For more information, please visit the Splunk ES Content Update user documentation.
New Detections
* AWS detect users creating keys with encrypt policy without MFA
* BCDEdit Failure Recovery Modification
* AWS network access control list created with all open ports
* AWS network access control list deleted
* Detect new open S3 Buckets over AWS CLI
* O365 bypass MFA via trusted IP
* Detect hosts connecting to dynamic domain providers
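The three AWS items above name conditions without showing what a matching event looks like. The following Python is an added example written for this page, not ESCU's own SPL search: it applies those same conditions (a network ACL entry that allows every port from any source, a network ACL deletion, and a bucket ACL that grants to the AllUsers or AuthenticatedUsers group) to a handful of constructed CloudTrail records. The requestParameters field names used (aclProtocol, portRange, cidrBlock, x-amz-acl, AccessControlPolicy) follow the CloudTrail record shape for these API calls but are assumptions here, as are the detection labels and the sample ARNs, ACL IDs and bucket name.

```python
"""Illustrative checks for three AWS conditions, run over constructed CloudTrail
records. Added example for this page; not the ESCU search and not real log data."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def is_open_nacl_entry(params: dict) -> bool:
    """Allow rule from any source that covers every port (protocol -1 or 0-65535)."""
    if params.get("ruleAction") != "allow":
        return False
    if not ANYWHERE & {params.get("cidrBlock"), params.get("ipv6CidrBlock")}:
        return False
    if str(params.get("aclProtocol")) == "-1":
        return True  # "all protocols" implies all ports, portRange may be absent
    rng = params.get("portRange") or {}
    return rng.get("from") == 0 and rng.get("to") == 65535


def is_public_bucket_acl(params: dict) -> bool:
    """PutBucketAcl granting to AllUsers/AuthenticatedUsers via canned header or explicit grant."""
    canned = params.get("x-amz-acl") or []
    if PUBLIC_CANNED_ACLS & set(canned):
        return True
    policy = params.get("AccessControlPolicy") or {}
    grants = (policy.get("AccessControlList") or {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is a dict, several are a list
        grants = [grants]
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def review_cloudtrail(records: list) -> list:
    """Return (detection, actor_arn, target) for every record matching a check."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if name == "CreateNetworkAclEntry" and is_open_nacl_entry(params):
            findings.append(("nacl_entry_all_ports_open", actor, params.get("networkAclId")))
        elif name == "DeleteNetworkAcl":
            findings.append(("nacl_deleted", actor, params.get("networkAclId")))
        elif name == "PutBucketAcl" and is_public_bucket_acl(params):
            findings.append(("s3_bucket_acl_public", actor, params.get("bucketName")))
    return findings


# Constructed sample records (hypothetical account, principals, ACL IDs and bucket).
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice"}
SAMPLE_EVENTS = [
    {"eventName": "CreateNetworkAclEntry", "userIdentity": ALICE,    # flagged: allow all from anywhere
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 100, "egress": False,
                           "ruleAction": "allow", "aclProtocol": "-1", "cidrBlock": "0.0.0.0/0"}},
    {"eventName": "CreateNetworkAclEntry", "userIdentity": ALICE,    # not flagged: HTTPS only
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 110, "egress": False,
                           "ruleAction": "allow", "aclProtocol": "6", "cidrBlock": "0.0.0.0/0",
                           "portRange": {"from": 443, "to": 443}}},
    {"eventName": "CreateNetworkAclEntry", "userIdentity": ALICE,    # not flagged: explicit deny-all
     "requestParameters": {"networkAclId": "acl-0a1b2c3d", "ruleNumber": 32766, "egress": False,
                           "ruleAction": "deny", "aclProtocol": "-1", "cidrBlock": "0.0.0.0/0"}},
    {"eventName": "DeleteNetworkAcl", "userIdentity": ALICE,         # flagged: ACL removed
     "requestParameters": {"networkAclId": "acl-0a1b2c3d"}},
    {"eventName": "PutBucketAcl", "userIdentity": ALICE,             # flagged: explicit AllUsers grant
     "requestParameters": {"bucketName": "example-logs-bucket", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"xsi:type": "Group", "URI": ALL_USERS},
                                          "Permission": "READ"}]}}}},
    {"eventName": "PutBucketAcl", "userIdentity": ALICE,             # not flagged: specific account
     "requestParameters": {"bucketName": "example-logs-bucket", "AccessControlPolicy": {
         "AccessControlList": {"Grant": {"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"},
                                         "Permission": "FULL_CONTROL"}}}}},
    {"eventName": "PutBucketAcl", "userIdentity": ALICE,             # flagged: canned public ACL
     "requestParameters": {"bucketName": "example-logs-bucket", "x-amz-acl": ["public-read"]}},
]

if __name__ == "__main__":
    for detection, actor, target in review_cloudtrail(SAMPLE_EVENTS):
        print(f"{detection:28} {actor} -> {target}")
```

Two points the code makes that the bullet names do not: a deny rule with 0.0.0.0/0 and all ports is the normal default-deny entry and must not alert, and a public bucket ACL can arrive either as a canned `x-amz-acl` header or as an explicit grant inside the ACL body, so a check that only inspects one form misses the other.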
Updates
* AWS detect users with kms keys performing encryption against S3 buckets
* Detect new open S3 buckets
Other
* CircleCI config updates
* Increase in testing coverage
* Added notable alert action configurations to all savedsearches
New Detections
* Multi-factor authentication disabled (o365)
* Excessive Authentication Failures Alert (o365)
* PST Export Alert (o365)
* Detect high number of login failures from a single source
* Detect Supernova Webshell (used in SUNBURST)
Updates
* High number of login failures from a single source detection
* Deprecated AWS searches that have been translated.
Other
* CircleCI config updates
* Increase in testing coverage
New Stories
* Sunburst Malware
* Office 365 Detections
New Detections
* Windows AdFind Exe
* Sunburst Correlation DLL and Network Event
* O365 Suspicious Admin Email Forwarding
* O365 Suspicious Rights Delegation
* O365 Suspicious User Email Forwarding
Updates
* Updates to response tasks and backend to handle multi-token replacement
* Analytic Story name added to annotations
New Detections
* Ryuk Test Files Detected
* Windows connhost exe started forcefully
* Windows DisableAntiSpyware Registry
* Windows Security Account Manager Stopped
To view all the release notes, please visit: https://github.com/splunk/security-content/releases/tag/v3.9.0
Note: We have also updated the app versioning of ESCU.
Release notes: https://docs.splunk.com/Documentation/ESSOC