v4.34.0

Release notes for ESCU release_v4.34.0

Total New and Updated Content: [1256]

New Analytic Story - [1]

• Gomir

Updated Analytic Story - [0]

New Analytics - [2]

• Windows Debugger Tool Execution
• Windows Unsigned DLL Side-Loading In Same Process Path

Updated Analytics - [1238]

Over 1200+ descriptions updated.

Macros Added - [3]

• fillnull_config
• oldsummaries_config
• summariesonly_config

Macros Updated - [2]

• prohibited_softwares
• security_content_summariesonly

Updated the security_content_summariesonly macro to use macros for each of the configuration settings that were previously hardcoded. There's no change in the values of those macros and the previous configuration of the security_content_summariesonly macro

Lookups Added - [0]

Lookups Updated - [0]

Playbooks Added - [0]

Playbooks Updated - [0]

Deprecated Analytics - [10]

• Clients Connecting to Multiple DNS Servers
• DNS Query Requests Resolved by Unauthorized DNS Servers
• First time seen command line argument
• GCP Kubernetes cluster scan detection
• Multiple Okta Users With Invalid Credentials From The Same IP
• Okta Failed SSO Attempts
• Prohibited Software On Endpoint
• Suspicious Changes to File Associations
• Uncommon Processes On Endpoint
• Unsigned Image Loaded by LSASS

Other Updates

• Updated descriptions and _filter macro for several analytics to have a consistent standard and formatting.
• Updated distsearch.conf to remove bias language.
• Updated testing to run against the official Splunk Sysmon for Linux Add-on.

Full Changelog: v4.33.0...v4.34.0