v5.10.0

Key Highlights

• 🔐 Citrix NetScaler CVE-2025-5777 (CitrixBleed 2): Introduced a new analytic story addressing CitrixBleed 2, a critical memory disclosure vulnerability actively exploited in the wild since June 2025. This release includes a detection for identifying HTTP requests to the vulnerable /nf/auth/startwebview.do endpoint, helping security teams uncover scanning and exploitation activity targeting Citrix ADC and Gateway appliances.

• 🧱 Microsoft SharePoint Vulnerabilities: Introduced a new analytic story focused on detecting exploitation attempts related to CVE-2025-53770, a vulnerability in the ToolPane.aspx endpoint of Microsoft SharePoint. This story includes detections for suspicious requests to the vulnerable endpoint, GET activity to known malicious webshells like spinstall0.aspx, and file creation events indicative of webshell deployment—helping identify both initial exploitation and post-exploitation activity.

• 💻 ESXi Post-Compromise Activity: Shipped a new analytic story focused on detecting attacker behavior after initial access to ESXi environments. This story includes 24 detections for actions such as VM termination, reverse shells, SSH brute force, system clock tampering, audit log wiping, unauthorized user elevation, and malicious VIB installations—providing broad coverage for common post-compromise tactics.

• 🛡️ Cisco Duo Suspicious Activity: Released a new analytic story to detect unusual or risky administrative behavior and insecure policy configurations in Cisco Duo environments. This release includes 14 detections covering unusual admin logins by browser, OS, or country, generation of bypass codes, and policy settings that allow risky behavior like skipping 2FA, allowing tampered devices, or permitting outdated Java/Flash use.

• 🐀 Quasar RAT: Released a new analytic story focused on detecting activity related to Quasar RAT, a widely used open-source remote access Trojan known for credential theft, surveillance, and lateral movement. This story maps over 20 existing detections to Quasar techniques and adds three new detections targeting unusual access to sensitive configuration and credential storage locations such as FileZilla XML configs, IntelliForms registry entries, and Mozilla NSS libraries—enabling better visibility into post-exploitation behavior and stealthy credential harvesting.

New Analytic Story - [5]

• Cisco Duo Suspicious Activity
• Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
• ESXi Post Compromise
• Microsoft SharePoint Vulnerabilities
• Quasar RAT

New Analytics - [45]

• Cisco Duo Admin Login Unusual Browser
• Cisco Duo Admin Login Unusual Country
• Cisco Duo Admin Login Unusual Os
• Cisco Duo Bulk Policy Deletion
• Cisco Duo Bypass Code Generation
• Cisco Duo Policy Allow Devices Without Screen Lock
• Cisco Duo Policy Allow Network Bypass 2FA
• Cisco Duo Policy Allow Old Flash
• Cisco Duo Policy Allow Old Java
• Cisco Duo Policy Allow Tampered Devices
• Cisco Duo Policy Bypass 2FA
• Cisco Duo Policy Deny Access
• Cisco Duo Policy Skip 2FA for Other Countries
• Cisco Duo Set User Status to Bypass 2FA
• Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
• Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
• ESXi Account Modified
• ESXi Audit Tampering
• ESXi Bulk VM Termination
• ESXi Download Errors
• ESXi Encryption Settings Modified
• ESXi External Root Login Activity
• ESXi Firewall Disabled
• ESXi Lockdown Mode Disabled
• ESXi Loghost Config Tampering
• ESXi Malicious VIB Forced Install
• ESXi Reverse Shell Patterns
• ESXi SSH Brute Force
• ESXi SSH Enabled
• ESXi Sensitive Files Accessed
• ESXi Shared or Stolen Root Account
• ESXi Shell Access Enabled
• ESXi Syslog Config Change
• ESXi System Clock Manipulation
• ESXi System Information Discovery
• ESXi User Granted Admin Role
• ESXi VIB Acceptance Level Tampering
• ESXi VM Discovery
• ESXi VM Exported via Remote Tool
• Windows SharePoint Spinstall0 GET Request
• Windows SharePoint Spinstall0 Webshell File Creation
• Windows SharePoint ToolPane Endpoint Exploitation Attempt
• Windows Unusual FileZilla XML Config Access
• Windows Unusual Intelliform Storage Registry Access
• Windows Unusual Process Load Mozilla NSS-Mozglue Module

Other Updates

• Added a missing data source file for Cisco NVM and updated data source files to use PascalCase for XmlWinEventLog
• As previously communicated in the ESCU v5.8.0 release, several detections have been removed. For a complete list of the detections removed in version v5.10.0, refer to the List of Removed Detections in v5.10.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.12.0, see the List of Detections Scheduled for Removal in ESCU v5.12.0.

v5.9.0

Key Highlights

• 🔍 Cisco Network Visibility Module Analytics: Introduced a new analytic story leveraging Cisco NVM telemetry to detect suspicious endpoint network behavior. This release includes 14 analytics covering threats such as insecure curl usage, typosquatted Python packages, abuse of native Windows tools like rundll32 and mshta, and anomalous network connections from uncommon or argument-less processes.

• 💣 Disk Wiper: Released a new analytic story focused on identifying destructive malware that irreversibly erases disk data, with tagged detections targeting recursive file deletion and raw access to disk volumes and the primary boot record.

• ⚙️ CrowdStrike EDR Playbook Pack for Splunk SOAR: Shipped a new playbook pack that enables automated investigation, enrichment, and response using CrowdStrike Falcon, helping security teams streamline endpoint operations with playbooks for actions like device isolation, process termination, file handling, and denylisting executables.

New Analytic Story - [2]

• Cisco Network Visibility Module Analytics
• Disk Wiper

New Analytics - [19]

• Cisco NVM - Curl Execution With Insecure Flags
• Cisco NVM - Installation of Typosquatted Python Package
• Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
• Cisco NVM - Non-Network Binary Making Network Connection
• Cisco NVM - Outbound Connection to Suspicious Port
• Cisco NVM - Rclone Execution With Network Activity
• Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
• Cisco NVM - Susp Script From Archive Triggering Network Activity
• Cisco NVM - Suspicious Download From File Sharing Website
• Cisco NVM - Suspicious File Download via Headless Browser
• Cisco NVM - Suspicious Network Connection From Process With No Args
• Cisco NVM - Suspicious Network Connection Initiated via MsXsl
• Cisco NVM - Suspicious Network Connection to IP Lookup Service API
• Cisco NVM - Webserver Download From File Sharing Website
• CrowdStrike Falcon Stream Alerts(Internal Contributor : @bpluta-splunk)
• Linux Auditd Auditd Daemon Abort
• Linux Auditd Auditd Daemon Shutdown
• Linux Auditd Auditd Daemon Start
• Windows File Download Via PowerShell

Updated Analytics - [2]

• Attacker Tools On Endpoint(External Contributor : @sventec )
• O365 BEC Email Hiding Rule Created(External Contributor @0xC0FFEEEE )

Macros Added - [1]

• cisco_network_visibility_module_flowdata

Macros Updated - [0]

Lookups Added - [2]

• suspicious_ports_list
• typo_squatted_python_packages

Lookups Updated - [1]

• attacker_tools

Other Updates

• Updated all content to use the latest links for Splunk Documentation - https://help.splunk.com/

Playbooks Added - [9]

(Internal Contributor : @ccl0utier )

• CrowdStrike OAuth API Endpoint Analysis
• CrowdStrike OAuth API Executable Denylisting
• CrowdStrike OAuth API File Collection
• CrowdStrike OAuth API File Eviction
• CrowdStrike OAuth API File Restore
• CrowdStrike OAuth API Get Device Info
• CrowdStrike OAuth API Network Isolation
• CrowdStrike OAuth API Network Restore
• CrowdStrike OAuth API Process Termination

v5.8.0

Key Highlights

• 🥸Remote Employment Fraud Detections
  Remote Employment Fraud involves threat actors posing as job seekers or employers in order to gain unauthorized access to systems or employment through deceptive means. In many cases, it involves the use of fraudulent or stolen identity documents which are used to hide the true identity and/or location of an employee. This release includes a number of analytics that can help detect the digital footprint of employment fraud through the analysis of unexpected Network behaviors (such as VPN usage or anomalously high latency) or the presence of nonstandard audio or video devices.
• 📦Inno Setup Abuse
  Inno Setup is a widely used, legitimate packaging tool for the installation of software in Windows environments. Recently, it has seen increasingly common usage by malicious actors, hiding embedded malware payloads in otherwise benevolent software installers. These payloads, which are often encrypted or obfuscated, are then executed by a number of different means such as scripting or process injection. This story demonstrates a number of different techniques observed by malware abusing Inno Setup to gain execution and persistence.
• 🕸️Web Browser Abuse
  Locally installed malware may use Web Browsers to aid in the execution of malicious code, perform command and control, or transfer files. To decrease their footprint or provide flexibility in how they operate, this malware may supply a number of nonstandard command line flags when launching browsers. This release supplies a number of analytics which recognize these suspicious flags.

New Analytic Story - [2]

• Malicious Inno Setup Loader
• Remote Employment Fraud

New Analytics - [4]

• Windows Chromium Browser No Security Sandbox Process
• Windows Chromium Browser with Custom User Data Directory
• Windows DNS Query Request To TinyUrl
• Windows Disable Internet Explorer Addons

Updated Analytics - [63]

• A number of analytics have been updated with improved formatting and tagged with new analytic stories.
• Several analytics had their logic tuned, improved and updated.
  Cobalt Strike Named Pipes
  Detect Renamed WinRAR
  Excessive Usage Of Cacls App
  Icacls Deny Command
  ICACLS Grant Command
  Modify ACL permission To Files Or Folder
  Network Traffic to Active Directory Web Services Protocol
  Suspicious Copy on System32
  Windows Files and Dirs Access Rights Modification Via Icacls

Other Updates

• Added Macro - “zoom_index”
• Updated Macro “gsuite_drive”
• As previously communicated in the ESCU v5.6.0 release, several detections have been removed. For a complete list of the detections removed in version v5.8.0, refer to the List of Removed Detections in v5.8.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.10.0, see the List of Detections Scheduled for Removal in ESCU v5.10.0.

v5.7.0

Key highlights

ESCU 5.7.0 brings tighter integration with Cisco Security Products and a number of fixes and improvements to existing content:

🛡️ Cisco Secure Firewall Threat Defense Integration
Improved and tested several ESCU detections to work with Event Streamer (eStreamer) data collected by the Cisco Secure Firewall Threat Defense (FTD) platform. For more information about Cisco Secure Firewall, go to the Cisco Secure Firewall site or refer to the Cisco Secure Firewall Threat Defense Analytics analytic story.

🐛 Bugfixes based on community feedback
Feedback from community members and users continues to be one of the best paths to improve the quality and performance of ESCU content. This release includes a number of bug fixes that reduces false positives and improves the risk entities and fields returned from searches.

New Analytics - [1]

• Cisco Secure Firewall - Remote Access Software Usage Traffic

Updated Analytics - [12]

• AWS Defense Evasion Impair Security Services
• Detect Outbound LDAP Traffic
• Detect Remote Access Software Usage Traffic
• Internal Horizontal Port Scan NMAP Top 20
• Internal Horizontal Port Scan
• Internal Vertical Port Scan
• O365 Concurrent Sessions From Different Ips
• Prohibited Network Traffic Allowed
• Protocol or Port Mismatch
• Protocols passing authentication in cleartext
• TOR Traffic
• Windows Sensitive Registry Hive Dump Via CommandLine

Other Updates

• Added lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools
• Updated lookups cisco_secure_firewall_filetype_lookup and cisco_snort_ids_to_threat_mapping
• No detections have been removed in the ESCU v5.7.0 release. As previously communicated in the ESCU v5.6.0 release, several detections will be removed in ESCU v5.8.0. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0

v5.6.0

Key highlights

🛡️ Cisco Secure Firewall Intrusion Analytics
We developed six new analytic rules using Intrusion logs to detect high-priority intrusion events, group alerts by threat activity, identify Lumma Stealer behaviors (download and outbound attempts), and monitor Veeam CVE-2023-27532 exploitation by combining the presence of specific Snort IDs triggered in a short period of time.

📊 Threat Activity by Snort IDs Dashboard
A new dashboard leveraging Cisco Firewall logs from eStreamer and a curated lookup to correlate Snort intrusion identifiers with specific threat actors, visualize device-wide activity and file trends, and explore the overall risk profile of the host with events from Splunk Enterprise Security.

📝 New Analytic Story & Threat Mappings
We published a new analytic story on Fake CAPTCHA campaigns—mapping existing detections to observed TTPs and introducing a Windows PowerShell FakeCAPTCHA Clipboard Execution detection—and completed comprehensive Xworm RAT threat mapping to ensure broad detection coverage.

New Analytic Story - [2]

• Fake CAPTCHA Campaigns
• XWorm

New Analytics - [8]

• Cisco Secure Firewall - High Priority Intrusion Classification
• Cisco Secure Firewall - Intrusion Events by Threat Activity
• Cisco Secure Firewall - Lumma Stealer Activity
• Cisco Secure Firewall - Lumma Stealer Download Attempt
• Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
• Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
• Windows PowerShell FakeCAPTCHA Clipboard Execution
• Windows Renamed Powershell Execution

Other Updates

• Added two new lookups cisco_snort_ids_to_threat_mapping and threat_snort_count that contain information about snort Ids that are mapped to specific threat actors

• Updated several detections based on customer feedback and bug reports on Github issues.

• As previously communicated in the ESCU v5.4.0 release, several detections have been removed. For a complete list of the detections removed in version v5.6.0, refer to the List of Removed Detections in v5.6.0. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0

v5.5.0

✨ Highlights

• 🛡️ SAP NetWeaver Exploitation
  Released a new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. You can read more about this vulnerability here.

• 🍏 AMOS Stealer Analytics
  Added a new analytic story for AMOS Stealer and introduced the “macOS AMOS Stealer – Virtual Machine Check Activity” detection, which looks for the execution of the osascript command along with specific command-line strings.

• 🪟 Additional Windows Detections
  We shipped three new Windows-focused detections to improve visibility into post-compromise activity: one that identifies reconnaissance by monitoring built-in log query utilities against the Windows Event Log, another that alerts when an adversary clears the Event Log via Wevtutil, and a third that detects malicious file downloads executed through the CertUtil utility.

New Analytic Story - [2]

• AMOS Stealer
• SAP NetWeaver Exploitation

New Analytics - [5]

• MacOS AMOS Stealer - Virtual Machine Check Activity
• SAP NetWeaver Visual Composer Exploitation Attempt
• Windows EventLog Recon Activity Using Log Query Utilities
• Windows Eventlog Cleared Via Wevtutil
• Windows File Download Via CertUtil

Other Updates

• Updated theis_nirsoft_software lookup with additional nirsoft tooling
• Updated attack_data links for several detections.

v5.4.0

✨ Highlights

• 🔥 Cisco Secure Firewall Threat Defense Analytics: We published a new analytic story and added new detections for Cisco Secure Firewall focusing on three primary event types—file events, network connections, and intrusion alerts. These detections identify activity such as malicious or uncommon file downloads, connections over suspicious ports or to file-sharing domains, and Snort rule-based intrusion events across multiple hosts. This enables broader visibility into network-based threats and host-level indicators of compromise.

• 🤖 AWS Bedrock Security: Released a new analytic story to monitor for adversary techniques targeting AWS Bedrock, a managed service used to build and scale generative AI applications. This includes detections for the deletion of security guardrails, knowledge bases, and logging configurations, as well as high volumes of model invocation failures.

• 🕵️ Mapping Threat Campaigns: Several detections have been mapped to known threat actors and malware campaigns, including Cactus Ransomware, Earth Alux, Storm-2460 CLFS Zero Day Exploitation and Water Gamayun, to improve attribution to TTPs and provide insights into observed behaviors.

• 🆕 New Detections: Introduced additional detections for tactics such as directory path manipulation via MSC files, IP address collection using PowerShell Invoke-RestMethod, process spawning from CrushFTP, and deletion of Volume Shadow Copies via WMIC. These detections target adversary behavior related to discovery, lateral movement, and anti-forensics.

---

📚 New Analytic Stories – [6]

• AWS Bedrock Security
• Cactus Ransomware
• Cisco Secure Firewall Threat Defense Analytics
• Earth Alux
• Storm-2460 CLFS Zero Day Exploitation
• Water Gamayun

---

🧠 New Analytics – [27]

• AWS Bedrock Delete GuardRails
• AWS Bedrock Delete Knowledge Base
• AWS Bedrock Delete Model Invocation Logging Configuration
• AWS Bedrock High Number List Foundation Model Failures
• AWS Bedrock Invoke Model Access Denied
• Cisco Secure Firewall - Binary File Type Download
• Cisco Secure Firewall - Bits Network Activity
• Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
• Cisco Secure Firewall - Blocked Connection
• Cisco Secure Firewall - Communication Over Suspicious Ports
• Cisco Secure Firewall - Connection to File Sharing Domain
• Cisco Secure Firewall - File Download Over Uncommon Port
• Cisco Secure Firewall - High EVE Threat Confidence
• Cisco Secure Firewall - High Volume of Intrusion Events Per Host
• Cisco Secure Firewall - Malware File Downloaded
• Cisco Secure Firewall - Potential Data Exfiltration
• Cisco Secure Firewall - Rare Snort Rule Triggered
• Cisco Secure Firewall - Repeated Blocked Connections
• Cisco Secure Firewall - Repeated Malware Downloads
• Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
• Cisco Secure Firewall - Wget or Curl Download
• CrushFTP Authentication Bypass Exploitation
• CrushFTP Max Simultaneous Users From IP
• Windows MSC EvilTwin Directory Path Manipulation
• Windows PowerShell Invoke-RestMethod IP Information Collection
• Windows Shell Process from CrushFTP
• Windows WMIC Shadowcopy Delete

---

🛠 Other Updates

• 🔄 Reverted several searches to use | join instead of prestats = t due to bugs encountered in the search logic.
• ❌ Removed Detections – As notified in the ESCU v5.2.0 release, we have removed these detections. Please use replacements where appropriate.
• 🗓️ Deprecated more detections now scheduled for removal in ESCU v5.6.0.
• 📥 Updated deprecation_info lookup to reflect the latest list of deprecated and removed detections.

v5.3.0

Key Highlights

• ⚙️ Detection Output Standardization: Additionally, we’ve updated the majority of our detections to include a standardized set of output fields within each detection analytic and enhanced our tooling to consistently enforce this structure—improving usability, correlation, and integration across security workflows.

• 🚨 Apache Tomcat Session Deserialization Attacks: CVE-2025-24813 is an unauthenticated remote code execution vulnerability in Apache Tomcat’s partial PUT feature disclosed on March 10, 2025. We introduced a new analytic story targeting potential exploitation of Apache Tomcat servers. This story includes detections for suspicious session deserialization attempts and file uploads—techniques commonly used by attackers to gain remote access or execute arbitrary code.

• 🪟 Windows Shortcut Exploit Abuse: Released a new analytic story to detect emerging exploitation patterns involving Windows LNK files. This includes detections for abuse of SSH ProxyCommand, LNK files with abnormal padding, and Windows Explorer spawning suspicious processes like PowerShell or CMD. These analytics are designed to surface stealthy initial access and execution techniques leveraged in recent zero-day attacks. More details can be found here - (ZDI-CAN-25373)

• 💥 New Ransomware Campaigns: We’ve expanded our ransomware mapping to include detection coverage for emerging threats such as Medusa Ransomware, Termite, Van Helsing, Salt Typhoon, and Sea Shell Blizzard. These mappings help contextualize detections within current threat actor TTPs and provide better visibility into campaign-specific behaviors.

• 🔥 Windows Firewall Rule Monitoring: We also introduced new detections to monitor firewall-related security events on Windows systems, including: Windows Firewall Rule Added, Windows Firewall Rule Deletion, and Windows Firewall Rule Modification—helping security teams track unauthorized or suspicious changes to host-based firewall configurations.

New Analytic Stories - [8]

• Apache Tomcat Session Deserialization Attacks
• Medusa Ransomware
• PHP-CGI RCE Attack on Japanese Organizations
• Salt Typhoon
• Seashell Blizzard
• Termite Ransomware
• VanHelsing Ransomware
• ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day (Contributor: @ajkingio , @hunter-3)

New Analytics - [15]

• Detect Large ICMP Traffic
• Tomcat Session Deserialization Attempt
• Tomcat Session File Upload Attempt
• Windows AD Self DACL Assignment
• Windows ConsoleHost History File Deletion
• Windows Explorer LNK Exploit Process Launch With Padding (Contributor: @ajkingio, @hunter-3)
• Windows Explorer.exe Spawning PowerShell or Cmd (Contributor: @ajkingio, @hunter-3)
• Windows Firewall Rule Added
• Windows Firewall Rule Deletion
• Windows Firewall Rule Modification
• Windows MSTSC RDP Commandline
• Windows Powershell History File Deletion
• Windows Process Injection into Commonly Abused Processes (Contributor: @0xC0FFEEEE)
• Windows Remote Host Computer Management Access
• Windows SSH Proxy Command(Contributor: @ajkingio, @hunter-3)

Other Updates

• Updated ransomware_extensions and remote_access_software lookup with new values. (Contributor @sventec)
• Updated a majority of detections to output improved field names, which should enhance how they appear in Enterprise Security. We also added output_fields to the data source objects to enforce output validation for detection analytics
• Fixed a minor bug that prevented the deprecated and removed content warning banner from displaying correctly on the landing page

v5.2.0

Key highlights

We released new analytic stories and detections to enhance monitoring and security across GitHub, O365, and SQL Server environments. Here’s a summary of the latest updates:

• 👨‍💻 GitHub Malicious Activity: A new analytic story focused on detecting potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.

• 📧 O365 Email Threat Monitoring: Expanded coverage for malicious email activity in O365 environments. New detections focus on identifying inbox rule modifications, excessive email deletions, suspicious exfiltration behavior, and attempts to compromise payroll or password information. These detections help security teams track and mitigate email-based attacks, account takeovers, and data exfiltration tactics.

• 🗒️ SQL Server Abuse: Introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.

• 🔍 We have also mapped several of our existing detections to the Black Basta Ransomware, SnappyBee and SystemBC malware families as they continue to make headlines targeting various organizations.

• 🎗️ As announced in ESCU v5.0.0 release, we are removing old and dated content from the app starting with ESCU v5.2.0, which includes several removal of detections in this release to improve quality of detections. Along with the deprecation assistant that is shipped in the application, you can also refer to this list of removed detections and replacements on Splunk docs.

New Analytic Story - [6]

• Black Basta Ransomware
• China-Nexus Threat Activity
• GitHub Malicious Activity
• SQL Server Abuse
• SnappyBee
• SystemBC

New Analytics - [43]

• Executables Or Script Creation In Temp Path
• GitHub Enterprise Delete Branch Ruleset
• GitHub Enterprise Disable 2FA Requirement
• GitHub Enterprise Disable Audit Log Event Stream
• GitHub Enterprise Disable Classic Branch Protection Rule
• GitHub Enterprise Disable Dependabot
• GitHub Enterprise Disable IP Allow List
• GitHub Enterprise Modify Audit Log Event Stream
• GitHub Enterprise Pause Audit Log Event Stream
• GitHub Enterprise Register Self Hosted Runner
• GitHub Enterprise Remove Organization
• GitHub Enterprise Repository Archived
• GitHub Enterprise Repository Deleted
• GitHub Organizations Delete Branch Ruleset
• GitHub Organizations Disable 2FA Requirement
• GitHub Organizations Disable Classic Branch Protection Rule
• GitHub Organizations Disable Dependabot
• GitHub Organizations Repository Archived
• GitHub Organizations Repository Deleted
• O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE )
• O365 Email Hard Delete Excessive Volume (External Contributor: @nterl0k)
• O365 Email New Inbox Rule Created (External Contributor: @nterl0k)
• O365 Email Password and Payroll Compromise Behavior (External Contributor: @nterl0k)
• O365 Email Receive and Hard Delete Takeover Behavior (External Contributor: @nterl0k)
• O365 Email Send Attachments Excessive Volume(External Contributor: @nterl0k)
• O365 Email Send and Hard Delete Exfiltration Behavior(External Contributor: @nterl0k)
• O365 Email Send and Hard Delete Suspicious Behavior(External Contributor: @nterl0k)
• O365 Email Suspicious Search Behavior(External Contributor: @nterl0k)
• Windows Anonymous Pipe Activity
• Windows PowerShell Invoke-Sqlcmd Execution
• Windows Process Execution From ProgramData
• Windows SQL Server Configuration Option Hunt
• Windows SQL Server Critical Procedures Enabled
• Windows SQL Server Extended Procedure DLL Loading Hunt
• Windows SQL Server Startup Procedure
• Windows SQL Server xp_cmdshell Config Change
• Windows SQLCMD Execution
• Windows Scheduled Task with Suspicious Command
• Windows Scheduled Task with Suspicious Name
• Windows SnappyBee Create Test Registry
• Windows Sqlservr Spawning Shell
• Windows Svchost.exe Parent Process Anomaly
• Windows Unusual SysWOW64 Process Run System32 Executable

Macros Added - [5]

• github_enterprise
• github_organizations
• o365_messagetrace
• o365_suspect_search_terms_regex
• process_sqlcmd

Macros Updated - [1]

• linux_auditd

Lookups Added - [2]

• deprecation_info
• windows_suspicious_tasks

Lookups Updated - [1]

• ransomware_notes_lookup

Removed detections from v5.2.0

• The list of removed detections and its potential replacements(where available)

Marked for Deprecation in v5.4.0

• AWS SAML Access by Provider User and Principal
• GitHub Actions Disable Security Workflow
• aws detect permanent key creation
• Github Commit In Develop
• Suspicious Driver Loaded Path
• Known Services Killed by Ransomware
• Github Commit Changes In Master
• GitHub Pull Request from Unknown User
• [Suspicious Event Log Service Behavior](https://research.splunk.com/deprecated/2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e...

v5.1.1

Release notes -v5.1.1 (Patch build)

• Minor text update to malicious_powershell_strings.csv lookup file that caused MS Defender to falsely flag ESCU v5.1.0 as a malware.