Splunk® Security Content

Release Notes


This documentation does not apply to the most recent version of ESSOC.

What's New

Enterprise Security Content Updates v3.15.0 was released on February 22, 2021. It includes the following enhancements.

New stories include the following:

  • Cloud Federated Credential Abuse
  • Suspicious Regsvr32 Activity
  • Suspicious Rundll32 Activity
  • Suspicious Compiled HTML Activity
  • Suspicious Regsvcs Regasm Activity
  • Cobalt Strike

New detections include the following:

  • Detect HTML Help URL in Command Line
  • Detect HTML Help Spawn Child Process
  • Detect HTML Help Renamed
  • Detect HTML Help Using InfoTech Storage Handlers
  • Detect Regasm Spawning a Child Process
  • Detect Regsvcs Spawning a Child Process
  • Detect Regsvcs With Network Connection
  • Detect Regasm with no Command Line Arguments
  • Detect Regasm With Network Connection
  • Detect regsvcs with no Command Line Arguments
  • Detect Regsvr32 Application Control Bypass
  • Suspicious regsvr32 register suspicious path
  • Ntdsutil Export NTDS
  • Dump lsass via procdump
  • Dump lsass via procdump rename
  • Creation of lsass dump with taskmgr
  • Suspicious rundll32 rename
  • Detect Rundll32 Application Control Bypass - advpack & ieadvpack
  • Detect Rundll32 Application Control Bypass - syssetup
  • Detect Rundll32 Application Control Bypass - setupapi
  • Suspicious Rundll32 StartW
  • Suspicious Rundll32 DllRegisterServer
  • Suspicious Rundll32 with no command line arguments
  • Certutil exe certification extraction
  • AWS SAML access by provider user and principal
  • AWS SAML update identity provider
  • O365 Excessive SSO logon errors
  • O365 added service principal
  • O365 new federated domain added

Last modified on 06 March, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.15.0

