New Analytic Stories
- BITS Jobs
- Domain Trust Discovery
New Detections
- BITSAdmin Download File
- BITS Job Persistence
- PowerShell Start-BitsTransfer
- DSQuery Domain Discovery
- Disable Registry Tool
- Disable Show Hidden Files
- Disable Windows Behavior Monitoring
- Disable Windows SmartScreen Protection
- Disabling CMD Application
- Disabling ControlPanel
- Disabling Firewall with Netsh
- Disabling FolderOptions Windows Feature
- Disabling NoRun Windows App
- Disabling SystemRestore In Registry
- Disabling Task Manager
- AWS Excessive Security Scanning
- Malicious Powershell Executed As A Service (Thank you Ryan Becwar for contributing)
Updates
- Clop Common Exec Parameter detection updated
Upcoming changes to Enterprise Security Content Updates (ESCU) App
As we move towards a more unified content experience across our products (ESCU, SSE, the ES Use Case Library, Splunk Docs, and GitHub), the ESCU App's user interface will change starting with version 3.22. Specifically, the analytic details page will be removed, and the ESCU summaries page will be heavily modified to provide general metrics about the content and to point users to SSE and/or the ES Use Case Library for security content management (scheduling and metadata analysis). We recently removed the kill chain phase graphics and replaced them with a bar chart of the most commonly used MITRE techniques.