Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v3.58.0 was released on February 8, 2023. It includes the following enhancements.

New analytic stories

  • AsyncRAT
  • Compromised User Account
  • Swift Slicer
  • Windows Certificate Services

New analytics

  • AWS AD New MFA Method Registered for User
  • AWS Concurrent Sessions from Different Ips
  • AWS High Number of Failed Authentications for User
  • AWS High Number of Failed Authentications from Ip
  • AWS Password Policy Changes
  • AWS Successful Console Authentication from Multiple IPs
  • Azure AD Concurrent Sessions from Different Ips
  • Azure AD High Number of Failed Authentications for User
  • Azure AD High Number of Failed Authentications from Ip
  • Azure AD New MFA Method Registered for User
  • Azure AD Successful Authentication from Different Ips
  • Detect suspicious processnames using a pretrained model in DSDL
  • Driver Inventory
  • LOLBAS With Network Traffic (Thanks to @nterl0k)
  • Windows Data Destruction Recursive Exec Files Deletion
  • Windows Export Certificate
  • Windows PowerShell Cryptography Namespace
  • Windows PowerShell Export Certificate
  • Windows PowerShell Export PfxCertificate
  • Windows Scheduled Task with Highest Privileges
  • Windows Spearphishing Attachment Connect to None MS Office Domain
  • Windows Spearphishing Attachment Onenote Spawn Mshta
  • Windows Steal Authentication Certificates Certificate Issued
  • Windows Steal Authentication Certificates Certificate Request
  • Windows Steal Authentication Certificates CertUtil Backup
  • Windows Steal Authentication Certificates CS Backup
  • Windows Steal Authentication Certificates Export Certificate
  • Windows Steal Authentication Certificates Export PfxCertificate

Updated analytics

  • AWS Multiple Users Failing To Authenticate From Ip
  • Exploit Public Facing Application via Apache Commons Text
  • Office Application Drop Executable (Thanks to @TheLawsOfChaos)
  • Office Product Spawning MSHTA
  • Rundll32 with no Command Line Arguments with Network (Thanks to @nterl0k)
  • Windows Java Spawning Shells

Other updates

  • Moved 12 failing detections to experimental status
  • Fixed a number of detections whose macros referenced an incorrect sourcetype
  • Updated several endpoint detections to use the process_guid field instead of proc_guid (Thanks to @nterl0k)
Last modified on 14 February, 2023

This documentation applies to the following versions of Splunk® Security Content: 3.58.0