splunk/security_content v4.23.0

on GitHub

Release notes for ESCU v4.23.0

New Analytics Story

• Jenkins Server Vulnerabilities

Updated Analytics Story

New Analytics

• Splunk Information Disclosure in Splunk Add-on Builder
• Kubernetes Anomalous Inbound Network Activity from Process
• Kubernetes Anomalous Outbound Network Activity from Process
• Kubernetes Anomalous Traffic on Network Edge
• Kubernetes Create or Update Privileged Pod
• Kubernetes Cron Job Creation
• Kubernetes DaemonSet Deployed
• Kubernetes Falco Shell Spawned
• Kubernetes newly seen TCP edge
• Kubernetes newly seen UDP edge
• Kubernetes Node Port Creation
• Kubernetes Pod Created in Default Namespace
• Kubernetes Pod With Host Network Attachment
• Kubernetes Scanning by Unauthenticated IP Address
• Windows Impair Defense Change Win Defender Health Check Intervals
• Windows Impair Defense Change Win Defender Quick Scan Interval
• Windows Impair Defense Change Win Defender Throttle Rate
• Windows Impair Defense Change Win Defender Tracing Level
• Windows Impair Defense Configure App Install Control
• Windows Impair Defense Define Win Defender Threat Action
• Windows Impair Defense Disable Controlled Folder Access
• Windows Impair Defense Disable Defender Firewall And Network
• Windows Impair Defense Disable Defender Protocol Recognition
• Windows Impair Defense Disable PUA Protection
• Windows Impair Defense Disable Realtime Signature Delivery
• Windows Impair Defense Disable Web Evaluation
• Windows Impair Defense Disable Win Defender App Guard
• Windows Impair Defense Disable Win Defender Compute File Hashes
• Windows Impair Defense Disable Win Defender Gen reports
• Windows Impair Defense Disable Win Defender Network Protection
• Windows Impair Defense Disable Win Defender Report Infection
• Windows Impair Defense Disable Win Defender Scan On Update
• Windows Impair Defense Disable Win Defender Signature Retirement
• Windows Impair Defense Overide Win Defender Phishing Filter
• Windows Impair Defense Override SmartScreen Prompt
• Windows Impair Defense Set Win Defender Smart Screen Level To Warn
• Windows MsiExec HideWindow Rundll32 Execution
• Windows Process Injection In Non-Service SearchIndexer
• Jenkins Arbitrary File Read CVE-2024-23897

Updated Analytics

• Kubernetes Access Scanning
• Kubernetes Anomalous Inbound Outbound Network IO
• Kubernetes Anomalous Inbound to Outbound Network IO Ratio
• Kubernetes AWS detect suspicious kubectl calls
• Kubernetes Previously Unseen Container Image Name
• Kubernetes Previously Unseen Process
• Kubernetes Process Running From New Path
• Kubernetes Process with Anomalous Resource Utilisation
• Kubernetes Process with Resource Ratio Anomalies
• Kubernetes Shell Running on Worker Node
• Kubernetes Shell Running on Worker Node with CPU Activity
• Disable Windows SmartScreen Protection
• Linux Service Started Or Enabled
• Unknown Process Using The Kerberos Protocol
• Windows Excessive Disabled Services Event

Other Updates

• Added a new input macro sourcetype="kube:container:falco"

Playbook Updates

• Splunk Attack Analyzer Dynamic Analysis
• Splunk Automated Email Investigation
• Splunk Identifier Activity Analysis
• Splunk Message Identifier Activity Analysis