Splunk® Enterprise Security Content Update

Release Notes

What's new

Enterprise Security Content Update version 5.2.0 was released on March 24, 2025, and includes the following enhancements:

Key highlights

We released new analytic stories and detections to enhance monitoring and security across GitHub, O365, and SQL Server environments. Here's a summary of the latest updates:

  • GitHub Malicious Activity: A new analytic story focused on detecting potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.
  • O365 Email Threat Monitoring: Expanded coverage for malicious email activity in O365 environments. New detections focus on identifying inbox rule modifications, excessive email deletions, suspicious exfiltration behavior, and attempts to compromise payroll or password information. These detections help security teams track and mitigate email-based attacks, account takeovers, and data exfiltration tactics.
  • SQL Server Abuse: Introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.
  • We have also mapped several of our existing detections to the Black Basta Ransomware, SnappyBee and SystemBC malware families as they continue to make headlines targeting various organizations.
  • As announced in the ESCU v5.0.0 release, we are removing old and dated content from the app starting with ESCU v5.2.0; this release removes several detections to improve overall detection quality. Along with the deprecation assistant that ships in the application, you can also refer to the list of removed detections and their replacements on Splunk docs.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.
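The O365 highlights above describe two detection patterns: a newly created inbox rule that hides mail (the BEC "email hiding rule") and an excessive volume of hard deletes by a single mailbox in a short window. The following Python is an added illustration of that logic, not ESCU's own search content: it runs over constructed sample events whose field names (`time`, `user`, `op`, `params`) are assumptions made for this example rather than the Office 365 audit schema.

```python
"""Toy detection logic for two O365 email behaviours: a mail-hiding inbox
rule and a burst of HardDelete operations by one user.  The sample events
are constructed for this example and are not real audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Folders a user rarely looks at.  Routing mail there, deleting it, or
# marking it read on arrival is the classic BEC "hiding rule" pattern.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email",
                  "deleted items", "conversation history", "archive"}


def is_hiding_rule(params):
    """True if the inbox-rule parameters would hide incoming mail."""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    if params.get("MarkAsRead", "").lower() == "true":
        return True
    return params.get("MoveToFolder", "").lower() in HIDING_FOLDERS


def find_hiding_rules(events):
    """(user, rule name) for every New-/Set-InboxRule that hides mail."""
    hits = []
    for e in events:
        if e["op"] in ("New-InboxRule", "Set-InboxRule") and is_hiding_rule(e["params"]):
            hits.append((e["user"], e["params"].get("Name", "<unnamed>")))
    return hits


def excessive_hard_deletes(events, threshold=50, window=timedelta(minutes=10)):
    """Per user, the largest number of HardDelete events inside any sliding
    `window`; only users reaching `threshold` are returned.  A sliding window
    avoids the boundary blind spot of fixed 10-minute buckets."""
    by_user = defaultdict(list)
    for e in events:
        if e["op"] == "HardDelete":
            by_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[user] = best
    return flagged


def _build_sample_events():
    """Constructed events: one hiding rule, one benign rule, one purge burst,
    and one user doing ordinary housekeeping spread over hours."""
    base = datetime(2025, 3, 24, 9, 0, 0)
    events = [
        {"time": base.isoformat(), "user": "alice@example.com",
         "op": "New-InboxRule",
         "params": {"Name": "invoices", "SubjectContainsWords": "invoice",
                    "MoveToFolder": "RSS Feeds", "MarkAsRead": "True"}},
        {"time": (base + timedelta(minutes=1)).isoformat(),
         "user": "bob@example.com", "op": "New-InboxRule",
         "params": {"Name": "newsletters", "MoveToFolder": "Newsletters"}},
    ]
    for i in range(60):  # carol: 60 hard deletes one second apart
        events.append({"time": (base + timedelta(minutes=5, seconds=i)).isoformat(),
                       "user": "carol@example.com", "op": "HardDelete", "params": {}})
    for i in range(10):  # dave: 10 hard deletes an hour apart
        events.append({"time": (base + timedelta(hours=i)).isoformat(),
                       "user": "dave@example.com", "op": "HardDelete", "params": {}})
    return events


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    print("hiding rules:", find_hiding_rules(SAMPLE_EVENTS))
    print("excessive hard deletes:", excessive_hard_deletes(SAMPLE_EVENTS))
```

Running the script flags alice's rule (it moves matching mail to RSS Feeds and marks it read) but not bob's folder-sorting rule, and flags carol's 60 deletes in one minute while dave's ten deletes across ten hours never exceed one per window. The threshold and window are the tunables a team would adjust against its own baseline before promoting such logic to a production notable.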

New analytic story

  1. Black Basta Ransomware
  2. China-Nexus Threat Activity
  3. GitHub Malicious Activity
  4. SQL Server Abuse
  5. SnappyBee
  6. SystemBC

New analytics

  1. Executables Or Script Creation In Temp Path
  2. GitHub Enterprise Delete Branch Ruleset
  3. GitHub Enterprise Disable 2FA Requirement
  4. GitHub Enterprise Disable Audit Log Event Stream
  5. GitHub Enterprise Disable Classic Branch Protection Rule
  6. GitHub Enterprise Disable Dependabot
  7. GitHub Enterprise Disable IP Allow List
  8. GitHub Enterprise Modify Audit Log Event Stream
  9. GitHub Enterprise Pause Audit Log Event Stream
  10. GitHub Enterprise Register Self Hosted Runner
  11. GitHub Enterprise Remove Organization
  12. GitHub Enterprise Repository Archived
  13. GitHub Enterprise Repository Deleted
  14. GitHub Organizations Delete Branch Ruleset
  15. GitHub Organizations Disable 2FA Requirement
  16. GitHub Organizations Disable Classic Branch Protection Rule
  17. GitHub Organizations Disable Dependabot
  18. GitHub Organizations Repository Archived
  19. GitHub Organizations Repository Deleted
  20. O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE)
  21. O365 Email Hard Delete Excessive Volume (External Contributor: @nterl0k)
  22. O365 Email New Inbox Rule Created (External Contributor: @nterl0k)
  23. O365 Email Password and Payroll Compromise Behavior
  24. O365 Email Receive and Hard Delete Takeover Behavior
  25. O365 Email Send Attachments Excessive Volume
  26. O365 Email Send and Hard Delete Exfiltration Behavior
  27. O365 Email Send and Hard Delete Suspicious Behavior
  28. O365 Email Suspicious Search Behavior
  29. Windows Anonymous Pipe Activity
  30. Windows PowerShell Invoke-Sqlcmd Execution
  31. Windows Process Execution From ProgramData
  32. Windows SQL Server Configuration Option Hunt
  33. Windows SQL Server Critical Procedures Enabled
  34. Windows SQL Server Extended Procedure DLL Loading Hunt
  35. Windows SQL Server Startup Procedure
  36. Windows SQL Server xp_cmdshell Config Change
  37. Windows SQLCMD Execution
  38. Windows Scheduled Task with Suspicious Command
  39. Windows Scheduled Task with Suspicious Name
  40. Windows SnappyBee Create Test Registry
  41. Windows Sqlservr Spawning Shell
  42. Windows Svchost.exe Parent Process Anomaly
  43. Windows Unusual SysWOW64 Process Run System32 Executable

Removed detections from ESCU version 5.2.0

The following is a list of removed detections and their potential replacements, where available.

List of detections scheduled for removal in ESCU version 5.4.0

  1. AWS SAML Access by Provider User and Principal
  2. GitHub Actions Disable Security Workflow
  3. aws detect permanent key creation
  4. Github Commit In Develop
  5. Suspicious Driver Loaded Path
  6. Known Services Killed by Ransomware
  7. Github Commit Changes In Master
  8. GitHub Pull Request from Unknown User
  9. Suspicious Event Log Service Behavior
  10. Suspicious Process File Path
  11. aws detect attach to role policy
  12. GitHub Dependabot Alert
  13. aws detect sts get session token abuse
  14. aws detect role creation
  15. aws detect sts assume role abuse
  16. AWS Cross Account Activity From Previously Unseen Account
  17. Remote Desktop Network Bruteforce

Other updates

Updated search outputs for all AWS and Azure AD detections

Last modified on 24 March, 2025

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 5.2.0

