What's new
Enterprise Security Content Updates v4.30.0 was released on April 18, 2024. It includes the following enhancements:
New analytic stories
Updated analytic story
New analytics
- Okta Authentication Failed During MFA Challenge
- Okta IDP Lifecycle Modifications
- Okta Multi-Factor Authentication Disabled
- Okta Multiple Accounts Locked Out
- Okta Multiple Failed MFA Requests For User
- Okta Multiple Users Failing To Authenticate From Ip
- Okta Successful Single Factor Authentication
- Okta Unauthorized Access to Application
- O365 Compliance Content Search Exported
- O365 Compliance Content Search Started
- O365 Elevated Mailbox Permission Assigned
- O365 Mailbox Email Forwarding Enabled
- O365 Mailbox Folder Read Permission Assigned
- O365 Mailbox Folder Read Permission Granted
- O365 New Email Forwarding Rule Created
- O365 New Email Forwarding Rule Enabled
- O365 New Forwarding Mailflow Rule Created
- O365 Security And Compliance Alert Triggered
- Okta User Logins From Multiple Cities
- Windows AppLocker Block Events
- Windows AppLocker Execution from Uncommon Locations
- Windows AppLocker Privilege Escalation via Unauthorized Bypass
- Windows AppLocker Rare Application Launch Detection
- Windows Unsigned MS DLL Side-Loading
- Zscaler Adware Activities Threat Blocked
- Zscaler Behavior Analysis Threat Blocked
- Zscaler CryptoMiner Downloaded Threat Blocked
- Zscaler Employment Search Web Activity
- Zscaler Exploit Threat Blocked
- Zscaler Legal Liability Threat Blocked
- Zscaler Malware Activity Threat Blocked
- Zscaler Phishing Activity Threat Blocked
- Zscaler Potentially Abused File Download
- Zscaler Privacy Risk Destinations Threat Blocked
- Zscaler Scam Destinations Threat Blocked
- Zscaler Virus Download threat blocked
Updated analytics
- Email Attachments With Lots Of Spaces
- Okta MFA Exhaustion Hunt
- Okta Mismatch Between Source and Response for Verify Push Request
- Okta Multiple Failed Requests to Access Applications
- Okta New API Token Created
- Okta New Device Enrolled on Account
- Okta Phishing Detection with FastPass Origin Check
- Okta Risk Threshold Exceeded
- Okta Suspicious Activity Reported
- Okta Suspicious Use of a Session Cookie
- Okta ThreatInsight Threat Detected
- Suspicious Email Attachment Extensions
- O365 Admin Consent Bypassed by Service Principal
- O365 Application Impersonation Role Assigned
- O365 Mailbox Inbox Folder Shared with All Users
- O365 PST export alert
- Prohibited Software On Endpoint
- Detect Use of cmd exe to Launch Script Interpreters
- Detection of tools built by NirSoft
- Excessive File Deletion In WinDefender Folder
- Linux Account Manipulation Of SSH Config and Keys
- Linux Deletion of SSL Certificate
- Malicious Powershell Executed As A Service
- Registry Keys Used For Persistence
- SchCache Change By App Connect And Create ADSI Object
- Suspicious Regsvr32 Register Suspicious Path
- Windows Data Destruction Recursive Exec Files Deletion
- Windows High File Deletion Frequency
- Windows MSHTA Writing to World Writable Path
- Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
- SMB Traffic Spike
- SMB Traffic Spike - MLTK
- Web Remote ShellServlet Access
Macros added
- applocker
- zscaler_proxy
Macros updated
- okta
Lookups added
- applockereventcodes
Other updates
- Added a new dashboard, ESCU - AppLocker. Navigate to your dashboards and search for ESCU - AppLocker to audit and monitor Windows AppLocker events on your endpoints. Applies to Splunk Enterprise version 9.x.x and higher.
Deprecated analytics
- Multiple Okta Users With Invalid Credentials From The Same IP
- Okta Account Locked Out
- Okta Account Lockout Events
- Okta Failed SSO Attempts
- Okta ThreatInsight Login Failure with High Unknown users
- Okta ThreatInsight Suspected PasswordSpray Attack
- Okta Two or More Rejected Okta Pushes
- O365 Suspicious User Email Forwarding
- O365 Suspicious Admin Email Forwarding
- O365 Suspicious Rights Delegation
Last modified on 18 April, 2024
This documentation applies to the following versions of Splunk® Security Content: 4.30.0