
Enterprise Security Content Update (ESCU) | New Releases

OliviaHenderson
Splunk Employee

In the last month, the Splunk Threat Research Team (STRT) shipped two releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.15.0 and v4.16.0). Together these releases deliver 20 new detections, 4 new analytic stories, 7 updated analytics, 2 updated behavioral analytics detections, 3 new behavioral analytics detections, 2 updated analytic stories, and 2 deprecated analytics, all available in Splunk Enterprise Security through the ESCU application update process.

Content highlights include:

  • A new analytic story grouping 6 new analytics to help detect a phishing-driven campaign distributing DarkGate malware, which uses stolen email threads to trick users into downloading malicious payloads via hyperlinks.
  • Coverage for CVE-2023-47246, a zero-day vulnerability in SysAid On-Prem software that allows attackers to upload a web shell and other payloads to gain unauthorized access and control.
  • A new Risk Rule analytic, Risk Rule for Dev Sec Ops by Repository, which correlates repository with risk score to surface patterns and trends by level of risk, giving a fuller view of the risk landscape to support informed decisions. Additionally, we released an updated analytic story that groups 10 new analytics to help security operations teams identify potential compromise of Azure Active Directory accounts.
  • Coverage for CVE-2023-4966, a critical vulnerability in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, can lead to unauthorized data disclosure and possibly session hijacking. We also cover PlugX RAT (also known as Kaba), the "silent infiltrator," a go-to tool for sophisticated actors whose goal is espionage. Additionally, we updated three existing analytics to identify suspicious file creation in the root drive as observed in NjRAT, and analytics covering two privilege escalation flaws in Atlassian Confluence.

New Analytics (20)

New Analytic Stories (4) 

Updated Analytics (7)

Updated Behavioral Analytics Detections (2)

  • All BA detections updated to use the IN operator in SPLv2 instead of chaining multiple ORs in the detection search
  • Added a new key, detection_type = STREAMING, to the generated BA YAML files

New Behavioral Analytics Detections (3)

  • Detect Prohibited Applications Spawning cmd exe browsers (validation)
  • Detect Prohibited Applications Spawning cmd exe office (validation)
  • Detect Prohibited Applications Spawning cmd exe powershell (validation)
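The three detections above share one shape: a process-creation event whose child is cmd.exe and whose parent falls in a category of applications that should not be spawning a shell. The block below is an added example, not ESCU's own detection code, that runs that logic over a handful of constructed Endpoint-style process events. The field names (parent_process_name, process_name, dest, user, process) and the prohibited-parent lists are assumptions for illustration and are not the exact lists ESCU ships; each category is a single membership test, the same idea as the IN clause the BA detections moved to.

```python
"""Added example (not part of ESCU): logic behind the three
"Detect Prohibited Applications Spawning cmd exe" detections, run
over constructed process-creation events.

Assumptions (not from the original page): a flat event dict with the
fields parent_process_name, process_name, process, dest and user, and
the illustrative prohibited-parent lists below.
"""
from dataclasses import dataclass

CHILD = "cmd.exe"

# One membership test per category instead of a chain of ORs on the
# parent name. These lists are illustrative assumptions.
PROHIBITED_PARENTS = {
    "browsers": {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"},
    "office": {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"},
    "powershell": {"powershell.exe", "pwsh.exe"},
}


@dataclass(frozen=True)
class Finding:
    category: str
    dest: str
    user: str
    parent: str
    process: str
    command_line: str


def normalize(name: str) -> str:
    """Strip any directory and lower-case so that full paths and mixed
    case (C:\\Windows\\System32\\CMD.EXE) still match 'cmd.exe'."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, category: str):
    """Return the events where a parent in `category` spawned cmd.exe."""
    parents = PROHIBITED_PARENTS[category]
    findings = []
    for ev in events:
        parent = normalize(ev.get("parent_process_name", ""))
        child = normalize(ev.get("process_name", ""))
        if child == CHILD and parent in parents:
            findings.append(Finding(category, ev.get("dest", ""),
                                    ev.get("user", ""), parent, child,
                                    ev.get("process", "")))
    return findings


def detect_all(events):
    """Run all three category detections; one result list per category."""
    return {cat: detect(events, cat) for cat in PROHIBITED_PARENTS}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "parent_process_name": "winword.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c powershell -enc AAAA"},
    {"dest": "ws02", "user": "bob", "parent_process_name": "chrome.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c whoami"},
    {"dest": "ws02", "user": "bob", "parent_process_name": "explorer.exe",
     "process_name": "cmd.exe", "process": "cmd.exe"},            # benign
    {"dest": "ws03", "user": "carol", "parent_process_name": "powershell.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c net user"},
    {"dest": "ws01", "user": "alice", "parent_process_name": "winword.exe",
     "process_name": "splwow64.exe", "process": "splwow64.exe"},  # benign
    {"dest": "ws04", "user": "dave",
     "parent_process_name": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "process_name": r"C:\Windows\System32\CMD.EXE",
     "process": r"C:\Windows\System32\CMD.EXE /c curl http://example.invalid"},
]

if __name__ == "__main__":
    for cat, hits in detect_all(SAMPLE_EVENTS).items():
        print(f"{cat}: {len(hits)} hit(s)")
        for f in hits:
            print(f"  {f.dest} {f.user} {f.parent} -> {f.process}: {f.command_line}")
```

Against the sample events this flags two browser-spawned shells (one given as a full, mixed-case path), one Office-spawned shell and one PowerShell-spawned shell, while explorer.exe launching cmd.exe and Word launching the print helper are left alone. In production the parent lists should be tuned to the estate, since the powershell category in particular will fire on legitimate administration scripts.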

Updated Analytic Stories (2)

Deprecated Analytics (2)

The team has also published the following blogs:

For all our tools and security content, please visit research.splunk.com

— The Splunk Threat Research Team
