We released new analytic stories and detections to enhance monitoring and security across GitHub, O365, and SQL Server environments. Here's a summary of the latest updates:

• GitHub Malicious Activity: A new analytic story focused on detecting potential security risks and policy violations in GitHub Enterprise and GitHub Organizations. This includes detections for disabling 2FA requirements, modifying or pausing audit log event streams, deleting repositories, disabling security features like Dependabot and branch protection rules, and registering unauthorized self-hosted runners—helping organizations prevent unauthorized changes and account takeovers.

• O365 Email Threat Monitoring: Expanded coverage for malicious email activity in O365 environments. New detections focus on identifying inbox rule modifications, excessive email deletions, suspicious exfiltration behavior, and attempts to compromise payroll or password information. These detections help security teams track and mitigate email-based attacks, account takeovers, and data exfiltration tactics.

• SQL Server Abuse: Introduced a new analytic story targeting SQL Server exploitation tactics. These detections cover malicious SQLCMD execution, abuse of xp_cmdshell, unauthorized configuration changes, and the loading of potentially dangerous extended procedures. This enhanced monitoring helps organizations detect lateral movement and privilege escalation attempts in Windows-based SQL environments.

• We have also mapped several of our existing detections to the Black Basta Ransomware, SnappyBee and SystemBC malware families as they continue to make headlines targeting various organizations.

• As announced in ESCU v5.0.0 release, we are removing old and dated content from the app starting with ESCU v5.2.0, which includes several removal of detections in this release to improve quality of detections. Along with the deprecation assistant that is shipped in the application, you can also refer to this list of removed detections and replacement on Splunk docs.

These additions strengthen security teams' ability to detect and respond to emerging threats across critical enterprise platforms.

1. Black Basta Ransomware
2. China-Nexus Threat Activity
3. GitHub Malicious Activity
4. SQL Server Abuse
5. SnappyBee
6. SystemBC

1. Executables Or Script Creation In Temp Path
2. GitHub Enterprise Delete Branch Ruleset
3. GitHub Enterprise Disable 2FA Requirement
4. GitHub Enterprise Disable Audit Log Event Stream
5. GitHub Enterprise Disable Classic Branch Protection Rule
6. GitHub Enterprise Disable Dependabot
7. GitHub Enterprise Disable IP Allow List
8. GitHub Enterprise Modify Audit Log Event Stream
9. GitHub Enterprise Pause Audit Log Event Stream
10. GitHub Enterprise Register Self Hosted Runner
11. GitHub Enterprise Remove Organization
12. GitHub Enterprise Repository Archived
13. GitHub Enterprise Repository Deleted
14. GitHub Organizations Delete Branch Ruleset
15. GitHub Organizations Disable 2FA Requirement
16. GitHub Organizations Disable Classic Branch Protection Rule
17. GitHub Organizations Disable Dependabot
18. GitHub Organizations Repository Archived
19. GitHub Organizations Repository Deleted
20. O365 BEC Email Hiding Rule Created (External Contributor: @0xC0FFEEEE)
21. O365 Email Hard Delete Excessive Volume (External Contributor: @nterl0k)
22. O365 Email New Inbox Rule Created (External Contributor: @nterl0k)
23. O365 Email Password and Payroll Compromise Behavior
24. O365 Email Receive and Hard Delete Takeover Behavior
25. O365 Email Send Attachments Excessive Volume
26. O365 Email Send and Hard Delete Exfiltration Behavior
27. O365 Email Send and Hard Delete Suspicious Behavior
28. O365 Email Suspicious Search Behavior
29. Windows Anonymous Pipe Activity
30. Windows PowerShell Invoke-Sqlcmd Execution
31. Windows Process Execution From ProgramData
32. Windows SQL Server Configuration Option Hunt
33. Windows SQL Server Critical Procedures Enabled
34. Windows SQL Server Extended Procedure DLL Loading Hunt
35. Windows SQL Server Startup Procedure
36. Windows SQL Server xp_cmdshell Config Change
37. Windows SQLCMD Execution
38. Windows Scheduled Task with Suspicious Command
39. Windows Scheduled Task with Suspicious Name
40. Windows SnappyBee Create Test Registry
41. Windows Sqlservr Spawning Shell
42. Windows Svchost.exe Parent Process Anomaly
43. Windows Unusual SysWOW64 Process Run System32 Executable

The following is a list of removed detections and its potential replacements, where available.

1. AWS SAML Access by Provider User and Principal
2. GitHub Actions Disable Security Workflow
3. aws detect permanent key creation
4. Github Commit In Develop
5. Suspicious Driver Loaded Path
6. Known Services Killed by Ransomware
7. Github Commit Changes In Master
8. GitHub Pull Request from Unknown User
9. Suspicious Event Log Service Behavior
10. Suspicious Process File Path
11. aws detect attach to role policy
12. GitHub Dependabot Alert
13. aws detect sts get session token abuse
14. aws detect role creation
15. aws detect sts assume role abuse
16. AWS Cross Account Activity From Previously Unseen Account
17. Remote Desktop Network Bruteforce

Updated search outputs for all AWS and Azure AD detections