v4.23.0
Release notes for ESCU v4.23.0
New Analytics Story
Updated Analytics Story
New Analytics
- Splunk Information Disclosure in Splunk Add-on Builder
- Kubernetes Anomalous Inbound Network Activity from Process
- Kubernetes Anomalous Outbound Network Activity from Process
- Kubernetes Anomalous Traffic on Network Edge
- Kubernetes Create or Update Privileged Pod
- Kubernetes Cron Job Creation
- Kubernetes DaemonSet Deployed
- Kubernetes Falco Shell Spawned
- Kubernetes newly seen TCP edge
- Kubernetes newly seen UDP edge
- Kubernetes Node Port Creation
- Kubernetes Pod Created in Default Namespace
- Kubernetes Pod With Host Network Attachment
- Kubernetes Scanning by Unauthenticated IP Address
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Configure App Install Control
- Windows Impair Defense Define Win Defender Threat Action
- Windows Impair Defense Disable Controlled Folder Access
- Windows Impair Defense Disable Defender Firewall And Network
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Impair Defense Disable PUA Protection
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Impair Defense Disable Web Evaluation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Windows MsiExec HideWindow Rundll32 Execution
- Windows Process Injection In Non-Service SearchIndexer
- Jenkins Arbitrary File Read CVE-2024-23897
Updated Analytics
- Kubernetes Access Scanning
- Kubernetes Anomalous Inbound Outbound Network IO
- Kubernetes Anomalous Inbound to Outbound Network IO Ratio
- Kubernetes AWS detect suspicious kubectl calls
- Kubernetes Previously Unseen Container Image Name
- Kubernetes Previously Unseen Process
- Kubernetes Process Running From New Path
- Kubernetes Process with Anomalous Resource Utilisation
- Kubernetes Process with Resource Ratio Anomalies
- Kubernetes Shell Running on Worker Node
- Kubernetes Shell Running on Worker Node with CPU Activity
- Disable Windows SmartScreen Protection
- Linux Service Started Or Enabled
- Unknown Process Using The Kerberos Protocol
- Windows Excessive Disabled Services Event
Other Updates
- Added a new input macro
sourcetype="kube:container:falco"
Playbook Updates
- Splunk Attack Analyzer Dynamic Analysis
- Splunk Automated Email Investigation
- Splunk Identifier Activity Analysis
- Splunk Message Identifier Activity Analysis