v5.9.0

Key Highlights

• 🔍 Cisco Network Visibility Module Analytics: Introduced a new analytic story leveraging Cisco NVM telemetry to detect suspicious endpoint network behavior. This release includes 14 analytics covering threats such as insecure curl usage, typosquatted Python packages, abuse of native Windows tools like rundll32 and mshta, and anomalous network connections from uncommon or argument-less processes.

• 💣 Disk Wiper: Released a new analytic story focused on identifying destructive malware that irreversibly erases disk data, with tagged detections targeting recursive file deletion and raw access to disk volumes and the primary boot record.

• ⚙️ CrowdStrike EDR Playbook Pack for Splunk SOAR: Shipped a new playbook pack that enables automated investigation, enrichment, and response using CrowdStrike Falcon, helping security teams streamline endpoint operations with playbooks for actions like device isolation, process termination, file handling, and denylisting executables.

New Analytic Story - [2]

• Cisco Network Visibility Module Analytics
• Disk Wiper

New Analytics - [19]

• Cisco NVM - Curl Execution With Insecure Flags
• Cisco NVM - Installation of Typosquatted Python Package
• Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
• Cisco NVM - Non-Network Binary Making Network Connection
• Cisco NVM - Outbound Connection to Suspicious Port
• Cisco NVM - Rclone Execution With Network Activity
• Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
• Cisco NVM - Susp Script From Archive Triggering Network Activity
• Cisco NVM - Suspicious Download From File Sharing Website
• Cisco NVM - Suspicious File Download via Headless Browser
• Cisco NVM - Suspicious Network Connection From Process With No Args
• Cisco NVM - Suspicious Network Connection Initiated via MsXsl
• Cisco NVM - Suspicious Network Connection to IP Lookup Service API
• Cisco NVM - Webserver Download From File Sharing Website
• CrowdStrike Falcon Stream Alerts(Internal Contributor : @bpluta-splunk)
• Linux Auditd Auditd Daemon Abort
• Linux Auditd Auditd Daemon Shutdown
• Linux Auditd Auditd Daemon Start
• Windows File Download Via PowerShell

Updated Analytics - [2]

• Attacker Tools On Endpoint(External Contributor : @sventec )
• O365 BEC Email Hiding Rule Created(External Contributor @0xC0FFEEEE )

Macros Added - [1]

• cisco_network_visibility_module_flowdata

Macros Updated - [0]

Lookups Added - [2]

• suspicious_ports_list
• typo_squatted_python_packages

Lookups Updated - [1]

• attacker_tools

Other Updates

• Updated all content to use the latest links for Splunk Documentation - https://help.splunk.com/

Playbooks Added - [9]

(Internal Contributor : @ccl0utier )

• CrowdStrike OAuth API Endpoint Analysis
• CrowdStrike OAuth API Executable Denylisting
• CrowdStrike OAuth API File Collection
• CrowdStrike OAuth API File Eviction
• CrowdStrike OAuth API File Restore
• CrowdStrike OAuth API Get Device Info
• CrowdStrike OAuth API Network Isolation
• CrowdStrike OAuth API Network Restore
• CrowdStrike OAuth API Process Termination