Splunk Security Content for Threat Detection & Response: June Recap

In June, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security Content Update (ESCU) app (v5.7.0 and v5.8.0). With these releases, there are 16 new analytics and 3 new analytic stories now available in Splunk Enterprise Security via the ESCU application update process.

Content highlights include:

Remote Employment Fraud Detections: Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents which are used to hide the true identity and/or location of an employee. We released a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.

The MITRE ATT&CK Detection Coverage Overview is now live! This visualization shows the real-time detection coverage across all MITRE ATT&CK tactics and can be used to identify specific detections for a given Tactic.

Inno Setup Abuse: Inno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. It has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. We released a story analytic story that demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.

Web Browser Abuse: Locally installed malware may use Web Browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. We release a number of analytics which recognize these suspicious flags.

Cisco Secure Firewall Threat Defense Integration: A number of ESCU Detections have been improved and tested to work with Event Streamer (eStreamer) data collected by the Cisco Secure Firewall Threat Defense (FTD) platform. For more information about Cisco Secure Firewall, please go here or refer to the Analytic Story Cisco Secure Firewall Threat Defense Analytics.

Bugfixes based on Community Feedback: Feedback from community members and users continues to be one of the best paths to improve the quality and performance of ESCU content. We released a number of bug fixes that reduce false positives and improve the risk objects and fields returned from searches.

For all our tools and security content, please visit research.splunk.com.

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

World Economic Forum In Davos - Growth in Global Technology Risk

Taking a look at the World Economic Forum (WEF) in Davos 2020 from a cybersecurity angle. What technology risks should we be prepared for according to the WEF?

Security 5 Min Read

Security Insights: Jenkins CVE-2024-23897 RCE

In response to CVE-2024-23897, the Splunk Threat Research Team has developed new security detections and hunting queries to support defenders.

Security 2 Min Read

Which of Gartner’s 2019 Top 7 Security and Risk Management Trends Are Impacting Your Business?

In this 3-part series, we take a closer look into Gartner's trends and share how you can address these issues.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.

Learn more about Splunk

Subscribe to our blog

Get the latest articles from Splunk straight to your inbox.

Connect with Splunk on X

Follow @Splunk

Connect with Splunk on Instagram