splunk/security_content v4.39.0

on GitHub

Key Highlights

Enterprise Security Content Update version 4.39.0 introduces critical detections aimed at addressing vulnerabilities in Ivanti Virtual Traffic Manager (CVE-2024-7593), with a particular focus on detecting SQL injection remote code execution and unauthorized account creation activities.This update also significantly enhances Office 365 security by incorporating advanced detections that monitor data loss prevention triggers, identify suspicious email behaviors, and track critical security feature changes across email and SharePoint environments, ensuring a more robust defense against potential threats. Additionally, a comprehensive set of new detections for Windows Active Directory is included, targeting potential threats related to privilege escalation, dangerous ACL modifications, GPO changes, and suspicious attribute modifications, thereby strengthening the overall identity and access management defenses within the enterprise. This release also introduces a new RMM Software Tracking Dashboard, designed to assist with the auditing and monitoring of Remote Monitoring and Management (RMM) software. This dashboard provides comprehensive visibility into RMM alert content, enabling more effective tracking and analysis of RMM-related activities and potential security risks within your environment.

New Analytic Story - [2]

• Ivanti Virtual Traffic Manager CVE-2024-7593
• MoonPeak

New Analytics - [29]

• Detect Password Spray Attack Behavior From Source (External Contributor: @nterl0k )
• Detect Password Spray Attack Behavior On User(External Contributor: @nterl0k )
• Ivanti EPM SQL Injection Remote Code Execution
• Ivanti VTM New Account Creation
• O365 DLP Rule Triggered(External Contributor: @nterl0k )
• O365 Email Access By Security Administrator(External Contributor: @nterl0k )
• O365 Email Reported By Admin Found Malicious(External Contributor: @nterl0k )
• O365 Email Reported By User Found Malicious(External Contributor: @nterl0k )
• O365 Email Security Feature Changed(External Contributor: @nterl0k )
• O365 Email Suspicious Behavior Alert(External Contributor: @nterl0k )
• O365 Safe Links Detection(External Contributor: @nterl0k )
• O365 SharePoint Allowed Domains Policy Changed(External Contributor: @nterl0k )
• O365 SharePoint Malware Detection(External Contributor: @nterl0k )
• O365 Threat Intelligence Suspicious Email Delivered(External Contributor: @nterl0k )
• O365 Threat Intelligence Suspicious File Detected(External Contributor: @nterl0k )
• O365 ZAP Activity Detection(External Contributor: @nterl0k )
• Windows AD DCShadow Privileges ACL Addition(External Contributor: @dluxtron)
• Windows AD Dangerous Deny ACL Modification(External Contributor: @dluxtron)
• Windows AD Dangerous Group ACL Modification(External Contributor: @dluxtron)
• Windows AD Dangerous User ACL Modification(External Contributor: @dluxtron)
• Windows AD Domain Root ACL Deletion(External Contributor: @dluxtron)
• Windows AD Domain Root ACL Modification(External Contributor: @dluxtron)
• Windows AD GPO Deleted(External Contributor: @dluxtron)
• Windows AD GPO Disabled(External Contributor: @dluxtron)
• Windows AD GPO New CSE Addition(External Contributor: @dluxtron)
• Windows AD Hidden OU Creation(External Contributor: @dluxtron)
• Windows AD Object Owner Updated(External Contributor: @dluxtron)
• Windows AD Self DACL Assignment(External Contributor: @dluxtron)
• Windows AD Suspicious Attribute Modification(External Contributor: @dluxtron)

Updated Analytics - [2]

• Azure AD Concurrent Sessions From Different Ips
• Azure AD High Number Of Failed Authentications From Ip

New Dashboards

• RMM Software Tracking: Utilize this dashboard to assist with auditing and monitoring of Remote Monitoring and Management (RMM) alert content. (External Contributor: @nterl0k )

Other Updates

• Updated observables for 300+ analytics to improve creation accuracy of risk and threat objects
• contentctl was updated to v4.3.3, expanding the validation of content which leverages risk-based alerting (RBA). All production ESCU content, which uses RBA is now tested to ensure that threat objects, risk objects, and risk messages are generated accurately. These additional validations have resulted in the improvement of over 300 pieces of content in ESCU 4.39.0.