What's new

Enterprise Security Content Updates version 5.6.0 was released on May 21, 2025 and includes the following enhancements:

Key highlights

Splunk Enterprise Security Content Update version 5.6.0 releases new analytics, a new dashboard, and new threat mappings to strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

Here's a summary of the latest updates:

  • Cisco Secure Firewall Intrusion Analytics: We developed six new analytic rules that use the Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma Stealer behaviors (download and outbound attempts), and monitor exploitation of Veeam CVE-2023-27532 by correlating specific Snort IDs that fire on the same host within a short time window.
  • Threat Activity by Snort IDs Dashboard: A new dashboard that uses the Cisco Firewall logs from eStreamer together with a purpose-built lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host using events from Splunk Enterprise Security.
  • New Analytic Story and Threat Mappings: We published a new analytic story on Fake CAPTCHA campaigns, mapping existing detections to the observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection, and completed comprehensive XWorm RAT threat mapping to ensure solid detection coverage.
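To make the correlation logic behind the Cisco Secure Firewall analytics and the Snort ID dashboard concrete, here is an added example (not ESCU code and not the shipped detections) of the two building blocks those items describe: a lookup that maps Snort IDs to a threat, plus a per-threat count of how many distinct IDs must fire, and a per-host sliding window that raises an alert only when that many mapped IDs fire within a few minutes. Every Snort ID, threat name, field name and log line below is constructed for illustration; the real lookups and the eStreamer field schema differ, and the window size and the choice of grouping key (destination versus source host) are assumptions.

```python
"""Windowed correlation of Snort intrusion IDs per host.

Added example, not ESCU code. All Snort IDs, threat names, field names and
log lines are constructed placeholders; the real ESCU lookups differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a cisco_snort_ids_to_threat_mapping-style lookup:
# Snort ID (gid:sid) -> threat name. The IDs are hypothetical, not real rules.
SNORT_TO_THREAT = {
    "1:900001": "ExampleExploitChain",
    "1:900002": "ExampleExploitChain",
    "1:900003": "ExampleStealer",
}

# Constructed stand-in for a threat_snort_count-style lookup: how many
# distinct mapped IDs must fire on one host before an alert is raised.
THREAT_REQUIRED_COUNT = {"ExampleExploitChain": 2, "ExampleStealer": 1}

# Constructed intrusion events in a simple key=value form (not a real
# eStreamer record layout). Host 10.2.2.10 sees the same two IDs as
# 10.2.2.9, but 19 minutes apart, so it must not alert.
SAMPLE_LOG = """\
2025-05-21T10:00:01Z src_ip=10.1.1.5 dest_ip=10.2.2.9 snort_id=1:900001
2025-05-21T10:00:40Z src_ip=10.1.1.5 dest_ip=10.2.2.9 snort_id=1:900002
2025-05-21T10:00:50Z src_ip=10.1.1.7 dest_ip=10.2.2.10 snort_id=1:900001
2025-05-21T10:20:00Z src_ip=10.1.1.7 dest_ip=10.2.2.10 snort_id=1:900002
2025-05-21T11:00:00Z src_ip=10.1.1.8 dest_ip=10.2.2.1 snort_id=1:900003
2025-05-21T11:00:05Z src_ip=10.1.1.9 dest_ip=10.2.2.1 snort_id=1:123456
"""


def parse_events(text):
    """Parse the constructed log into dicts with _time, dest_ip, snort_id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "_time": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "dest_ip": fields["dest_ip"],
            "snort_id": fields["snort_id"],
        })
    return events


def correlate(events, window=timedelta(minutes=5)):
    """Return (alerts, unmapped_ids).

    An alert is raised for a (dest_ip, threat) pair when at least
    THREAT_REQUIRED_COUNT[threat] distinct mapped Snort IDs fire on that
    host within `window`. Grouping on dest_ip is an assumption; for
    outbound activity (e.g. a stealer beaconing) src_ip is the better key.
    """
    buckets = defaultdict(list)   # (dest_ip, threat) -> [(time, snort_id)]
    unmapped = []
    for ev in events:
        threat = SNORT_TO_THREAT.get(ev["snort_id"])
        if threat is None:
            unmapped.append(ev["snort_id"])   # not in the lookup: ignored
            continue
        buckets[(ev["dest_ip"], threat)].append((ev["_time"], ev["snort_id"]))

    alerts = []
    for (host, threat), hits in buckets.items():
        hits.sort()
        need = THREAT_REQUIRED_COUNT[threat]
        # Slide a window anchored at each hit; alert on the first window
        # that contains enough distinct IDs, then stop (one alert per pair).
        for i, (t0, _) in enumerate(hits):
            ids = {sid for t, sid in hits[i:] if t - t0 <= window}
            if len(ids) >= need:
                alerts.append({"dest_ip": host, "threat": threat,
                               "snort_ids": sorted(ids),
                               "first_seen": t0.isoformat()})
                break
    return alerts, unmapped


def run_example():
    """Run the correlation over the constructed sample log."""
    return correlate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    found, skipped = run_example()
    for a in found:
        print(f"ALERT {a['threat']} on {a['dest_ip']} at {a['first_seen']}: "
              f"{', '.join(a['snort_ids'])}")
    print("unmapped Snort IDs:", skipped)
```

The two-lookup shape is what makes the mapping maintainable: adding coverage for a new threat means appending rows to the ID-to-threat table and one row to the count table, with no change to the correlation rule itself. The unmapped list is worth surfacing on a dashboard as well, since IDs that fire often but map to nothing are candidates for the next mapping update.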

New dashboard

Threat Activity by Snort IDs

Other updates

  • Added two new lookups, cisco_snort_ids_to_threat_mapping and threat_snort_count, that map Snort IDs to specific threat actors.
  • Updated several detections based on customer feedback and bug reports filed as GitHub issues.
  • Removed Detections: We removed the detections announced for removal in the ESCU v5.4.0 release. For a full list of detections removed in 5.6.0, see List of removed detections in 5.6.0. You must use the replacements where appropriate. We have also deprecated a new set of detections. For a list of detections scheduled for removal in ESCU version 5.8.0, see List of detections scheduled for removal in ESCU version 5.8.0.