Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Product News & Announcements
All the latest news and announcements about Splunk products. Subscribe and never miss an update!
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- News & Events
- :
- Blog & Announcements
- :
- Product News & Announcements
- :
- Enterprise Security Content Update (ESCU) | New Re...
Enterprise Security Content Update (ESCU) | New Releases
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark Topic
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
TyneDarke
Splunk Employee
02-07-2024
07:58 AM
Last month, the Splunk Threat Research Team had 5 releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.19.0., v4.20.0, v4.21.0, v4.22.0, and v.4.23.0). With these releases, there are 74 new analytics, 5 new analytic stories, 14 updated analytics, and 3 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
- The new "Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring" analytic story includes a range of detections that identify abnormal or unexpected container behavior in Kubernetes environments, using metrics from Splunk Observability Cloud.
- The new “CISA AA23-347A” analytic story includes a variety of detections that allow you to detect and investigate unusual activities that might be related to SVR cyber activity.
- The new “Ivanti Connect Secure VPN Vulnerabilities'' analytic story addresses critical vulnerabilities CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure and Ivanti Policy Secure Gateways. The team also published a blog with additional information about these vulnerabilities and how to use this new threat detection content.
New Analytics (74)
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Previously Unseen Process
- Kubernetes Process Running From New Path
- Kubernetes Process with Anomalous Resource Utilisation
- Kubernetes Process with Resource Ratio Anomalies
- Kubernetes Shell Running on Worker Node with CPU Activity
- Kubernetes Shell Running on Worker Node
- Windows Account Discovery For None Disable User Account
- Windows Lsa Secrets Nolmhash Registry
- Windows Modify Registry Disable Restricted Admin
- Windows Account Discovery For Sam Account Name
- Windows Account Discovery With Netuser PreauthNotRequire
- Windows Archive Collected Data Via Powershell
- Windows Domain Account Discovery Via Get Netcomputer
- Windows Known Graphicalproton Loaded Modules
- Windows Process Commandline Discovery
- Windows System User Privilege Discovery
- Windows Modify Registry Nochangingwallpaper
- Windows Rundll32 Apply User Settings Changes
- Windows UAC Bypass Suspicious Child Process (External Contributor : @nterl0k)
- Windows UAC Bypass Suspicious Escalation Behavior (External Contributor : @nterl0k)
- Windows Alternate DataStream - Base64 Content (External Contributor : @nterl0k)
- Windows Alternate DataStream - Process Execution (External Contributor : @nterl0k)
- Windows Alternate DataStream - Executable Content (External Contributor : @nterl0k)
- O365 Concurrent Sessions From Different Ips
- Splunk ES DoS Investigations Manager via Investigation Creation
- Splunk ES DoS Through Investigation Attachments
- Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
- Ivanti Connect Secure Command Injection Attempts
- Ivanti Connect Secure System Information Access via Auth Bypass
- Splunk Enterprise KV Store Incorrect Authorization
- Splunk Enterprise Windows Deserialization File Partition
- Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
- Splunk Information Disclosure in Splunk Add-on Builder
- Kubernetes Anomalous Inbound Network Activity from Process
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Traffic on Network Edge
- Kubernetes Create or Update Privileged Pod
- Kubernetes Cron Job Creation
- Kubernetes DaemonSet Deployed
- Kubernetes Falco Shell Spawned
- Kubernetes newly seen TCP edge
- Kubernetes newly seen UDP edge
- Kubernetes Node Port Creation
- Kubernetes Pod Created in Default Namespace
- Kubernetes Pod With Host Network Attachment
- Kubernetes Scanning by Unauthenticated IP Address
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Configure App Install Control
- Windows Impair Defense Define Win Defender Threat Action
- Windows Impair Defense Disable Controlled Folder Access
- Windows Impair Defense Disable Defender Firewall And Network
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Impair Defense Disable PUA Protection
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Impair Defense Disable Web Evaluation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Windows MsiExec HideWindow Rundll32 Execution
- Windows Process Injection In Non-Service SearchIndexer
- Jenkins Arbitrary File Read CVE-2024-23897
New Analytic Stories (5)
- CISA AA23-347A
- Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
- Ivanti Connect Secure VPN Vulnerabilities
- Confluence Data Center and Confluence Server Vulnerabilities
- Jenkins Server Vulnerabilities
Updated Analytics (14)
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Successful Single-Factor Authentication
- Windows Steal Authentication Certificates - ESC1 Abuse
- Allow Network Discovery In Firewall
- Msmpeng Application DLL Side Loading
- Confluence Data Center and Server Privilege Escalation
- Confluence Unauthenticated Remote Code Execution CVE-2022-26134
- Kubernetes Access Scanning
- Kubernetes AWS detect suspicious kubectl calls
- Disable Windows SmartScreen Protection
- Linux Service Started Or Enabled
- Unknown Process Using The Kerberos Protocol
- Windows Excessive Disabled Services Event
Updated Analytic Stories (3)
The team also published the following 6 blogs:
- Security Insights: Jenkins CVE-2024-23897 RCE
- Security Insights: Tracking Confluence CVE-2023-22527
- Security Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
- Enter the Gates: An Analysis of the DarkGate AutoIt Loader
- Hunting M365 Invaders: Blue Team's Guide to Initial Access Vectors
- Ghost in the Web Shell: Introducing ShellSweep
For all our tools and security content, please visit research.splunk.com.
— The Splunk Threat Research Team
Labels
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Get Updates on the Splunk Community!
ATTENTION!! We’re MOVING (not really)
Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...
Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions
Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
Labels
