Release notes
New Analytics Story
Updated Analytics Story
New Analytics
- Okta Authentication Failed During MFA Challenge
- Okta IDP Lifecycle Modifications
- Okta Multi-Factor Authentication Disabled
- Okta Multiple Accounts Locked Out
- Okta Multiple Failed MFA Requests For User
- Okta Multiple Users Failing To Authenticate From Ip
- Okta Successful Single Factor Authentication
- Okta Unauthorized Access to Application
- O365 Compliance Content Search Exported
- O365 Compliance Content Search Started
- O365 Elevated Mailbox Permission Assigned
- O365 Mailbox Email Forwarding Enabled
- O365 Mailbox Folder Read Permission Assigned
- O365 Mailbox Folder Read Permission Granted
- O365 New Email Forwarding Rule Created
- O365 New Email Forwarding Rule Enabled
- O365 New Forwarding Mailflow Rule Created
- O365 Security And Compliance Alert Triggered
- Okta User Logins From Multiple Cities
- Windows AppLocker Block Events
- Windows AppLocker Execution from Uncommon Locations
- Windows AppLocker Privilege Escalation via Unauthorized Bypass
- Windows AppLocker Rare Application Launch Detection
- Windows Unsigned MS DLL Side-Loading
- Zscaler Adware Activities Threat Blocked
- Zscaler Behavior Analysis Threat Blocked
- Zscaler CryptoMiner Downloaded Threat Blocked
- Zscaler Employment Search Web Activity
- Zscaler Exploit Threat Blocked
- Zscaler Legal Liability Threat Blocked
- Zscaler Malware Activity Threat Blocked
- Zscaler Phishing Activity Threat Blocked
- Zscaler Potentially Abused File Download
- Zscaler Privacy Risk Destinations Threat Blocked
- Zscaler Scam Destinations Threat Blocked
- Zscaler Virus Download threat blocked
Updated Analytics
- Email Attachments With Lots Of Spaces
- Okta MFA Exhaustion Hunt
- Okta Mismatch Between Source and Response for Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta New API Token Created
- Okta New Device Enrolled on Account
- Okta Phishing Detection with FastPass Origin Check
- Okta Risk Threshold Exceeded
- Okta Suspicious Activity Reported
- Okta Suspicious Use of a Session Cookie
- Okta ThreatInsight Threat Detected
- Suspicious Email Attachment Extensions
- O365 Admin Consent Bypassed by Service Principal
- O365 ApplicationImpersonation Role Assigned
- O365 Mailbox Inbox Folder Shared with All Users
- O365 PST export alert
- Prohibited Software On Endpoint
- Detect Use of cmd exe to Launch Script Interpreters
- Detection of tools built by NirSoft
- Excessive File Deletion In WinDefender Folder
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion of SSL Certificate
- Malicious Powershell Executed As A Service
- Registry Keys Used For Persistence
- SchCache Change By App Connect And Create ADSI Object
- Suspicious Regsvr32 Register Suspicious Path
- Windows Data Destruction Recursive Exec Files Deletion
- Windows High File Deletion Frequency
- Windows MSHTA Writing to World Writable Path
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- SMB Traffic Spike
- SMB Traffic Spike - MLTK
- Web Remote ShellServlet Access
Macros Added
- applocker
- zscaler_proxy
Macros Updated
- okta
Lookups Added
- applockereventcodes
Other Updates
- Added a new dashboard ESCU - AppLocker, Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events for your endpoints (Splunk Enterprise 9.x.x version and above only)