v4.26.0

New Analytics Story

• JetBrains TeamCity Vulnerabilities

Updated Analytics Story

New Analytics

• Cloud Security Groups Modifications by User
• Detect Remote Access Software Usage File(External Contributor : @nterl0k )
• Detect Remote Access Software Usage FileInfo(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Process(External Contributor : @nterl0k )
• Windows Multiple Account Passwords Changed
• Windows Multiple Accounts Deleted
• Windows Multiple Accounts Disabled
• Detect Remote Access Software Usage DNS(External Contributor : @nterl0k )
• Detect Remote Access Software Usage Traffic(External Contributor : @nterl0k )
• High Volume of Bytes Out to Url
• Detect Remote Access Software Usage URL(External Contributor : @nterl0k )
• JetBrains TeamCity Authentication Bypass CVE-2024-27198
• JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
• JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
• Nginx ConnectWise ScreenConnect Authentication Bypass

Updated Analytics

• AWS IAM Delete Policy (External Contributor: @ep3p )
• O365 Multiple Users Failing To Authenticate From Ip
• ConnectWise ScreenConnect Authentication Bypass
• JetBrains TeamCity RCE Attempt

Macros Added

• nginx_access_logs
• suricata

Macros Updated

Lookups Added

Lookups Updated

• remote_access_software

Playbooks Added

• G Suite for Gmail Message Eviction
• G Suite for Gmail Search and Purge
• MS Graph for Office 365 Message Eviction
• MS Graph for Office 365 Message Identifier Activity Analysis
• MS Graph for Office 365 Message Restore
• MS Graph for Office365 Search and Purge
• MS Graph for Office365 Search and Restore

Playbooks Updated

Other Updates

• Added a new script and a CI job to automatically upload the package to Splunkbase using a service account
• Create SSA-Content-latest.tar.gz in the generate_ba CI job