Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details.
This blog post covers all the security content developed from November 2023 through January 2024. Jump straight to the updates below, or read on to learn more about:
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box machine learning-, behavioral-, and AI-driven detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
Take advantage of security content through the Enterprise Security Content Update (ESCU) app or the Splunk Security Essentials (SSE) app. Both apps let you deploy over 1,600 out-of-the-box searches to start detecting, investigating and responding to threats. You can also browse the full security content repository at research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of all the security content developed from November 2023 - January 2024. (Prefer a video update? Watch our on-demand Tech Talk “Using the Splunk Threat Research Team’s Latest Security Content.”)
DarkGate is a malware that employs multi-stage payloads and leverages obfuscated AutoIt scripting to exfiltrate sensitive data and establish command and control communications. This analytic story includes detections to help uncover and investigate activities that could be indicative of DarkGate’s presence. Check out “Enter The Gates: An Analysis of the DarkGate AutoIt Loader” to learn more.
PlugX, also known as “PlugX RAT” or “Kaba,” is a covert malware that’s known for its ability to elude detection and its association with cyber espionage activities. You can read the Splunk Threat Research Team’s analysis of a specific PlugX variant here and find detections in the PlugX analytic story to search for activities related to:
The Rhysida Ransomware analytic story includes detections designed to identify unusual behaviors potentially associated with Rhysida, a ransomware that stealthily infiltrates systems and employs sophisticated encryption tactics to lock access to critical files and databases.
The Office 365 Account Takeover and Office 365 Persistence Mechanisms analytic stories include detections to monitor for activities and anomalies indicative of potential initial access techniques and persistence techniques within Office 365 environments. These detections can also be used to help detect attacks similar to the recent Midnight Blizzard incident that the Splunk Threat Research Team covered in this blog.
The Windows Attack Surface Reduction (ASR) analytic story contains detections for events related to Windows ASR (a feature of Windows Defender Exploit Guard). Defender writes these events when a process or application attempts an action that an ASR rule in block mode prevents, and also when a rule running in audit mode observes an action it would have blocked, so the same events can be used both to spot attacks and to measure the impact of a rule before enforcing it. Learn more about this content in “Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk.”
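The following is an added example, not Splunk's detection content and not code from the blog referenced above. It shows the kind of logic behind an ASR analytic: group Defender Operational-log events by rule and process, separate enforced blocks (Event ID 1121) from audit-only hits (Event ID 1122), surface the audit hits that would start breaking legitimate workflows once a rule is flipped to block, and flag blocks whose target looks like live tradecraft. The event IDs and the two rule GUIDs come from Microsoft's published ASR documentation; the record layout is a simplified stand-in for the real EventData fields, and every host, path and command line is constructed sample data.

```python
"""Triage Microsoft Defender Attack Surface Reduction (ASR) events.

Added example; not Splunk's or Microsoft's code. Event IDs 1121 (block mode,
action prevented) and 1122 (audit mode, action allowed but logged) are the
real IDs Defender writes to Microsoft-Windows-Windows Defender/Operational.
The AsrEvent layout is a simplified stand-in for the real EventData fields,
and all sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

ASR_BLOCKED = 1121  # rule in Block mode: the action was prevented
ASR_AUDITED = 1122  # rule in Audit mode: the action ran, only the event was logged

# Rule GUID -> rule name, from Microsoft's published ASR rule list
# (verify against current documentation before relying on the mapping).
ASR_RULE_NAMES = {
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A": "Block all Office applications from creating child processes",
    "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2": "Block credential stealing from LSASS",
}
OFFICE_CHILD = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
LSASS_STEAL = "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2"
UNKNOWN_RULE = "00000000-0000-0000-0000-000000000000"  # constructed placeholder GUID


@dataclass(frozen=True)
class AsrEvent:
    host: str
    event_id: int
    rule_id: str
    process: str  # process the rule acted on
    target: str   # child process / command line / file the action targeted


# Constructed sample events (not real telemetry).
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
UPDATER = r"C:\Program Files\Vendor\addin-updater.exe"
SAMPLE_EVENTS = [
    AsrEvent("ws01", ASR_BLOCKED, OFFICE_CHILD, WINWORD, r"C:\Windows\System32\cmd.exe /c powershell -w hidden -enc SQBFAFgA"),
    AsrEvent("ws01", ASR_BLOCKED, OFFICE_CHILD, WINWORD, r"C:\Windows\System32\cmd.exe /c powershell -w hidden -enc SQBFAFgA"),
    AsrEvent("ws02", ASR_AUDITED, OFFICE_CHILD, EXCEL, UPDATER),
    AsrEvent("ws03", ASR_AUDITED, OFFICE_CHILD, EXCEL, UPDATER),
    AsrEvent("ws02", ASR_AUDITED, OFFICE_CHILD, EXCEL, UPDATER),
    AsrEvent("srv01", ASR_BLOCKED, LSASS_STEAL, r"C:\Users\Public\procdump64.exe", r"C:\Windows\System32\lsass.exe"),
    AsrEvent("srv01", ASR_AUDITED, UNKNOWN_RULE, r"C:\Windows\System32\svchost.exe", r"C:\Temp\x.dll"),
]


def rule_name(rule_id: str) -> str:
    """Human-readable rule name; real events may carry the GUID in lower case."""
    return ASR_RULE_NAMES.get(rule_id.upper(), f"unknown ASR rule {rule_id}")


def summarize(events) -> dict:
    """Per rule: how many hits were enforced (1121) vs. audit-only (1122)."""
    out = defaultdict(lambda: {"blocked": 0, "audited": 0})
    for e in events:
        if e.event_id == ASR_BLOCKED:
            out[e.rule_id]["blocked"] += 1
        elif e.event_id == ASR_AUDITED:
            out[e.rule_id]["audited"] += 1
    return dict(out)


def audit_mode_impact(events, min_hosts: int = 2) -> dict:
    """Audit hits for one (rule, process, target) seen on >= min_hosts distinct
    hosts: the workflows that break the moment that rule is switched to Block.
    Returns {rule_id: [(process, target, host_count), ...]}, most hosts first."""
    hosts = defaultdict(set)
    for e in events:
        if e.event_id == ASR_AUDITED:
            hosts[(e.rule_id, e.process, e.target)].add(e.host)
    out = defaultdict(list)
    for (rule, proc, tgt), hs in hosts.items():
        if len(hs) >= min_hosts:
            out[rule].append((proc, tgt, len(hs)))
    return {r: sorted(v, key=lambda x: -x[2]) for r, v in out.items()}


# Keyword heuristic only; the real analytic story carries far richer logic.
SUSPICIOUS_MARKERS = ("powershell", "-enc", "lsass.exe", "\\users\\public\\")


def blocked_with_suspicious_target(events) -> list:
    """Enforced blocks whose process or target matches a tradecraft marker."""
    return [
        e for e in events
        if e.event_id == ASR_BLOCKED
        and any(m in f"{e.process} {e.target}".lower() for m in SUSPICIOUS_MARKERS)
    ]


if __name__ == "__main__":
    for rule, counts in summarize(SAMPLE_EVENTS).items():
        print(f"{rule_name(rule)}: {counts}")
    for rule, rows in audit_mode_impact(SAMPLE_EVENTS).items():
        print(f"would break under Block for {rule_name(rule)}: {rows}")
    for e in blocked_with_suspicious_target(SAMPLE_EVENTS):
        print(f"ALERT {e.host}: {rule_name(e.rule_id)} blocked {e.process} -> {e.target}")
```

On the constructed sample, the Office child-process rule shows two enforced blocks (Word spawning an encoded PowerShell command, which is also flagged by the heuristic) and three audit hits for the same vendor updater across two hosts, which is exactly the signal to review before switching that rule from audit to block. In Splunk the same grouping is a `stats` over the event code, rule ID and process fields once the Defender Operational channel is onboarded.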
Lastly, the team created two new analytic stories to help detect tactics and techniques adversaries may use in an effort to exploit Kubernetes environments: the Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring and Kubernetes Security analytic stories.
In November, CVE-2023-47246 was identified as affecting on-premises versions of SysAid prior to 23.3.36. The Splunk Threat Research Team tagged detections into a new SysAid On-Prem Software CVE-2023-47246 Vulnerability analytic story to support the identification of initial access and some post-exploitation activities.
Additionally, the team created the CISA AA23-347A analytic story to help detect and investigate activities that may be related to cyber tactics and techniques employed by Russia’s Foreign Intelligence Service (SVR).
January saw the creation of three new analytic stories related to newly-identified exploits. First, the Ivanti Connect Secure VPN Vulnerabilities analytic story includes analytics and hunting queries to support defenders against CVE-2023-46805 (an authentication-bypass vulnerability) and CVE-2024-21887 (a command-injection vulnerability).
Next, the Confluence Data Center and Confluence Server Vulnerabilities analytic story covers use cases for detecting and investigating potential attacks against Confluence Data Center and Confluence Server, such as CVE-2023-22527.
Lastly, the Jenkins Server Vulnerabilities analytic story includes detections to help defend against Jenkins server vulnerabilities, including CVE-2024-23897 (an arbitrary file read through the Jenkins CLI argument parser, disclosed in January 2024).
To learn more about these vulnerabilities and detection content, check out the following blogs:
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one; both are updated every quarter!
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company with over 7,500 employees, more than 1,020 patents to date, and availability in 21 regions around the world. It offers an open, extensible data platform that supports shared data across any environment, so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.