Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v3.61.0 was released on March 9, 2023. It includes the following enhancements.

New analytic story

  • Sneaky Active Directory Persistence Tricks (Huge thanks and shoutout to Dean Luxton and Steven Dick for contributing detections)
  • BishopFox Sliver Adversary Emulation Framework

New analytics

  • Notepad with No Command-Line Arguments
  • Windows Process Injection into Notepad
  • Windows AD Same Domain SID History Addition
  • Windows AD Cross Domain SID History Addition
  • Windows AD Replication Request Initiated by User Account
  • Windows AD Replication Request Initiated from Unsanctioned Location
  • Windows AD Domain Replication ACL Addition
  • Windows AD DSRM Account Changes
  • Windows AD DSRM Password Reset
  • Windows AD Short Lived Domain Controller SPN Attribute
  • Windows AD Short Lived Server Object
  • Windows AD SID History Attribute Modified
  • Windows AD AdminSDHolder ACL Modified
  • Windows AD ServicePrincipalName Added to Domain Account
  • Windows AD Short Lived Domain Account ServicePrincipalName
  • Windows AD Rogue Domain Controller Network Activity
  • Windows AD Account SID History Addition
  • Windows AD Replication Service Traffic
  • Windows Unusual Count of Disabled Users Failed Auth Using Kerberos
  • Windows Unusual Count of Invalid Users Fail to Auth Using Kerberos
  • Windows Unusual Count of Invalid Users Failed to Auth Using NTLM
  • Windows Unusual Count of Users Fail to Auth with Explicit Credentials
  • Windows Unusual Count of Users Failed to Auth Using Kerberos
  • Windows Unusual Count of Users Failed to Authenticate from Process
  • Windows Unusual Count of Users Failed to Authenticate Using NTLM
  • Windows Unusual Count of Users Remotely Failed to Auth from Host

Updated analytics

  • Impacket Lateral Movement Command-line Parameters (Thank you Chris Chantrey)
  • Suspicious Regsvr32 Register Suspicious Path (Thank you DipsyTipsy)
  • Suspicious Reg.exe Process (Thank you DipsyTipsy)
  • Linux SSH Remote Services Script Execute (Thank you DipsyTipsy)

Other updates

  • Removed Experimental/Deprecated Behavioral Analytics detections from the develop branch in the security_content GitHub repository and research.splunk.com
  • Migrated Password Spraying to XML
  • Updated all of the Splunkbase apps that are used for our automated testing framework

Last modified on 09 March, 2023

This documentation applies to the following versions of Splunk® Security Content: 3.61.0

