✨ Highlights
- 🔥 Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types: file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.
- 🤖 AWS Bedrock Security: Released a new analytic story to monitor for adversary techniques targeting AWS Bedrock, a managed service used to build and scale generative AI applications. This includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as high volumes of model invocation failures.
- 🕵️ Mapping Threat Campaigns: Several detections have been mapped to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution to TTPs and provide insights into observed behaviors.
- 🆕 New Detections: Introduced additional detections for tactics such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.
📚 New Analytic Stories – [6]
- AWS Bedrock Security
- Cactus Ransomware
- Cisco Secure Firewall Threat Defense Analytics
- Earth Alux
- Storm-2460 CLFS Zero Day Exploitation
- Water Gamayun
🧠 New Analytics – [27]
- AWS Bedrock Delete GuardRails
- AWS Bedrock Delete Knowledge Base
- AWS Bedrock Delete Model Invocation Logging Configuration
- AWS Bedrock High Number List Foundation Model Failures
- AWS Bedrock Invoke Model Access Denied
- Cisco Secure Firewall - Binary File Type Download
- Cisco Secure Firewall - Bits Network Activity
- Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
- Cisco Secure Firewall - Blocked Connection
- Cisco Secure Firewall - Communication Over Suspicious Ports
- Cisco Secure Firewall - Connection to File Sharing Domain
- Cisco Secure Firewall - File Download Over Uncommon Port
- Cisco Secure Firewall - High EVE Threat Confidence
- Cisco Secure Firewall - High Volume of Intrusion Events Per Host
- Cisco Secure Firewall - Malware File Downloaded
- Cisco Secure Firewall - Potential Data Exfiltration
- Cisco Secure Firewall - Rare Snort Rule Triggered
- Cisco Secure Firewall - Repeated Blocked Connections
- Cisco Secure Firewall - Repeated Malware Downloads
- Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
- Cisco Secure Firewall - Wget or Curl Download
- CrushFTP Authentication Bypass Exploitation
- CrushFTP Max Simultaneous Users From IP
- Windows MSC EvilTwin Directory Path Manipulation
- Windows PowerShell Invoke-RestMethod IP Information Collection
- Windows Shell Process from CrushFTP
- Windows WMIC Shadowcopy Delete
🛠 Other Updates
- 🔄 Reverted several searches to use `| join` instead of `prestats=t` due to bugs encountered in the search logic.
- ❌ Removed Detections – As notified in the ESCU v5.2.0 release, we have removed these detections. Please use replacements where appropriate.
- 🗓️ Deprecated more detections now scheduled for removal in ESCU v5.6.0.
- 📥 Updated the `deprecation_info` lookup to reflect the latest list of deprecated and removed detections.