New Analytic Story
- DarkGate Malware
- SysAid On-Prem Software CVE-2023-47246 Vulnerability
Updated Analytic Story
- Azure Active Directory Account Takeover
- Splunk Vulnerabilities
New Analytics
- Azure AD Device Code Authentication
- Azure AD Tenant Wide Admin Consent Granted
- Azure AD Multiple AppIDs and UserAgents Authentication Spike
- Azure AD Block User Consent For Risky Apps Disabled
- Azure AD User Consent Blocked for Risky Application
- Azure AD OAuth Application Consent Granted By User
- Azure AD User Consent Denied for OAuth Application
- Azure AD New MFA Method Registered
- Azure AD Multiple Denied MFA Requests For User
- Azure AD Multi-Source Failed Authentications Spike
- Risk Rule for Dev Sec Ops by Repository
- Windows ConHost with Headless Argument
- Windows CAB File on Disk
- Windows WinDBG Spawning AutoIt3
- Windows MSIExec Spawn WinDBG
- Windows Modify Registry Default Icon Setting
- Windows AutoIt3 Execution
- Splunk App for Lookup File Editing RCE via User XSLT
- Splunk XSS in Highlighted JSON Events
Updated Analytics
- AWS ECR Container Scanning Findings High
- AWS ECR Container Scanning Findings Medium
- AWS ECR Container Scanning Findings Low Informational Unknown
- AWS ECR Container Upload Outside Business Hours
Deprecated Analytics
- Correlation by Repository and Risk
- Correlation by User and Risk
Other Updates
- CI updates to release.yml
- Added downstream trigger to security_content_automation repo to facilitate automated integration testing
- Updated Github CI workflow to use contentctl