github splunk/security_content v4.17.0


ESCU 4.17.0 Release branch

New Analytic Story
  • Office 365 Account Takeover
  • Office 365 Persistence Mechanisms
  • Windows Attack Surface Reduction
Updated Analytic Story
  • DarkGate Malware
New Analytics
  • O365 Service Principal New Client Credentials
  • O365 Mailbox Read Access Granted to Application
  • O365 Tenant Wide Admin Consent Granted
  • O365 Application Registration Owner Added
  • O365 Mailbox Inbox Folder Shared with All Users
  • O365 Advanced Audit Disabled
  • O365 High Number Of Failed Authentications for User
  • O365 Multiple Users Failing To Authenticate From Ip
  • O365 User Consent Blocked for Risky Application
  • O365 User Consent Denied for OAuth Application
  • O365 Mail Permissioned Application Consent Granted by User
  • O365 ApplicationImpersonation Role Assigned
  • O365 File Permissioned Application Consent Granted by User
  • O365 Multiple Failed MFA Requests For User
  • O365 High Privilege Role Granted
  • O365 New MFA Method Registered
  • O365 Multiple AppIDs and UserAgents Authentication Spike
  • O365 Block User Consent For Risky Apps Disabled
  • O365 Multi-Source Failed Authentications Spike
  • Powershell Remote Services Add TrustedHost
  • Windows Modify Registry AuthenticationLevelOverride
  • Windows Modify Registry DisableRemoteDesktopAntiAlias
  • Windows Modify Registry DisableSecuritySettings
  • Windows Modify Registry DontShowUI
  • Windows Modify Registry ProxyEnable
  • Windows Modify Registry ProxyServer
  • Windows Archive Collected Data via Rar
  • Windows Indicator Removal Via Rmdir
  • Windows Credentials from Password Stores Creation
  • Windows Credentials from Password Stores Deletion
  • Windows Defender ASR Rules Stacking
  • Windows Defender ASR Rule Disabled
  • Windows Defender ASR Registry Modification
  • Windows Defender ASR Block Events
  • Windows Defender ASR Audit Events
  • Windows Masquerading Msdtc Process
  • Windows Parent PID Spoofing with Explorer
  • Web Remote ShellServlet Access
  • Splunk RCE via User XSLT
Updated Analytics
  • High Number of Login Failures from a single source
  • O365 Add App Role Assignment Grant User
  • O365 Added Service Principal
  • O365 Bypass MFA via Trusted IP
  • O365 Disable MFA
  • O365 Excessive Authentication Failures Alert
  • O365 Excessive SSO logon errors
  • O365 New Federated Domain Added
  • O365 PST export alert
  • O365 Suspicious Admin Email Forwarding*
  • O365 Suspicious Rights Delegation
  • O365 Suspicious User Email Forwarding
  • Splunk App for Lookup File Editing RCE via User XSLT
Other Updates
  • Added Experimental to action.correlationsearch.label name for Content Management
  • Updated the splunk_risky_command lookup
  • Updated several detections to output accurate risk/threat objects
