Splunk® Security Content

Release Notes



This documentation does not apply to the most recent version of ESSOC. Click here for the latest version.

What's new

Enterprise Security Content Updates v3.36.0 was released on March 16, 2022. It includes the following enhancements.

New analytic story

  • Hermetic Wiper
  • Living Off The Land
  • Data Destruction
  • Network Discovery
  • Active Directory Kerberos Attacks

New analytics

  • Windows Modify Show Compress Color And Info Tip Registry
  • AWS Lambda UpdateFunctionCode
  • Windows Disable Memory Crash Dump
  • Windows File Without Extension In Critical Folder
  • Windows Raw Access To Disk Volume Partition
  • Windows Event For Service Disabled
  • Windows Excessive Disabled Services Event
  • Windows Process With NamedPipe CommandLine
  • Windows Raw Access To Master Boot Record Drive
  • Windows Service Creation Using Registry Entry
  • Windows WMI Process Call Create
  • Windows Diskshadow Proxy Execution
  • Linux DD File Overwrite
  • Linux System Network Discovery
  • Kerberoasting spn request with RC4 encryption
  • Mimikatz PassTheTicket CommandLine Parameters
  • Rubeus Command Line Parameters
  • Rubeus Kerberos Ticket Exports Through Winlogon Access
  • Unusual Number of Kerberos Service Tickets Requested
  • Disabled Kerberos Pre-Authentication Discovery With PowerView
  • Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
  • Kerberos Pre-Authentication Flag Disabled in UserAccountControl
  • Kerberos Pre-Authentication Flag Disabled with PowerShell

Updated analytics

  • Excessive number of distinct processes created in Windows Temp folder
  • O365 Excessive Authentication Failures Alert (thanks to @schwedenmut)
  • Excessive number of distinct processes created in Windows Temp folder (Issue #1526)
  • Scheduled Task Deleted Or Created via
  • Windows High File Deletion Frequency
  • Linux At Application Execution

Other updates

  • Updated lookups/ransomware_extensions.csv
  • Updated functions in several playbooks and added a new type field in the ymls
  • Updated detection testing CI job to report failure when the testing fails
  • Updated the Application Baseline that we use for CI/CD in GitHub Actions for detection-testing
Last modified on 16 March, 2022

This documentation applies to the following versions of Splunk® Security Content: 3.36.0

