Releases: splunk/security_content
v1.0.52
Enterprise Security Content Updates v1.0.52 was released on March 18, 2020. It includes the following enhancements:
Fixed issues:
- CRL-1746 - Added filter macros for several detection searches
- CRL-1744 - Fixed empty macro unauthorize_dns_services_filter and typo in name for smb_traffic_spike_mltk_filter
- CRL-1742 - Fixed broken "Search Summary" panel in the "Content Library" dashboard
- Fixed various issues with search syntax in the following detections:
Detect Outlook.exe writing a zip file
Create or delete windows shares using net.exe
Disabling Remote User Account Control
First time seen command line arg
Processes created by netsh
Overwriting accessibility binaries
Registry Keys Used For Privilege Escalation
Remote Registry Key Modifications
Full documentation: https://docs.splunk.com/Documentation/ESSOC/1.0.52
v1.0.51
Enterprise Security Content Updates v 1.0.51 was released on March 2, 2020. It includes the following enhancements:
New Analytic Story:
- Container Implantation Monitoring & Investigation
Fixed issues:
- Updated "Credential Dumping" story with new detection - "Dump LSASS via comsvcs DLL"
- Update to "Access LSASS Memory for Dump Creation"
Full documentation: https://docs.splunk.com/Documentation/ESSOC/1.0.51
v1.0.50
Enterprise Security Content Updates v 1.0.50 was released on February 13, 2020. It includes the following enhancements:
Fixed issues:
- CRL-1727 - Fixed bug in "AWS Activity in New Region" around converting the time to a readable format
- CRL-1726 - Some lookup files were inadvertently omitted from the last couple of builds. All lookups now properly included
- CRL-1725 - Updated search in "Detect Prohibited Applications Spawning cmd.exe" to use parent_process_name vs parent_process where appropriate
- CRL-1723 - Fixed search "Suspicious Writes to Windows Recycle Bin" to use Filesystem.file_path as opposed to Filesystem.filepath
- Closes issue 343
- Introduced a new detection
MacOS - Re-opened Applicationscontributed by @jwindley-splunk
Full documentation: https://docs.splunk.com/Documentation/ESSOC/1.0.50
v1.0.49
Updated Analytic Stories:
CRL-1711 - Updated "Credential Dumping" analytic story detections with corresponding MITRE technique IDs
CRL-1714 - Updated "Lateral Movement", "Windows Privilege Escalation", and "Disabling Security Tools" analytic stories.
- added a new detection "Unload Sysmon Filter Driver".
- added appropriate MITRE ATT&CK technique IDs to all detection searches.
- refreshed MITRE ATT&CK reference URLs where needed.
- added input and output filter macros where needed.
CRL-1718 - Updated DNS Hijack analytic story
- Added output filter macros to "Clients Connecting to Multiple DNS Servers", "DNS record changed", and "DNS Query Requests Resolved by Unauthorized DNS Servers" detections.
- Updated cis20 mappings in "Clients Connecting to Multiple DNS Servers" detection.
- Updated mitre_attack mappings in "DNS Query Requests Resolved by Unauthorized DNS Servers" detection.
- Added lookup 'discovered_dns_records' to "DNS record changed" detection.
- Updated entities output by "Detect hosts connecting to dynamic domain providers" detection.
Fixed issues:
- CRL-1715 - Updated "First Time Seen Running Windows Service" detection and "Previously Seen Running Windows Services" support search to use field names provided by Splunk Add-on for Microsoft Windows.
- CRL-1716 - Updated Malicious PowerShell Process With Obfuscation Techniques detection to address a false negative.
- CRL-1717 - Updated macro definitions to resolve error "Error in 'SearchParser' unable to find definition for macro 'X'. It is expected in the 'definition' conf key.]"
- CRL-1719 - Fixed URL reference in "Windows Privilege Escalation" analytic story
v1.0.48
RELEASE NOTES
Version 1.0.48 was released on December 20, 2019 and introduced input(pre-filter) and output(post-filter) macros for all new detection searches after v. 1.0.46. These macros let you update a macro definition once and then apply the new definition across all detections that leverage that macro. These changes will be local to your Splunk environment.
New detection searches added to the "Credential Dumping" Analytic Story:
- Access LSASS Memory for Dump Creation
- Create Remote Thread into LSASS
- Detect Credential Dumping through LSASS access
- Unsigned Image Loaded by LSASS
- Attempted Credential Dump From Registry via Reg.exe
- Detect Mimikatz Using Loaded Images
- Attempt To Set Default PowerShell Execution Policy To Unrestricted or Bypass
- Creation of Shadow Copy with ntdsutil
- Creation of Shadow Copy with vssadmin
- Creation of Shadow Copy with wmic and powershell
- Creation of Shadow Copy with wmicCredential Dumping via Copy Command from Shadowcopy
- Credential Dumping via Symlink to Shadowcopy
Fixed a bug in the security_content_ctime macro, which was not working as expected.
v1.0.47
Enterprise Security Content Updates v 1.0.47 included the following enhancements:
Fixed issues:
- CRL-1700 Remove ES macro dependency by introducing new macros security_content_ctime replacing the ctime macro across all content, and introducing security_content_summariesonly replacing the summariesonly macro across all content.
- Removed runstory macro definition .
- Removed comment macro for empty definition.
v1.0.46
Enterprise Security Content Updates v 1.0.46 included the following enhancements.
Fixed issues:
- CRL-1688 Ensure that ESCU is supported on Splunk Enterprise 8.0
- CRL-1686 Resolve broken hyperlinks in content files
- CRL-1609 Fix for validation check on Feedback Center page
v1.0.45
Enterprise Security Content Updates v 1.0.45 included the following enhancements.
Updated Analytic Stories:
- Added new searches "Abnormally High AWS Instances Launched by User - MLTK detection" and "Abnormally High AWS Instances Terminated by User - MLTK detection" to the "Suspicious AWS EC2 Activities" Analytic Story
- Added new search "Abnormally High AWS Instances Launched by User - MLTK detection" to the "Cloud Cryptomining" Analytic Story
Fixed issues:
- CRL-1493 ESCU Fraud Searches Are Mislabeled
- CRL-1697 Added: Cloud Compute Instance Created With Previously Unseen Image detection to Cloud Cryptomining story