github splunk/security_content v5.6.0

3 months ago

Key highlights

🛡️ Cisco Secure Firewall Intrusion Analytics
We developed six new analytic rules that use intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma Stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation by combining the presence of specific Snort IDs triggered within a short period of time.

📊 Threat Activity by Snort IDs Dashboard
A new dashboard leveraging Cisco Firewall logs from eStreamer and a curated lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host with events from Splunk Enterprise Security.
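As an added illustration of the correlation logic described in the two highlights above (several Snort IDs for one threat firing on the same host within a short window, resolved through a Snort-ID-to-threat lookup), here is a stand-alone Python version. It is example code, not a rule or lookup from security_content; the Snort IDs, threat labels and events are constructed placeholders, not the real lookup contents.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a Snort-ID-to-threat lookup (hypothetical IDs;
# not the contents of cisco_snort_ids_to_threat_mapping).
SNORT_ID_TO_THREAT = {
    "1:900001": "Veeam CVE-2023-27532 exploitation",
    "1:900002": "Veeam CVE-2023-27532 exploitation",
    "1:900003": "Lumma Stealer download attempt",
}

# Constructed eStreamer-style intrusion events: (timestamp, host, snort_id).
SAMPLE_EVENTS = [
    ("2024-06-01T10:00:05", "10.0.0.5", "1:900001"),
    ("2024-06-01T10:00:40", "10.0.0.5", "1:900002"),  # 2nd ID within 35s -> hit
    ("2024-06-01T10:02:00", "10.0.0.9", "1:900001"),
    ("2024-06-01T10:30:00", "10.0.0.9", "1:900002"),  # 28 min apart -> no hit
    ("2024-06-01T11:00:00", "10.0.0.7", "1:900003"),  # single ID -> no hit
]


def correlate(events, lookup, window=timedelta(minutes=5), min_ids=2):
    """Group intrusion events by (host, threat) via the lookup and flag each
    pair where at least `min_ids` distinct Snort IDs fired within `window`.
    Returns {(host, threat): sorted list of the Snort IDs that co-occurred}."""
    by_key = defaultdict(list)
    for ts, host, sid in events:
        threat = lookup.get(sid)
        if threat is None:          # unmapped Snort ID: not part of any threat group
            continue
        by_key[(host, threat)].append((datetime.fromisoformat(ts), sid))

    hits = {}
    for key, rows in by_key.items():
        rows.sort()                 # sliding window needs time order
        for i, (t0, _) in enumerate(rows):
            seen = {sid for t, sid in rows[i:] if t - t0 <= window}
            if len(seen) >= min_ids:
                hits[key] = sorted(seen)
                break               # one hit per (host, threat) is enough
    return hits


if __name__ == "__main__":
    for (host, threat), ids in correlate(SAMPLE_EVENTS, SNORT_ID_TO_THREAT).items():
        print(f"{host}: {threat} (Snort IDs {', '.join(ids)})")
```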

📝 New Analytic Story & Threat Mappings
We published a new analytic story on Fake CAPTCHA campaigns—mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection—and completed comprehensive Xworm RAT threat mapping to ensure broad detection coverage.

New Analytic Story - [2]

New Analytics - [8]

Other Updates

  • Added two new lookups, cisco_snort_ids_to_threat_mapping and threat_snort_count, that contain information about Snort IDs mapped to specific threat actors.

  • Updated several detections based on customer feedback and bug reports on Github issues.

  • As previously communicated in the ESCU v5.4.0 release, several detections have been removed. For a complete list of the detections removed in version v5.6.0, refer to the List of Removed Detections in v5.6.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0.
