π Key Highlights
π΄ Linux Dirty Frag Privilege Escalation (CVE-2026-43284 & CVE-2026-43500) π΄
Added a new detection for the Dirty Frag Linux kernel privilege escalation vulnerabilities, identifying the exploit's characteristic high-frequency splice() syscall activity followed by execution of a setuid binary within the same audit session. This analytic provides early visibility into attempts to corrupt the kernel page cache and escalate privileges to root through abuse of the IPsec ESP or RxRPC subsystems.
π» Phantom Stealer π»
Expanded detection coverage for this Windows information stealer that targets browser credentials, FTP/SSH clients, cryptocurrency wallets, and other sensitive application data. This release adds a new detection for unauthorized access to WinSCP security configuration folders while tagging and enhancing existing analytics covering browser credential theft, PowerShell abuse, process injection, persistence, suspicious browser behavior, and data exfiltration, improving visibility into credential harvesting and post-compromise activity commonly associated with modern infostealers.
β« Sysmon Event ID 8 Detection Improvements β«
Refined detection coverage built on Sysmon Event ID 8 (CreateRemoteThread) by aligning the data source with native Sysmon field mappings, updating analytics to use the correct raw field names, and reducing false positives through rule consolidation and deprecation of noisy content. This release also introduces a new detection β Windows Uncommon Remote Thread Creation in Browser Process β strengthening visibility into process injection techniques while improving the accuracy and maintainability of existing CreateRemoteThread analytics.
πͺ¨ AWS Bedrock Claude AI Security Analytics πͺ¨
Introduced a new analytic story for AWS Bedrock Claude focused on detecting prompt injection, jailbreak attempts, and suspicious AI interactions targeting enterprise generative AI workloads. This release adds analytics to identify cross-region inference abuse, excessive token consumption, high-risk filesystem and execution tool invocation, hostile prompt sentiment, prompt injection attempts, sensitive data exposure in prompts, and unusually large prompt submissions, providing security teams with visibility into attempts to bypass AI safety controls, manipulate model behavior, or misuse Claude-powered applications.
New Analytic Story - [2]
New Analytics - [10]
- AWS Bedrock Claude Cross Region Possible Inference Abuse
- AWS Bedrock Claude High Risk Filesystem and Exec Tool Invocation
- AWS Bedrock Claude Hostile Prompt Sentiment
- AWS Bedrock Claude Possible Prompt Injection
- AWS Bedrock Claude Sensitive Data in Prompts
- AWS Bedrock Claude Unusually Large Prompts
- AWS Bedrock Claude excessive use of tokens
- Linux Dirty Frag Kernel Privilege Escalation
- Windows Uncommon Remote Thread Creation In Browser Process
- Windows WinSCP Configuration Security Access
Updated Analytics - [53]
Other Updates
π§± PowerShell ScriptBlock Analytics Refinement π§±
Updated the finding messages for detections leveraging the PowerShell ScriptBlock data source to improve readability by omitting oversized ScriptBlockText fields, while also converting these analytics to Anomaly detections and refining their descriptions for clearer triage.
Content Scheduled for Removal in Future Releases
| Content | Content Type | Removed in Version | Reason | Replacement Content |
|---|---|---|---|---|
| PowerShell - Connect To Internet With Hidden Window | Detection | 6.4.0 | Detection has been deprecated due to incorrect logic and bad performance. | None |
| Regsvr32 with Known Silent Switch Cmdline | Detection | 6.4.0 | Detection has been deprecated since its logic is already covered by another more improved detection. | Regsvr32 Silent and Install Param Dll Loading |
| Rundll32 CreateRemoteThread In Browser | Detection | 6.4.0 | Detection has been deprecated. The search is being replaced with a more generic detection that captures the behavior instead of relying on specific source processes. | Windows Uncommon Remote Thread Creation In Browser Process |
| Splunk App for Lookup File Editing RCE via User XSLT | Detection | 6.4.0 | Detection has been deprecated because it's too generic and does not provide the ability to detect the payload executed via this exploit. | None |
| Splunk Code Injection via custom dashboard leading to RCE | Detection | 6.4.0 | Detection has been deprecated. The affected Splunk software versions (8.1.12, 8.2.9, and 9.0.2) are no longer supported, having reached End of Life (EOL) between 2023 and 2024. Also, the logic is not perfectly capturing the malicious activity. | None |
| Splunk Enterprise KV Store Incorrect Authorization | Detection | 6.4.0 | Detection has been deprecated. The affected Splunk software versions (below 9.0.8 and 9.1.3)are no longer supported, having reached End of Life (EOL), and the logic is not accurately detecting the malicious activity. | None |
| Splunk Information Disclosure on Account Login | Detection | 6.4.0 | Detection has been deprecated. The logic is not accurately detecting the malicious activity. | None |
| Splunk Path Traversal In Splunk App For Lookup File Edit | Detection | 6.4.0 | Detection has been deprecated. The logic is not accurately detecting the malicious activity. | None |
| Splunk RCE PDFgen Render | Detection | 6.4.0 | Detection has been deprecated. The metadata along with the search are not accurately capturing the malicious activity. | None |
| Windows Process Injection Of Wermgr to Known Browser | Detection | 6.4.0 | Detection has been deprecated. The search is being replaced with a more generic detection that captures the behavior instead of relying on specific source processes. | Windows Uncommon Remote Thread Creation In Browser Process |
| Windows Process Injection With Public Source Path | Detection | 6.4.0 | Detection has been deprecated. The search is not helpful for the user to implement nor use, as it will generate too many false positives. | None |