
v4.32.0

@gowthamarajr gowthamarajr released this 22 May 20:00
· 1625 commits to develop since this release
bb3788d

What's new

Enterprise Security Content Updates v4.32.0 was released on May 22, 2024. It includes the following enhancements:

Key highlights

The Splunk Threat Research Team has added 6 new detections and updated 6 existing detection analytics focused on AWS. These analytics use the Open Cybersecurity Schema Framework (OCSF) to support the recent GA release of Amazon Security Lake (ASL) and the Splunk Add-on for Amazon Web Services. Additionally, Enterprise Security Content Updates v4.32.0 updates 6 analytics based on testing against real-world data, to improve their accuracy in identifying suspicious activity and potential threats.

Enterprise Security Content Updates v4.32.0 detects critical security events such as attempts to disable or modify CloudTrail logging, unauthorized container image uploads to Amazon ECR, and suspicious IAM group deletions, so that these actions are monitored and can be responded to quickly.
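The CloudTrail-tampering case above, worked through as an added example: this is not the release's own SPL analytic and not project code, but a stand-alone Python check that runs the same idea over constructed OCSF-shaped API Activity events of the kind Amazon Security Lake emits for CloudTrail. The field paths (class_uid, api.operation, api.service.name, api.request.data, actor.user, src_endpoint.ip, cloud.region, status) follow the OCSF API Activity class; the operation list, usernames, IPs and trail ARN are assumptions chosen for the example.

```python
"""Added example (not the release's SPL, not project code): flag CloudTrail
logging being stopped, deleted or reconfigured in OCSF-shaped events.

Field names follow the OCSF API Activity class (class_uid 3005) as Amazon
Security Lake emits it for CloudTrail management events. All events below
are constructed for this example; names, IPs and ARNs are not real."""
import json

# Management API calls that stop, delete or reconfigure a trail.
# (Assumption: this is the set a practitioner would start from; the
# release's own analytics may use a different list.)
CLOUDTRAIL_TAMPERING_OPS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
}
CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"

# Constructed OCSF-style API Activity records, one JSON object per line.
# Events 1, 3 and 4 are tampering (event 3 is a denied attempt); event 2 is a
# benign read; event 5 is a different service and must not match.
SAMPLE_EVENTS = """\
{"class_uid":3005,"time":1716400000000,"api":{"operation":"StopLogging","service":{"name":"cloudtrail.amazonaws.com"},"request":{"data":{"name":"arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}}},"actor":{"user":{"name":"alice","uid":"AIDAEXAMPLE1","type":"IAMUser"}},"src_endpoint":{"ip":"198.51.100.7"},"cloud":{"region":"us-east-1"},"status":"Success"}
{"class_uid":3005,"time":1716400060000,"api":{"operation":"DescribeTrails","service":{"name":"cloudtrail.amazonaws.com"}},"actor":{"user":{"name":"bob","uid":"AIDAEXAMPLE2","type":"IAMUser"}},"src_endpoint":{"ip":"203.0.113.10"},"cloud":{"region":"us-east-1"},"status":"Success"}
{"class_uid":3005,"time":1716400120000,"api":{"operation":"StopLogging","service":{"name":"cloudtrail.amazonaws.com"}},"actor":{"user":{"name":"alice","uid":"AIDAEXAMPLE1","type":"IAMUser"}},"src_endpoint":{"ip":"198.51.100.7"},"cloud":{"region":"us-west-2"},"status":"Failure"}
{"class_uid":3005,"time":1716400180000,"api":{"operation":"DeleteTrail","service":{"name":"cloudtrail.amazonaws.com"},"request":{"data":{"name":"arn:aws:cloudtrail:eu-west-1:111122223333:trail/eu-trail"}}},"actor":{"user":{"name":"deploy-role","uid":"AROAEXAMPLE3","type":"AssumedRole"}},"src_endpoint":{"ip":"192.0.2.55"},"cloud":{"region":"eu-west-1"},"status":"Success"}
{"class_uid":3005,"time":1716400240000,"api":{"operation":"PutObject","service":{"name":"s3.amazonaws.com"}},"actor":{"user":{"name":"carol","uid":"AIDAEXAMPLE4","type":"IAMUser"}},"src_endpoint":{"ip":"192.0.2.9"},"cloud":{"region":"us-east-1"},"status":"Success"}
"""


def detect_cloudtrail_tampering(ndjson: str, include_failures: bool = True) -> list[dict]:
    """Return one finding per CloudTrail management call that stops, deletes
    or reconfigures a trail. Failed attempts are kept by default: a denied
    StopLogging still shows someone trying to blind the audit log."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("class_uid") != 3005:          # API Activity class only
            continue
        api = ev.get("api", {})
        if api.get("service", {}).get("name") != CLOUDTRAIL_SERVICE:
            continue                              # same op name on another service is not CloudTrail
        op = api.get("operation")
        if op not in CLOUDTRAIL_TAMPERING_OPS:
            continue
        status = ev.get("status")
        if status != "Success" and not include_failures:
            continue
        user = ev.get("actor", {}).get("user", {})
        findings.append({
            "time": ev.get("time"),
            "operation": op,
            "status": status,
            "user": user.get("name"),
            "user_type": user.get("type"),
            "src_ip": ev.get("src_endpoint", {}).get("ip"),
            "region": ev.get("cloud", {}).get("region"),
            "trail": api.get("request", {}).get("data", {}).get("name"),
        })
    return findings


def summarize_by_actor(findings: list[dict]) -> dict:
    """Collapse findings per user: count plus the distinct operations,
    regions and source IPs involved, the view an analyst wants in an alert."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["user"], {
            "count": 0, "operations": set(), "regions": set(), "src_ips": set(),
        })
        s["count"] += 1
        s["operations"].add(f["operation"])
        s["regions"].add(f["region"])
        s["src_ips"].add(f["src_ip"])
    return summary


if __name__ == "__main__":
    hits = detect_cloudtrail_tampering(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    for user, s in summarize_by_actor(hits).items():
        print(user, s["count"], sorted(s["operations"]), sorted(s["regions"]))
```

The service-name filter matters: OCSF carries the operation name as a plain string, so matching on api.operation alone would also catch an unrelated service that happens to use the same verb. Keeping denied attempts is a design choice; an analytic that only fires on status Success misses the attacker whose first try was blocked by an SCP or IAM policy.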

This release also introduces a new data_sources object for each detection. It improves mapping by associating a detection with its corresponding Splunkbase TAs and sample events, and it lists the fields extracted from the raw data.

New analytics

Updated Analytics

Macros added

aws_ecr_users_asl

Macros updated

amazon_security_lake

Deprecated detection

Windows DLL Search Order Hijacking Hunt

Other updates

  • Updates to several reference links that were no longer working.
  • Added the generated dist/ files to .gitignore and had the release.yml CI job add them back, so that the dist/ files shipped with a release are always regenerated and up to date.
  • Added a new yml object, data_sources, describing each data source used by the detection search.