What's new
Enterprise Security Content Updates v3.37.0 was released on April 5, 2022. It includes the following enhancements.
New analytic stories
- Splunk Vulnerabilities
- Double Zero Destructor
- Windows Registry Abuse
New analytics
- Splunk DoS via Malformed S2S Request
- Windows Deleted Registry By A Non Critical Process File Path
- Windows Terminating Lsass Process
- MacOS LOLbin
Updated analytics
- SQL Injection with Long URLs
- Modify ACL permission To Files Or Folder
- Windows InstallUtil Remote Network Connection
- Windows InstallUtil Uninstall Option with Network
- Detect Regasm with no Command Line Arguments
- Detect Regsvcs with no Command Line Arguments
- DLLHost with no Command Line Arguments with Network
- GPUpdate with no Command Line Arguments with Network
- Rundll32 with no Command Line Arguments with Network
- SearchProtocolHost with no Command Line with Network
- Suspicious DLLHost no Command Line Arguments
- Suspicious GPUpdate no Command Line Arguments
- Suspicious Rundll32 no Command Line Arguments
- Suspicious SearchProtocolHost no Command Line
- AWS CreateAccessKey
- AWS UpdateLoginProfile
Other updates
- MAJOR UPDATE: Overhauled old tooling in bin/ and replaced all functionality in bin/contentctl_project
- Updated playbooks playbooks/custom_functions/indicator_collect.py and artifact_create.py
- Added Supported TAs to research.splunk.com
- Several updates to the detection_testing backend
- Tagged several detections with story names: Windows Registry Abuse, Data Destruction, Living Off The Land Story
- Updated detection names to have a maximum length of 67 characters
This documentation applies to the following versions of Splunk® Security Content: 3.37.0