Release notes - v4.43.0
Total New and Updated Content: [1645]
Key highlights
Detection Analytics Updates
- Critical Alerts: Introduced a new analytic to detect critical alerts from multiple security tools, improving the identification of and response to high-priority threats. Tested with MS365 Defender and Windows Defender alerts; it is compatible with any vendor's alerts that are mapped to the Alerts data model.
- Braodo Stealer: Added detections focused on identifying malicious behaviors associated with information-stealing malware.
Tooling Updates
We have released a new version of contentctl (v4.4.5) that helps with building and testing ESCU content:
- Enhanced Drilldowns: Added two default drilldowns for all notable detections, enabling users to view detection results for specific risk objects and access risk events from the past 7 days. This improves investigation workflows and response efficiency.
- Version Enforcement & Datasource Testing: Enhanced version enforcement for detection content, automatically updating search versions when YAML changes. Added new datasource testing for detections, ensuring compatibility when new TAs are available.
Documentation Update
Additionally, the Splunk documentation and the GitHub Wiki have been updated to include the latest features shipped in the Enterprise Security Content Update (ESCU). This update provides detailed guidance on using and testing these detections with Splunk Enterprise Security.
New Analytic Story - [2]
New Analytics - [9]
- Detect Critical Alerts from Security Tools
- High Volume of Bytes Out to Url
- Internal Horizontal Port Scan NMAP Top 20
- Plain HTTP POST Exfiltrated Data
- Windows Archived Collected Data In TEMP Folder
- Windows Credentials from Password Stores Chrome Copied in TEMP Dir
- Windows Credentials from Web Browsers Saved in TEMP Folder
- Windows Disable or Stop Browser Process
- Windows Screen Capture in TEMP folder
Updated Analytics - [1532]
- All TTP/Anomaly and Correlation type detections now have two drilldowns added to their YAML files.
Huge thanks to @dluxtron for contributing new detections and enhancing existing ones!