This documentation does not apply to the most recent version of Splunk® Security Content.
For documentation on the most recent version, go to the latest release.
What's new
Enterprise Security Content Updates v3.53.0 was released on November 16, 2022. It includes the following enhancements.
New analytic story
- OpenSSL CVE-2022-3602
Updated analytic story
- IcedID
- Remcos
- Qakbot
New analytics
- Azorult
- SSL Certificates with Punycode
- Windows App Layer Protocol Qakbot NamedPipe
- Zeek x509 Certificate with Punycode
Updated analytics
- Attempted Credential Dump From Registry via Reg exe
- AWS Detect Users with KMS keys performing encryption S3 (thank you Antony Bowesman)
- AWS ECR Container Upload Outside Business Hours (thank you Antony Bowesman)
- BITSAdmin Download File
- BITS Job Persistence
- Common Ransomware Extensions (thank you Steven Dick)
- Creation of Shadow Copy
- Detect Rare Executables (thank you Antony Bowesman)
- Dump LSASS via procdump
- Executables Or Script Creation In Suspicious Path
- Kubernetes AWS detect suspicious kubectl calls (thank you Antony Bowesman)
- O365 Disable MFA (thank you Jamie Windley)
- Office Document Executing Macro Code
- Office Product Spawn CMD Process
- Office Product Spawning Windows Script Host
- Process Creating LNK file in Suspicious Location
- RunDLL Loading DLL By Ordinal
- Suspicious Process File Path
Other updates
- The names of a few analytics tests were updated
- Added a CI check to validate NIST and CIS20 tags
Last modified on 16 November, 2022
| What's in Splunk Security Content |
This documentation applies to the following versions of Splunk® Security Content: 3.53.0
Download manual
Feedback submitted, thanks!