Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v4.0.0 was released on April 19, 2023. It includes the following enhancements.

This major version change to 4.0.0 includes improvements to the Sigma to Search Processing Language (SPL) converter, including back-end changes to testing and content generation. This change allows us to define signature-based detections in an industry-standard language. There is no impact on customer environments when the ESCU application is installed or upgraded.

New analytic story

  • Winter Vivern
  • Sandworm Tools
  • BlackLotus Campaign

New analytics

  • Windows Exfiltration Over C2 Via Invoke RestMethod
  • Windows Exfiltration Over C2 Via Powershell UploadString
  • Windows Scheduled Task Created Via XML
  • Windows Screen Capture Via Powershell
  • Windows DNS Gather Network Info
  • Windows Impair Defenses Disable HVCI
  • Windows BootLoader Inventory
  • Windows RDP Connection Successful

Other updates

  • Tagged several detections with Data Destruction
  • Fixed a number of deprecated and experimental searches that contained runtime syntactic/parsing/execution errors.

Last modified on 20 April, 2023

This documentation applies to the following versions of Splunk® Security Content: 4.0.0
