v4.30.0

Release notes

New Analytics Story

• Okta Account Takeover
• Windows AppLocker
• Zscaler Browser Proxy Threats

Updated Analytics Story

• Azure Active Directory Account Takeover
• Compromised User Account
• GCP Account Takeover

New Analytics

• Okta Authentication Failed During MFA Challenge
• Okta IDP Lifecycle Modifications
• Okta Multi-Factor Authentication Disabled
• Okta Multiple Accounts Locked Out
• Okta Multiple Failed MFA Requests For User
• Okta Multiple Users Failing To Authenticate From Ip
• Okta Successful Single Factor Authentication
• Okta Unauthorized Access to Application
• O365 Compliance Content Search Exported
• O365 Compliance Content Search Started
• O365 Elevated Mailbox Permission Assigned
• O365 Mailbox Email Forwarding Enabled
• O365 Mailbox Folder Read Permission Assigned
• O365 Mailbox Folder Read Permission Granted
• O365 New Email Forwarding Rule Created
• O365 New Email Forwarding Rule Enabled
• O365 New Forwarding Mailflow Rule Created
• O365 Security And Compliance Alert Triggered
• Okta User Logins From Multiple Cities
• Windows AppLocker Block Events
• Windows AppLocker Execution from Uncommon Locations
• Windows AppLocker Privilege Escalation via Unauthorized Bypass
• Windows AppLocker Rare Application Launch Detection
• Windows Unsigned MS DLL Side-Loading
• Zscaler Adware Activities Threat Blocked
• Zscaler Behavior Analysis Threat Blocked
• Zscaler CryptoMiner Downloaded Threat Blocked
• Zscaler Employment Search Web Activity
• Zscaler Exploit Threat Blocked
• Zscaler Legal Liability Threat Blocked
• Zscaler Malware Activity Threat Blocked
• Zscaler Phishing Activity Threat Blocked
• Zscaler Potentially Abused File Download
• Zscaler Privacy Risk Destinations Threat Blocked
• Zscaler Scam Destinations Threat Blocked
• Zscaler Virus Download threat blocked

Updated Analytics

• Email Attachments With Lots Of Spaces
• Okta MFA Exhaustion Hunt
• Okta Mismatch Between Source and Response for Verify Push Request
• Okta Multiple Failed Requests to Access Applications
• Okta New API Token Created
• Okta New Device Enrolled on Account
• Okta Phishing Detection with FastPass Origin Check
• Okta Risk Threshold Exceeded
• Okta Suspicious Activity Reported
• Okta Suspicious Use of a Session Cookie
• Okta ThreatInsight Threat Detected
• Suspicious Email Attachment Extensions
• O365 Admin Consent Bypassed by Service Principal
• O365 ApplicationImpersonation Role Assigned
• O365 Mailbox Inbox Folder Shared with All Users
• O365 PST export alert
• Prohibited Software On Endpoint
• Detect Use of cmd exe to Launch Script Interpreters
• Detection of tools built by NirSoft
• Excessive File Deletion In WinDefender Folder(External Contributor : @nterl0k )
• Linux Account Manipulation Of SSH Config and Keys
• Linux Deletion of SSL Certificate
• Malicious Powershell Executed As A Service
• Registry Keys Used For Persistence
• SchCache Change By App Connect And Create ADSI Object
• Suspicious Regsvr32 Register Suspicious Path
• Windows Data Destruction Recursive Exec Files Deletion (External Contributor : @nterl0k )
• Windows High File Deletion Frequency External Contributor : @nterl0k )
• Windows MSHTA Writing to World Writable Path
• Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
• SMB Traffic Spike
• SMB Traffic Spike - MLTK
• Web Remote ShellServlet Access

Macros Added

• applocker
• zscaler_proxy

Macros Updated

• okta

Lookups Added

• applockereventcodes

Other Updates

• Added a new dashboard ESCU - AppLocker, Navigate to your Dashboards and search for "ESCU - AppLocker" to assist with auditing and monitoring Windows AppLocker events for your endpoints (Splunk Enterprise 9.x.x version and above only)