The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v.3.52.0, which contains 27 new detections and 4 new analytic stories to help you stay ahead of threats. These detections are now available in Splunk Enterprise Security via the ESCU application update process or via Splunk Security Essentials (SSE).
Release highlights include:
- An update to the Splunk Vulnerabilities analytic story that contains 6 new detections for the latest CVEs published by Splunk in the Quarterly Security Patch Updates on November 2nd, 2022.
- Several new detection analytics that help you detect unusual activities that might relate to the Qakbot/QBot malware including parent-child process anomalies, persistence, initial access, recon and many more.
- A new story, CVE-2022-40684 Fortinet Appliance Auth Bypass, to help detect exploitation of CVE-2022-40684, a critical authentication bypass vulnerability recently patched by Fortinet in FortiOS, FortiProxy, and FortiSwitchManager.
- A new detection for Text4Shell (CVE-2022-42889), a new critical vulnerability similar to the old Spring4Shell and Log4Shell.
- Additional content for the Cloud Account Takeover use case with 6 new analytic stories to help detect GCP Account Takeover.
- New Detections:
- New Analytic Stories:
For all our tools and security content, please visit research.splunk.com.
— The Splunk Threat Research Team