What's new
Enterprise Security Content Updates v4.10.0 was released on August 28, 2023. It includes the following enhancements.
New analytics
- Windows Bypass UAC via Pkgmgr Tool
- Windows Mark of The Web Bypass
- Windows Modify Registry MaxConnectionPerServer
- Windows Unsigned DLL Side-Loading
- Detect Certify Command Line Arguments (External Contributor @nterl0k)
- Detect Certify with PowerShell Script Block Logging (External Contributor @nterl0k)
- Windows Steal Authentication Certificates - ESC1 Authentication (External Contributor @nterl0k)
- Windows Suspect Process with Authentication Traffic (External Contributor @nterl0k)
New analytic story
Updated analytics
- Azure AD Global Administrator Role Assigned
- Azure AD Multiple Users Failing to Authenticate from IP
- Azure AD Service Principal Owner Added
- Azure AD Unusual Number of Failed Authentications from IP
- Azure AD Service Principal Created
- Azure AD Privileged Role Assigned
- Azure AD Privileged Authentication Administrator Role Assigned
- Azure AD Application Administrator Role Assigned
- Azure AD Multi-Factor Authentication Disabled
- Azure AD External Guest User Invited
- Azure AD User Enabled and Password Reset
- Azure AD Service Principal New Client Credentials
- Azure AD New Federated Domain Added
- Azure AD New Custom Domain Added
- Azure AD Successful Single-Factor Authentication
- Azure AD Authentication Failed During MFA Challenge
- Azure AD Successful PowerShell Authentication
- Azure AD Multiple Failed MFA Requests for User
- Azure AD User Immutable ID Attribute Updated
- Azure Active Directory High Risk Sign-in
- Unusually Long Command Line
- Suspicious Copy on System32
New Playbooks
- AD LDAP Account Unlocking
- AWS IAM Account Unlocking
- Azure AD Account Unlocking
- Active Directory Enable Account Dispatch
Updated playbook
Other updates
- Updated several detections for better output and risk objects
This documentation applies to the following versions of Splunk® Security Content: 4.10.0