Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Product News & Announcements
All the latest news and announcements about Splunk products. Subscribe and never miss an update!
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- News & Events
- :
- Blog & Announcements
- :
- Product News & Announcements
- :
- Enterprise Security Content Update (ESCU) | New Re...
Enterprise Security Content Update (ESCU) | New Releases
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark Topic
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
TyneDarke
Splunk Employee
05-03-2024
08:39 AM
Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise Security Content Update (ESCU) app (v4.29.0 and v4.30.0). With these releases, there are 41 new analytics, 5 new analytic stories, 32 updated analytics, and 3 updated analytic stories now available in Splunk Enterprise Security via the ESCU application update process.
Content highlights include:
- The new Okta Account Takeover analytic story features detections covering suspicious activities within an Okta tenant, including failed multi-factor authentication attempts and unauthorized Identity Provider modifications.
- The new Windows AppLocker analytic story features detections covering WindowsAppLocker event logs to help detect attempts to bypass application restrictions.
- The new Zscaler Browser Proxy Threats analytic story features detections covering threats blocked by Zscaler, including malware, crypto-miners, virus downloads, and more.
New Analytics (41)
- Windows InProcServer32 New Outlook Form
- Windows MSHTA Writing to World Writable Path
- Windows New InProcServer32 Added
- Windows Phishing Outlook Drop Dll In FORM Dir
- Windows SqlWriter SQLDumper DLL Sideload
- Okta Authentication Failed During MFA Challenge
- Okta IDP Lifecycle Modifications
- Okta Multi-Factor Authentication Disabled
- Okta Multiple Accounts Locked Out
- Okta Multiple Failed MFA Requests For User
- Okta Multiple Users Failing To Authenticate From Ip
- Okta Successful Single Factor Authentication
- Okta Unauthorized Access to Application
- O365 Compliance Content Search Exported
- O365 Compliance Content Search Started
- O365 Elevated Mailbox Permission Assigned
- O365 Mailbox Email Forwarding Enabled
- O365 Mailbox Folder Read Permission Assigned
- O365 Mailbox Folder Read Permission Granted
- O365 New Email Forwarding Rule Created
- O365 New Email Forwarding Rule Enabled
- O365 New Forwarding Mailflow Rule Created
- O365 Security And Compliance Alert Triggered
- Okta User Logins From Multiple Cities
- Windows AppLocker Block Events
- Windows AppLocker Execution from Uncommon Locations
- Windows AppLocker Privilege Escalation via Unauthorized Bypass
- Windows AppLocker Rare Application Launch Detection
- Windows Unsigned MS DLL Side-Loading
- Zscaler Adware Activities Threat Blocked
- Zscaler Behavior Analysis Threat Blocked
- Zscaler CryptoMiner Downloaded Threat Blocked
- Zscaler Employment Search Web Activity
- Zscaler Exploit Threat Blocked
- Zscaler Legal Liability Threat Blocked
- Zscaler Malware Activity Threat Blocked
- Zscaler Phishing Activity Threat Blocked
- Zscaler Potentially Abused File Download
- Zscaler Privacy Risk Destinations Threat Blocked
- Zscaler Scam Destinations Threat Blocked
- Zscaler Virus Download threat blocked
New Analytic Stories (5)
- APT29 Diplomatic Deceptions with WINELOADER
- Outlook RCE CVE-2024-21378
- Okta Account Takeover
- Windows AppLocker
- Zscaler Browser Proxy Threats
Updated Analytics (32)
- CertUtil With Decode Argument
- Email Attachments With Lots Of Spaces
- Okta MFA Exhaustion Hunt
- Okta Mismatch Between Source and Response for Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta New API Token Created
- Okta New Device Enrolled on Account
- Okta Phishing Detection with FastPass Origin Check
- Okta Risk Threshold Exceeded
- Okta Suspicious Activity Reported
- Okta Suspicious Use of a Session Cookie
- Okta ThreatInsight Threat Detected
- Suspicious Email Attachment Extensions
- O365 Admin Consent Bypassed by Service Principal
- O365 Application Impersonation Role Assigned
- O365 Mailbox Inbox Folder Shared with All Users
- O365 PST export alert
- Detect Use of cmd exe to Launch Script Interpreters
- Detection of tools built by NirSoft
- Excessive File Deletion In WinDefender Folder
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion of SSL Certificate
- Malicious Powershell Executed As A Service
- Registry Keys Used For Persistence
- SchCache Change By App Connect And Create ADSI Object
- Suspicious Regsvr32 Register Suspicious Path
- Windows Data Destruction Recursive Exec Files Deletion
- Windows High File Deletion Frequency
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- SMB Traffic Spike
- SMB Traffic Spike - MLTK
- Web Remote ShellServlet Access
Updated Analytic Stories (3)
The team also published the blog From Water to Wine: An Analysis of WINELOADER.
For all our tools and security content, please visit research.splunk.com.
— The Splunk Threat Research Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Get Updates on the Splunk Community!
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Splunk AppDynamics Agents Webinar Series
Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
Labels
