v5.7.0
Key highlights
ESCU 5.7.0 brings tighter integration with Cisco Security Products and a number of fixes and improvements to existing content:
🛡️ Cisco Secure Firewall Threat Defense Integration
Improved and tested several ESCU detections to work with Event Streamer (eStreamer) data collected by the Cisco Secure Firewall Threat Defense (FTD) platform. For more information about Cisco Secure Firewall, go to the Cisco Secure Firewall site or refer to the Cisco Secure Firewall Threat Defense Analytics analytic story.
🐛 Bugfixes based on community feedback
Feedback from community members and users continues to be one of the best paths to improve the quality and performance of ESCU content. This release includes a number of bug fixes that reduce false positives and improve the risk entities and fields returned from searches.
New Analytics - [1]
Updated Analytics - [12]
- AWS Defense Evasion Impair Security Services
- Detect Outbound LDAP Traffic
- Detect Remote Access Software Usage Traffic
- Internal Horizontal Port Scan NMAP Top 20
- Internal Horizontal Port Scan
- Internal Vertical Port Scan
- O365 Concurrent Sessions From Different Ips
- Prohibited Network Traffic Allowed
- Protocol or Port Mismatch
- Protocols passing authentication in cleartext
- TOR Traffic
- Windows Sensitive Registry Hive Dump Via CommandLine
Other Updates
- Added lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools
- Updated lookups cisco_secure_firewall_filetype_lookup and cisco_snort_ids_to_threat_mapping
- No detections have been removed in the ESCU v5.7.0 release. As previously communicated in the ESCU v5.6.0 release, several detections will be removed in ESCU v5.8.0. For details on detections scheduled for removal in ESCU version v5.8.0, see the List of Detections Scheduled for Removal in ESCU v5.8.0.