This documentation does not apply to the most recent version of Splunk® Security Content.
For documentation on the most recent version, go to the latest release.
What's new
Enterprise Security Content Updates v4.16.0 was released on November 16, 2023. It includes the following enhancements:
New analytics
- Azure AD Device Code Authentication
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD Multiple App IDs and User Agents Authentication Spike
- Azure AD Block User Consent For Risky Apps Disabled
- Azure AD User Consent Blocked for Risky Application
- Azure AD OAuth Application Consent Granted By User
- Azure AD User Consent Denied for OAuth Application
- Azure AD New MFA Method Registered
- Azure AD Multiple Denied MFA Requests For User
- Azure AD Multi-Source Failed Authentications Spike
- Risk Rule for Dev Sec Ops by Repository
- Windows ConHost with Headless Argument
- Windows CAB File on Disk
- Windows WinDBG Spawning AutoIt3
- Windows MSIExec Spawn WinDBG
- Windows Modify Registry Default Icon Setting
- Windows AutoIt3 Execution
- Splunk App for Lookup File Editing RCE via User XSLT
- Splunk XSS in Highlighted JSON Events
Updated analytics
- AWS ECR Container Scanning Findings High
- AWS ECR Container Scanning Findings Medium
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS ECR Container Upload Outside Business Hours
New analytic stories
Updated analytic stories
Deprecated analytics
Other updates
- CI updates to release.yml
- Added downstream trigger to security_content_automation repo to facilitate automated integration testing
- Updated GitHub CI workflow to use contentctl
Last modified on 07 December, 2023
This documentation applies to the following versions of Splunk® Security Content: 4.16.0