splunk/security_content v5.2.0

on GitHub

Key highlights

We released new analytic stories and detections to enhance monitoring and security across GitHub, O365, and SQL Server environments. Here’s a summary of the latest updates:

• 👨‍💻 GitHub Malicious Activity: A new analytic story focused on detecting potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.

• 📧 O365 Email Threat Monitoring: Expanded coverage for malicious email activity in O365 environments. New detections focus on identifying inbox rule modifications, excessive email deletions, suspicious exfiltration behavior, and attempts to compromise payroll or password information. These detections help security teams track and mitigate email-based attacks, account takeovers, and data exfiltration tactics.

• 🗒️ SQL Server Abuse: Introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.

• 🔍 We have also mapped several of our existing detections to the Black Basta Ransomware, SnappyBee and SystemBC malware families as they continue to make headlines targeting various organizations.

• 🎗️ As announced in ESCU v5.0.0 release, we are removing old and dated content from the app starting with ESCU v5.2.0, which includes several removal of detections in this release to improve quality of detections. Along with the deprecation assistant that is shipped in the application, you can also refer to this list of removed detections and replacements on Splunk docs.

New Analytic Story - [6]

• Black Basta Ransomware
• China-Nexus Threat Activity
• GitHub Malicious Activity
• SQL Server Abuse
• SnappyBee
• SystemBC

New Analytics - [43]

• Executables Or Script Creation In Temp Path
• GitHub Enterprise Delete Branch Ruleset
• GitHub Enterprise Disable 2FA Requirement
• GitHub Enterprise Disable Audit Log Event Stream
• GitHub Enterprise Disable Classic Branch Protection Rule
• GitHub Enterprise Disable Dependabot
• GitHub Enterprise Disable IP Allow List
• GitHub Enterprise Modify Audit Log Event Stream
• GitHub Enterprise Pause Audit Log Event Stream
• GitHub Enterprise Register Self Hosted Runner
• GitHub Enterprise Remove Organization
• GitHub Enterprise Repository Archived
• GitHub Enterprise Repository Deleted
• GitHub Organizations Delete Branch Ruleset
• GitHub Organizations Disable 2FA Requirement
• GitHub Organizations Disable Classic Branch Protection Rule
• GitHub Organizations Disable Dependabot
• GitHub Organizations Repository Archived
• GitHub Organizations Repository Deleted
• O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE )
• O365 Email Hard Delete Excessive Volume (External Contributor: @nterl0k)
• O365 Email New Inbox Rule Created (External Contributor: @nterl0k)
• O365 Email Password and Payroll Compromise Behavior (External Contributor: @nterl0k)
• O365 Email Receive and Hard Delete Takeover Behavior (External Contributor: @nterl0k)
• O365 Email Send Attachments Excessive Volume(External Contributor: @nterl0k)
• O365 Email Send and Hard Delete Exfiltration Behavior(External Contributor: @nterl0k)
• O365 Email Send and Hard Delete Suspicious Behavior(External Contributor: @nterl0k)
• O365 Email Suspicious Search Behavior(External Contributor: @nterl0k)
• Windows Anonymous Pipe Activity
• Windows PowerShell Invoke-Sqlcmd Execution
• Windows Process Execution From ProgramData
• Windows SQL Server Configuration Option Hunt
• Windows SQL Server Critical Procedures Enabled
• Windows SQL Server Extended Procedure DLL Loading Hunt
• Windows SQL Server Startup Procedure
• Windows SQL Server xp_cmdshell Config Change
• Windows SQLCMD Execution
• Windows Scheduled Task with Suspicious Command
• Windows Scheduled Task with Suspicious Name
• Windows SnappyBee Create Test Registry
• Windows Sqlservr Spawning Shell
• Windows Svchost.exe Parent Process Anomaly
• Windows Unusual SysWOW64 Process Run System32 Executable

Macros Added - [5]

• github_enterprise
• github_organizations
• o365_messagetrace
• o365_suspect_search_terms_regex
• process_sqlcmd

Macros Updated - [1]

• linux_auditd

Lookups Added - [2]

• deprecation_info
• windows_suspicious_tasks

Lookups Updated - [1]

• ransomware_notes_lookup

Removed detections from v5.2.0

• The list of removed detections and its potential replacements(where available)

Marked for Deprecation in v5.4.0

• AWS SAML Access by Provider User and Principal
• GitHub Actions Disable Security Workflow
• aws detect permanent key creation
• Github Commit In Develop
• Suspicious Driver Loaded Path
• Known Services Killed by Ransomware
• Github Commit Changes In Master
• GitHub Pull Request from Unknown User
• Suspicious Event Log Service Behavior
• Suspicious Process File Path
• aws detect attach to role policy
• GitHub Dependabot Alert
• aws detect sts get session token abuse
• aws detect role creation
• aws detect sts assume role abuse
• AWS Cross Account Activity From Previously Unseen Account
• Remote Desktop Network Bruteforce