Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v3.51.0 was released on October 18, 2022. It includes the following enhancements.

New analytic story

  • CISA AA22-277A
  • ProxyNotShell

New analytics

  • AWS Console Login Failed During MFA Challenge
  • AWS Multi-Factor Authentication Disabled
  • AWS Multiple Failed MFA Requests For User
  • AWS Successful Single-Factor Authentication
  • Detect Exchange Web Shell
  • ProxyShell ProxyNotShell Behavior Detected
  • Windows Create Local Account
  • Windows Exchange Autodiscover SSRF Abuse (Thank you Nathaniel Stearns!)
  • Windows Mshta Execution In Registry

Updated analytics

  • Detect SharpHound File Modifications
  • Exchange PowerShell Abuse via SSRF
  • Exchange PowerShell Module Usage
  • Unified Messaging Service Spawning a Process

Other updates

  • Added a new tool, lolbas_enrichment.py, which, when executed, builds a CSV of all the LOLBAS paths (./lolbas_file_path.csv) and auto-generates the BA detection with the latest LOLBAS paths (./ssa___windows_lolbin_binary_in_non_standard_path.yml) along with its required supporting testing artifacts.
  • Updated Attacker Tools lookup with Mimikatz and Advanced IP Scanner
Last modified on 18 October, 2022

This documentation applies to the following versions of Splunk® Security Content: 3.51.0

