Splunk® Security Content

Release Notes

This documentation does not apply to the most recent version of Splunk® Security Content. For documentation on the most recent version, go to the latest release.

What's new

Enterprise Security Content Updates v3.50.0 was released on October 5, 2022. It includes the following enhancements.

New analytic stories

  • AgentTesla
  • AWS Identity and Access Management Account Takeover
  • CISA AA22-264A
  • Okta MFA Exhaustion

New analytics

  • AWS Multiple Users Failing to Authenticate From Ip
  • AWS Unusual Number of Failed Authentications From Ip
  • Detect DGA domains using pre-trained model in DSDL
  • Okta Account Locked Out
  • Okta MFA Exhaustion Hunt
  • Okta New API Token Created
  • Okta New Device Enrolled on Account
  • Okta Suspicious Activity Reported
  • Okta ThreatInsight Threat Detected
  • Okta Two or More Rejected Okta Pushes
  • Okta Risk Threshold Exceeded
  • Office Product Spawning Windows Script Host
  • Powershell COM Hijacking InprocServer32 Modification
  • Windows COM Hijacking InprocServer32 Modification
  • Windows File Transfer Protocol in Non-Common Process Path
  • Windows ISO LNK File Creation
  • Windows Mail Protocol in Non-Common Process Path
  • Windows Multi hop Proxy TOR Website Query
  • Windows System Script Proxy Execution Syncappvpublishingserver
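The Okta MFA Exhaustion story and the "Okta Two or More Rejected Okta Pushes" analytic both look for a user who turns down repeated push prompts, the signature of an attacker who holds valid credentials and spams the victim with MFA requests until one is approved. The Splunk content itself is SPL; the script below is an added Python example (not Splunk's or Okta's code) that runs the same counting logic over a few constructed Okta System Log lines. The event shape used here (eventType, published, actor.alternateId, outcome.result, outcome.reason) and the eventType and reason strings are assumptions modelled on the Okta System Log format, not values confirmed by this page.

```python
"""Added example: flag Okta users who reject N or more MFA pushes within a
sliding time window. Not Splunk's detection code; field names and event
strings are assumptions modelled on the Okta System Log JSON schema."""

import json
from collections import defaultdict
from datetime import datetime, timedelta

OKTA_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Assumed eventType for an MFA push verification (assumption, see lead-in).
PUSH_EVENT_TYPE = "user.authentication.auth_via_mfa"


def _event(ts, user, result, reason, event_type=PUSH_EVENT_TYPE):
    """Build one constructed System Log line in the assumed shape."""
    return json.dumps({
        "eventType": event_type,
        "published": ts,
        "actor": {"alternateId": user},
        "outcome": {"result": result, "reason": reason},
    })


# Constructed sample data (not real logs): alice is being fatigued and finally
# approves; bob rejects twice but hours apart; carol's event is a password
# failure, not a push, and must be ignored by the push filter.
SAMPLE_LOG_LINES = [
    _event("2022-10-05T13:00:00.000Z", "alice@example.com", "FAILURE", "User rejected Okta push verify"),
    _event("2022-10-05T13:02:10.000Z", "alice@example.com", "FAILURE", "User rejected Okta push verify"),
    _event("2022-10-05T13:03:45.000Z", "alice@example.com", "FAILURE", "User rejected Okta push verify"),
    _event("2022-10-05T13:05:00.000Z", "alice@example.com", "SUCCESS", "Okta push verify accepted"),
    _event("2022-10-05T09:00:00.000Z", "bob@example.com", "FAILURE", "User rejected Okta push verify"),
    _event("2022-10-05T16:00:00.000Z", "bob@example.com", "FAILURE", "User rejected Okta push verify"),
    _event("2022-10-05T13:01:00.000Z", "carol@example.com", "FAILURE", "INVALID_CREDENTIALS",
           event_type="user.session.start"),
]


def rejected_push_events(lines):
    """Return (user, timestamp) for every rejected-push event in the log lines."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventType") != PUSH_EVENT_TYPE:
            continue
        outcome = ev.get("outcome", {})
        if outcome.get("result") != "FAILURE":
            continue
        # "rejected" distinguishes a user-declined push from a timeout or other failure.
        if "rejected" not in outcome.get("reason", "").lower():
            continue
        ts = datetime.strptime(ev["published"], OKTA_TIME_FMT)
        out.append((ev["actor"]["alternateId"], ts))
    return out


def find_mfa_exhaustion(lines, threshold=2, window_minutes=30):
    """Map user -> summary for users with >= threshold rejections inside any
    window_minutes-long span. Uses a two-pointer sweep over sorted timestamps,
    so two rejections separated by hours do not trigger."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, ts in rejected_push_events(lines):
        by_user[user].append(ts)

    hits = {}
    for user, stamps in by_user.items():
        stamps.sort()
        best, first, last, j = 0, None, None, 0
        for i, start in enumerate(stamps):
            # Advance j to the first rejection more than `window` after `start`.
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            count = j - i
            if count > best:
                best, first, last = count, start, stamps[j - 1]
        if best >= threshold:
            hits[user] = {
                "rejected_pushes": best,
                "first": first.isoformat(),
                "last": last.isoformat(),
            }
    return hits


if __name__ == "__main__":
    for user, summary in find_mfa_exhaustion(SAMPLE_LOG_LINES).items():
        print(f"MFA exhaustion suspected for {user}: {summary}")
```

The window and threshold are the two knobs a tuner would adjust: a default of two rejections in 30 minutes is sensitive enough to catch a short fatigue burst, while the sliding window keeps isolated declines from the same user hours apart (bob above) out of the alert. A rejection followed by an acceptance from the same user, as in alice's last event, is the case worth escalating, since it suggests the attacker's push was finally approved.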

Updated analytics

  • Multiple Okta Users with Invalid Credentials From The Same IP
  • Okta Account Lockout Events
  • Okta Failed SSO Attempts
  • Exchange PowerShell Module Usage
  • Registry Keys Used for Persistence
  • Windows Phishing Recent ISO Exec Registry

Other updates

  • Removed the slim dependency from GitHub Actions, skipped detection testing on tag creation, and updated the token
  • Fixed bugs in the init functionality for creating a security_content custom application
  • Added advanced_port_scanner.exe to Attacker Tools Lookup

NOTE: This release contains a new type of analytic (Detect DGA domains using a pre-trained model in DSDL) that leverages the Splunk App for Data Science and Deep Learning to detect DNS connections to domains generated by Domain Generation Algorithms. This detection uses a pre-trained deep learning model, and you can find the steps to deploy this model in our GitHub Wiki.

Last modified on 05 October, 2022

This documentation applies to the following versions of Splunk® Security Content: 3.50.0

