What's new
Enterprise Security Content Updates v3.36.0 was released on March 16, 2022. It includes the following enhancements.
New analytic stories
- Hermetic Wiper
- Living Off The Land
- Data Destruction
- Network Discovery
- Active Directory Kerberos Attacks
New analytics
- Windows Modify Show Compress Color And Info Tip Registry
- AWS Lambda UpdateFunctionCode
- Windows Disable Memory Crash Dump
- Windows File Without Extension In Critical Folder
- Windows Raw Access To Disk Volume Partition
- Windows Event For Service Disabled
- Windows Excessive Disabled Services Event
- Windows Process With NamedPipe CommandLine
- Windows Raw Access To Master Boot Record Drive
- Windows Service Creation Using Registry Entry
- Windows WMI Process Call Create
- Windows Diskshadow Proxy Execution
- Linux DD File Overwrite
- Linux System Network Discovery
- Kerberoasting spn request with RC4 encryption
- Mimikatz PassTheTicket CommandLine Parameters
- Rubeus Command Line Parameters
- Rubeus Kerberos Ticket Exports Through Winlogon Access
- Unusual Number of Kerberos Service Tickets Requested
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Kerberos Pre-Authentication Flag Disabled with PowerShell
Updated analytics
- O365 Excessive Authentication Failures Alert (thanks to @schwedenmut)
- Excessive number of distinct processes created in Windows Temp folder (Issue #1526)
- Scheduled Task Deleted Or Created via
- Windows High File Deletion Frequency
- Linux At Application Execution
Other updates
- Updated lookups/ransomware_extensions.csv
- Updated functions in several playbooks and added a new type field in the playbook YAML files
- Updated detection testing CI job to report failure when the testing fails
- Updated the application baseline used for CI/CD in GitHub Actions for detection testing
Last modified on 16 March, 2022
This documentation applies to the following versions of Splunk® Security Content: 3.36.0