New Analytic Stories
- AgentTesla
- AWS Identity and Access Management Account Takeover
- CISA AA22-264A
- Okta MFA Exhaustion
New Analytics
- AWS Multiple Users Failing To Authenticate From Ip
- AWS Unusual Number of Failed Authentications From Ip
- Detect DGA domains using pretrained model in DSDL
- Okta Account Locked Out
- Okta MFA Exhaustion Hunt
- Okta New API Token Created
- Okta New Device Enrolled on Account
- Okta Suspicious Activity Reported
- Okta ThreatInsight Threat Detected
- Okta Two or More Rejected Okta Pushes
- Okta Risk Threshold Exceeded
- Office Product Spawning Windows Script Host
- Powershell COM Hijacking InprocServer32 Modification
- Windows COM Hijacking InprocServer32 Modification
- Windows File Transfer Protocol In Non-Common Process Path
- Windows ISO LNK File Creation
- Windows Mail Protocol In Non-Common Process Path
- Windows Multi hop Proxy TOR Website Query
- Windows System Script Proxy Execution Syncappvpublishingserver
Updated Analytics
- Multiple Okta Users With Invalid Credentials From The Same IP
- Okta Account Lockout Events
- Okta Failed SSO Attempts
- Exchange PowerShell Module Usage
- Registry Keys Used For Persistence
- Windows Phishing Recent ISO Exec Registry
BA Updates
- source field updated to XmlWinEventLog for Windows System Binary Proxy Execution Compiled HTML File Decompile (released in 3.49.1)
Other updates
- Removed slim dependency in GitHub Actions, skipped detection testing on tag creation, and updated the token
- Fixed bugs in the init functionality for creating a security_content custom application
- Added advanced_port_scanner.exe to the Attacker Tools Lookup
- Updated the GitHub Actions workflow steps to create and push files for the SSE API
NOTE
This release contains a new type of analytic (Detect DGA domains using pretrained model in DSDL) that leverages the Splunk App for Data Science and Deep Learning to detect DNS connections to domains generated by Domain Generation Algorithms. This detection uses a pre-trained deep learning model; the steps to deploy this model are in our GitHub Wiki.