What's new
Enterprise Security Content Updates v4.17.0 was released on December 6, 2023. It includes the following enhancements:
New analytics
- O365 Service Principal New Client Credentials
- O365 Mailbox Read Access Granted to Application
- O365 Tenant Wide Admin Consent Granted
- O365 Application Registration Owner Added
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Advanced Audit Disabled
- O365 High Number of Failed Authentications for User
- O365 Multiple Users Failing to Authenticate from Ip
- O365 User Consent Blocked for Risky Application
- O365 User Consent Denied for OAuth Application
- O365 Mail Permissioned Application Consent Granted by User
- O365 Application Impersonation Role Assigned
- O365 File Permissioned Application Consent Granted by User
- O365 Multiple Failed MFA Requests For User
- O365 High Privilege Role Granted
- O365 New MFA Method Registered
- O365 Multiple AppIDs and User Agents Authentication Spike
- O365 Block User Consent For Risky Apps Disabled
- O365 Multi-Source Failed Authentications Spike
- PowerShell Remote Services Add Trusted Host
- Windows Modify Registry AuthenticationLevelOverride
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Modify Registry DisableSecuritySettings
- Windows Modify Registry DontShowUI
- Windows Modify Registry ProxyEnable
- Windows Modify Registry ProxyServer
- Windows Archive Collected Data via Rar
- Windows Indicator Removal via Rmdir
- Windows Credentials from Password Stores Creation
- Windows Credentials from Password Stores Deletion
- Windows Defender ASR Rules Stacking
- Windows Defender ASR Rule Disabled
- Windows Defender ASR Registry Modification
- Windows Defender ASR Block Events
- Windows Defender ASR Audit Events
- Windows Masquerading Msdtc Process
- Windows Parent PID Spoofing with Explorer
- Web Remote ShellServlet Access
- Splunk RCE via User XSLT
Updated analytics
- High Number of Login Failures from a single source
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive SSO log on errors
- O365 New Federated Domain Added
- O365 PST export alert
- O365 Suspicious Admin Email Forwarding*
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Splunk App for Lookup File Editing RCE via User XSLT
New analytic stories
Updated analytic story
Other Updates
- Added Experimental to action.correlationsearch.label name for Content Management
- Updated the splunk_risky_command lookup
- Updated several detections to output accurate risk and threat objects
This documentation applies to the following versions of Splunk® Security Content: 4.17.0