github splunk/security_content v4.19.0

8 months ago

Release Branch for ESCU 4.19.0

New Analytic Story
  • CISA AA23-347A
  • Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Updated Analytic Story
  • Office 365 Account Takeover
  • Office 365 Persistence Mechanisms
  • Splunk Vulnerabilities
New Analytics
  • Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor: Matthew Moore)
  • Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor: Matthew Moore)
  • Kubernetes Previously Unseen Container Image Name (Internal Contributor: Matthew Moore)
  • Kubernetes Previously Unseen Process (Internal Contributor: Matthew Moore)
  • Kubernetes Process Running From New Path (Internal Contributor: Matthew Moore)
  • Kubernetes Process with Anomalous Resource Utilisation (Internal Contributor: Matthew Moore)
  • Kubernetes Process with Resource Ratio Anomalies (Internal Contributor: Matthew Moore)
  • Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor: Matthew Moore)
  • Kubernetes Shell Running on Worker Node (Internal Contributor: Matthew Moore)
  • Windows Account Discovery For None Disable User Account
  • Windows Lsa Secrets Nolmhash Registry
  • Windows Modify Registry Disable Restricted Admin
  • Windows Account Discovery For Sam Account Name
  • Windows Account Discovery With Netuser Preauthnotrequire
  • Windows Archive Collected Data Via Powershell
  • Windows Domain Account Discovery Via Get Netcomputer
  • Windows Known Graphicalproton Loaded Modules
  • Windows Process Commandline Discovery
  • Windows System User Privilege Discovery
  • Windows Modify Registry Nochangingwallpaper
  • Windows Rundll32 Apply User Settings Changes
  • Windows UAC Bypass Suspicious Child Process (External Contributor: @nterl0k)
  • Windows UAC Bypass Suspicious Escalation Behavior (External Contributor: @nterl0k)
  • Windows Alternate DataStream - Base64 Content (External Contributor: @nterl0k)
  • Windows Alternate DataStream - Process Execution (External Contributor: @nterl0k)
  • Windows Alternate DataStream - Executable Content (External Contributor: @nterl0k)
  • O365 Concurrent Sessions From Different Ips
  • Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor: Chase Franklin)
  • Splunk ES DoS Through Investigation Attachments (Internal Contributor: Chase Franklin)
Updated Analytics
  • GCP Authentication Failed During MFA Challenge
  • GCP Multi-Factor Authentication Disabled
  • GCP Successful Single-Factor Authentication
  • Windows Steal Authentication Certificates - ESC1 Abuse
  • Allow Network Discovery In Firewall
  • Msmpeng Application DLL Side Loading
Other Updates
  • Updated the MITRE ATT&CK Navigator JSON files to reflect detection coverage for the RAT and Stealer analytic stories
  • Updated all Azure AD analytics to use sourcetype = azure:monitor:aad for better CIM compliance
