Splunk ES Content Update
Overview
Details
Security Content consists of tactics, techniques, and methodologies that help with detection, investigation, and response. Security Content enables security teams to directly operationalize detection searches, investigative searches, and other supporting details. ESCU can generate Notable Events in Splunk Enterprise Security. Security Content also contains easy-to-read background information and guidance, for key context on motivations and risks associated with attack techniques, as well as pragmatic advice on how to combat those techniques.
Requires Splunk Enterprise Security version 4.5 or greater.
For more information please visit the Splunk ES Content Update user documentation.
Release Notes
Version 1.0.42
Enterprise Security Content Updates v 1.0.42 was released on August 28, 2019, and included the following bug fixes:
* Excessive WARN messages due to incorrect default.meta
* Error with DNS Query Length With High Standard Deviation detection
* Add MITRE tactic where only technique is listed
* Errors with analyticstories.conf when running btool
For complete documentation, please visit: https://docs.splunk.com/Documentation/ESSOC/1.0.42
Version 1.0.41
Splunk Enterprise Security Content Updates (ESCU) 1.0.41 Copyright (C) 2019 Splunk Inc. All rights reserved.
ESCU 1.0.41 was released on July 31, 2019. It introduced the following improvement:
The Analytic Story "Suspicious Email" was updated to incorporate the output from the "Suspicious Email" anomaly from Splunk User Behavior Analytics (UBA).
Fixed Issues:
CRL-1587 Broken search: Sc.exe manipulating Windows services
CRL-1577 Usage Details dashboard not rendering
CRL-1586 Detection for "Process Execution via WMI" has incorrect search
CRL-1555 Analytic Stories not rendering
For complete documentation, please visit: https://docs.splunk.com/Documentation/ESSOC/1.0.41