Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v3.33.0 was released on January 18, 2022. It includes the following enhancements.

New analytic story

  • Linux Privilege Escalation
  • Linux Persistence Techniques
  • sAMAccountName Spoofing and Domain Controller Impersonation

Updated analytic story

New analytics

  • Windows Hunting System Account Targeting Lsass
  • Windows Non-System Account Targeting Lsass
  • Suspicious Computer Account Name Change
  • Suspicious Kerberos Service Ticket Request
  • Suspicious Ticket Granting Ticket Request
  • Linux NOPASSWD Entry In Sudoers File
  • Linux Possible Access Or Modification Of sshd Config File
  • Linux Possible Append Command To Profile Config File
  • Linux Possible Ssh Key File Creation
  • Linux Add User Account
  • Linux Common Process For Elevation Control
  • Linux Doas Conf File Creation
  • Linux Doas Tool Execution
  • Linux Possible Access To Credential Files
  • Linux Possible Access To Sudoers File
  • Linux Sudo OR Su Execution
  • Linux Change File Owner To Root
  • Linux File Created In Kernel Driver Directory
  • Linux Insert Kernel Module Using Insmod Utility
  • Linux Install Kernel Module Using Modprobe Utility
  • Linux Preload Hijack Library Calls
  • Linux Sudoers Tmp File Creation
  • Linux Visudo Utility Execution
  • Linux File Creation In Init Boot Directory
  • Linux File Creation In Profile Directory
  • Linux Service File Created In Systemd Directory
  • Linux Service Restarted
  • Linux Service Started Or Enabled
  • Linux Setuid Using Chmod Utility
  • Linux Setuid Using Setcap Utility
  • Linux Add Files In Known Crontab Directories
  • Linux At Allow Config File Creation
  • Linux At Application Execution
  • Linux Edit Cron Table Parameter
  • Linux Possible Append Command To At Allow Config File
  • Linux Possible Append Cronjob Entry on Existing Cronjob File
  • Linux Possible Cronjob Modification With Editor
  • Linux Java Spawning Shell

Updated analytics

  • Outbound Network Connection from Java Using Default Ports
  • Hunting for Log4Shell

New playbooks

  • Block Indicators
  • Email Notification for Malware
  • Malware Hunt and Contain

Other updates

  • Deprecated SAAWS (DA-ESS_AmazonWebServices_Content) package from dist/
  • Renamed Malicious PowerShell Process - Connect To Internet With Hidden Window to PowerShell - Connect To Internet With Hidden Window
  • Added a warning message to experimental detections. These detections are not supported.

Last modified on 08 February, 2022

This documentation applies to the following versions of Splunk® Security Content: 3.33.0