ESCU 4.17.0 Release branch
New Analytic Story
- Office 365 Account Takeover
- Office 365 Persistence Mechanisms
- Windows Attack Surface Reduction
Updated Analytic Story
- DarkGate Malware
New Analytics
- O365 Service Principal New Client Credentials
- O365 Mailbox Read Access Granted to Application
- O365 Tenant Wide Admin Consent Granted
- O365 Application Registration Owner Added
- O365 Mailbox Inbox Folder Shared with All Users
- O365 Advanced Audit Disabled
- O365 High Number Of Failed Authentications for User
- O365 Multiple Users Failing To Authenticate From Ip
- O365 User Consent Blocked for Risky Application
- O365 User Consent Denied for OAuth Application
- O365 Mail Permissioned Application Consent Granted by User
- O365 ApplicationImpersonation Role Assigned
- O365 File Permissioned Application Consent Granted by User
- O365 Multiple Failed MFA Requests For User
- O365 High Privilege Role Granted
- O365 New MFA Method Registered
- O365 Multiple AppIDs and UserAgents Authentication Spike
- O365 Block User Consent For Risky Apps Disabled
- O365 Multi-Source Failed Authentications Spike
- Powershell Remote Services Add TrustedHost
- Windows Modify Registry AuthenticationLevelOverride
- Windows Modify Registry DisableRemoteDesktopAntiAlias
- Windows Modify Registry DisableSecuritySettings
- Windows Modify Registry DontShowUI
- Windows Modify Registry ProxyEnable
- Windows Modify Registry ProxyServer
- Windows Archive Collected Data via Rar
- Windows Indicator Removal Via Rmdir
- Windows Credentials from Password Stores Creation
- Windows Credentials from Password Stores Deletion
- Windows Defender ASR Rules Stacking
- Windows Defender ASR Rule Disabled
- Windows Defender ASR Registry Modification
- Windows Defender ASR Block Events
- Windows Defender ASR Audit Events
- Windows Masquerading Msdtc Process
- Windows Parent PID Spoofing with Explorer
- Web Remote ShellServlet Access
- Splunk RCE via User XSLT
Updated Analytics
- High Number of Login Failures from a single source
- O365 Add App Role Assignment Grant User
- O365 Added Service Principal
- O365 Bypass MFA via Trusted IP
- O365 Disable MFA
- O365 Excessive Authentication Failures Alert
- O365 Excessive SSO logon errors
- O365 New Federated Domain Added
- O365 PST export alert
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
- O365 Suspicious User Email Forwarding
- Splunk App for Lookup File Editing RCE via User XSLT
Other Updates
- Added "Experimental" to the action.correlationsearch.label name for Content Management
- Updated the splunk_risky_command lookup
- Updated several detections to output accurate risk/threat objects