What's new
Enterprise Security Content Updates v3.47.0 was released on August 16, 2022. It includes the following enhancements.
New analytic story
- AWS Credential Access
Updated analytic story
- Splunk Vulnerabilities
- DarkCrystal RAT
- Living Off The Land
- Linux Privilege Escalation
New analytics
- AWS Credential Access Failed Login
- AWS Credential Access GetPasswordData
- AWS Credential Access RDS Password Reset
- Linux AWK Privilege Escalation
- Linux Docker Privilege Escalation
- Linux Node Privilege Escalation
- Linux Curl Upload File
- Linux Ingress Tool Transfer Hunting
- Linux Ingress Tool Transfer with Curl
- Linux Proxy Socks Curl
- Windows DLL Search Order Hijacking with iscsicpl
- Windows Gather Victim Host Information Camera
- Windows Ingress Tool Transfer Using Explorer
- Splunk Endpoint Denial of Service DoS Zip Bomb
- Splunk Account Discovery Drilldown Dashboard Disclosure
Updated analytics
- Executables or Script Creation in Suspicious Path
- Windows Hunting System Account Targeting LSASS
- Scheduled Task Deleted or Created via CMD
- Suspicious Scheduled Task from Public Directory
- Windows Command Shell DCRat ForkBomb Payload
- Windows System LogOff CommandLine
- Windows System Shutdown CommandLine
- Windows System Reboot CommandLine
- Windows System Time Discovery W32tm Delay
- Potential password in username
Other updates
- Added an optional enrichment to the BA detections that include a research_site_url tag.
- Added new init, inspect, and cloud_deploy arguments to the contentctl project. They let you initialize a new repo and easily add your own content to a custom application, run appinspect locally, and deploy the application to Splunk Cloud.
This documentation applies to the following versions of Splunk® Security Content: 3.47.0