITS Job Persistence
- PowerShell Start-BitsTransfer
- DSQuery Domain Discovery
- Disable Registry Tool
- Disable Show Hidden Files
- Disable Windows Behavior Monitoring
- Disable Windows SmartScreen Protection
- Disabling CMD Application
- Disabling ControlPanel
- Disabling Firewall with Netsh
- Disabling FolderOptions Windows Feature
- Disabling NoRun Windows App
- Disabling SystemRestore In Registry
- Disabling Task Manager
- AWS Excessive Security Scanning
- Malicious Powershell Executed As A Service (Thank you Ryan Becwar for contributing)
## Updates:
- Clop Common Exec Parameter detection updated
New Detections
* AWS detect users creating keys with encrypt policy without MFA
* BCDEdit Failure Recovery Modification
* AWS network access control list created with all open ports
* AWS network access control list deleted
* Detect new open S3 Buckets over AWS CLI
* O365 bypass MFA via trusted IP
* Detect hosts connecting to dynamic domain providers
Updates
* AWS detect users with kms keys performing encryption against S3 buckets
* Detect new open S3 buckets
Other
* Circle CI Config updates
* Increase in testing coverage
* Added notable alert action configurations to all savedsearches
New Detections:
* Multi-factor authentication disabled (o365)
* Excessive Authentication Failures Alert (o365)
* PST Export Alert (o365)
* Detect high number of login failures from a single source
* Detect Supernova Webshell (used in SUNBURST)
Updates:
* High number of login failures from a single source detection
* Deprecated AWS Searches that have been translated.
Other
* Circle CI Config updates
* Increase in testing coverage
New Stories
* Sunburst Malware
* Office 365 Detections
New Detections
* Windows AdFind Exe
* Sunburst Correlation DLL and Network Event
* O365 Suspicious Admin Email Forwarding
* O365 Suspicious Rights Delegation
* O365 Suspicious User Email Forwarding
Updates
* Updates to response tasks and backend to handle multi-token replacement
* Analytic Story name added to annotations
New Detections
* Ryuk Test Files Detected
* Windows connhost exe started forcefully
* Windows DisableAntiSpyware Registry
* Windows Security Account Manager Stopped
To view the all the release notes, please visit : https://github.com/splunk/security-content/releases/tag/v3.9.0
Note: We have also updated the app versioning of ESCU
https://docs.splunk.com/Documentation/ESSOC
https://docs.splunk.com/Documentation/ESSOC
Release notes: https://docs.splunk.com/Documentation/ESSOC
Release notes: https://docs.splunk.com/Documentation/ESSOC
Release notes: https://docs.splunk.com/Documentation/ESSOC
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.