New Analytic Story:
- Suspicious Cloud Auth Activities (uses updated Authentication Data Model on ES 6.2)
New Detections:
- Kerberoasting spn request with RC4 encryption
- Detect new user AWS Console Login - DM
Fixed Issues:
- Set the Macro for summariesonly to false by default
- Updated First Time Seen Running Windows Service Detection
- Updated Previously Seen Running Windows Services
- Updated Reg exe Manipulating Windows Services Registry Keys
- Updated Sc exe Manipulated Windows Services
- AWS Cross Account Activity From Previously Unseen Account
Full documentation: https://docs.splunk.com/Documentation/ESSOC/3.0.2