Release Branch for ESCU 4.19.0
New Analytic Story
- CISA AA23-347A
- Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
Updated Analytic Story
- Office 365 Account Takeover
- Office 365 Persistence Mechanisms
- Splunk Vulnerabilities
New Analytics
- Kubernetes Anomalous Inbound Outbound Network IO (Internal Contributor: Matthew Moore)
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Container Image Name (Internal Contributor: Matthew Moore)
- Kubernetes Previously Unseen Process (Internal Contributor: Matthew Moore)
- Kubernetes Process Running From New Path (Internal Contributor: Matthew Moore)
- Kubernetes Process with Anomalous Resource Utilisation (Internal Contributor: Matthew Moore)
- Kubernetes Process with Resource Ratio Anomalies (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node with CPU Activity (Internal Contributor: Matthew Moore)
- Kubernetes Shell Running on Worker Node (Internal Contributor: Matthew Moore)
- Windows Account Discovery For None Disable User Account
- Windows Lsa Secrets Nolmhash Registry
- Windows Modify Registry Disable Restricted Admin
- Windows Account Discovery For Sam Account Name
- Windows Account Discovery With Netuser Preauthnotrequire
- Windows Archive Collected Data Via Powershell
- Windows Domain Account Discovery Via Get Netcomputer
- Windows Known Graphicalproton Loaded Modules
- Windows Process Commandline Discovery
- Windows System User Privilege Discovery
- Windows Modify Registry Nochangingwallpaper
- Windows Rundll32 Apply User Settings Changes
- Windows UAC Bypass Suspicious Child Process (External Contributor: @nterl0k)
- Windows UAC Bypass Suspicious Escalation Behavior (External Contributor: @nterl0k)
- Windows Alternate DataStream - Base64 Content (External Contributor: @nterl0k)
- Windows Alternate DataStream - Process Execution (External Contributor: @nterl0k)
- Windows Alternate DataStream - Executable Content (External Contributor: @nterl0k)
- O365 Concurrent Sessions From Different Ips
- Splunk ES DoS Investigations Manager via Investigation Creation (Internal Contributor: Chase Franklin)
- Splunk ES DoS Through Investigation Attachments (Internal Contributor: Chase Franklin)
Updated Analytics
- GCP Authentication Failed During MFA Challenge
- GCP Multi-Factor Authentication Disabled
- GCP Successful Single-Factor Authentication
- Windows Steal Authentication Certificates - ESC1 Abuse
- Allow Network Discovery In Firewall
- Msmpeng Application DLL Side Loading
Other Updates
- Updated MITRE ATT&CK Navigator JSON files for detection coverage of the RAT and Stealer analytic stories
- Updated ALL Azure AD analytics to use `sourcetype = azure:monitor:aad` for better CIM compliance.