What's new
Enterprise Security Content Updates v4.17.0 was released on December 6, 2023. It includes the following enhancements:
New analytics
- O365 Service Principal New Client Credentials
- O365 Mailbox Read Access Granted to Application
- O365 Tenant Wide Admin Consent Granted
- O365 Application Registration Owner Added
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Advanced Audit Disabled
- O365 High Number of Failed Authentications for User
- O365 Multiple Users Failing to Authenticate from Ip
- O365 User Consent Blocked for Risky Application
- O365 User Consent Denied for OAuth Application
- O365 Mail Permissioned Application Consent Granted by User
- O365 Application Impersonation Role Assigned
- O365 File Permissioned Application Consent Granted by User
- O365 Multiple Failed MFA Requests For User
- O365 High Privilege Role Granted
- O365 New MFA Method Registered
- O365 Multiple AppIDs and User Agents Authentication Spike
- O365 Block User Consent For Risky Apps Disabled
- O365 Multi-Source Failed Authentications Spike
- PowerShell Remote Services Add Trusted Host
- Windows Modify Registry AuthenticationLevelOverride
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Modify Registry DisableSecuritySettings
- Windows Modify Registry DontShowUI
- Windows Modify Registry ProxyEnable
- Windows Modify Registry ProxyServer
- Windows Archive Collected Data via Rar
- Windows Indicator Removal via Rmdir
- Windows Credentials from Password Stores Creation
- Windows Credentials from Password Stores Deletion
- Windows Defender ASR Rules Stacking
- Windows Defender ASR Rule Disabled
- Windows Defender ASR Registry Modification
- Windows Defender ASR Block Events
- Windows Defender ASR Audit Events
- Windows Masquerading Msdtc Process
- Windows Parent PID Spoofing with Explorer
- Web Remote ShellServlet Access
- Splunk RCE via User XSLT
Updated analytics
- High Number of Login Failures from a single source
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive SSO log on errors
- O365 New Federated Domain Added
- O365 PST export alert
- O365 Suspicious Admin Email Forwarding*
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Splunk App for Lookup File Editing RCE via User XSLT
New analytic stories
Updated analytic story
Other Updates
- Added "Experimental" to the action.correlationsearch.label name for Content Management
- Updated the splunk_risky_command lookup
- Updated several detections to output accurate risk and threat objects
Last modified on 19 December, 2023
This documentation applies to the following versions of Splunk® Security Content: 4.17.0