What's new
Enterprise Security Content Updates v4.16.0 was released on November 16, 2023. It includes the following enhancements:
New analytics
- Azure AD Device Code Authentication
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD Multiple App IDs and User Agents Authentication Spike
- Azure AD Block User Consent For Risky Apps Disabled
- Azure AD User Consent Blocked for Risky Application
- Azure AD OAuth Application Consent Granted By User
- Azure AD User Consent Denied for OAuth Application
- Azure AD New MFA Method Registered
- Azure AD Multiple Denied MFA Requests For User
- Azure AD Multi-Source Failed Authentications Spike
- Risk Rule for Dev Sec Ops by Repository
- Windows ConHost with Headless Argument
- Windows CAB File on Disk
- Windows WinDBG Spawning AutoIt3
- Windows MSIExec Spawn WinDBG
- Windows Modify Registry Default Icon Setting
- Windows AutoIt3 Execution
- Splunk App for Lookup File Editing RCE via User XSLT
- Splunk XSS in Highlighted JSON Events
Updated analytics
- AWS ECR Container Scanning Findings High
- AWS ECR Container Scanning Findings Medium
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS ECR Container Upload Outside Business Hours
New analytic stories
Updated analytic stories
Deprecated analytics
Other Updates
- CI updates to release.yml
- Added downstream trigger to security_content_automation repo to facilitate automated integration testing
- Updated GitHub CI workflow to use contentctl
This documentation applies to the following versions of Splunk® Security Content: 4.16.0