Built-in detection rules changelog

Sekoia.io provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.

This page relates the changes that Sekoia.io made to these rules over time.

Changelog last update on 2024-04-24

Changelog

Microsoft 365 Email Forwarding To Consumer Email Address

  • 22/04/2024 - minor - Add zohomail.com

Entra ID Password Compromised By Known Credential Testing Tool

  • 16/04/2024 - minor - Add more correlation IDs and error code 50052

Discovery Commands Correlation

  • 16/04/2024 - minor - Adding new elements to increase detection.

Suspicious Email Attachment Received

  • 15/04/2024 - minor - Update email from field to latest parser format

OneNote Suspicious Children Process

  • 15/04/2024 - minor - Changing effort level and adding new filters to reduce false positives.

Process Memory Dump Using Comsvcs

  • 10/04/2024 - minor - Rule description was changed due to some mistakes

Anomaly Kerberos User Enumeration

  • 09/04/2024 - major - change field on aggregation

Anomaly Secret Store Access

  • 08/04/2024 - minor - change field name on query

Anomaly Possible Sysvol Dump

  • 08/04/2024 - minor - change field name on query

Smss Wrong Parent

  • 05/04/2024 - major - Added filter to reduce false positives

Alternate PowerShell Hosts Pipe

  • 04/04/2024 - major - Rule's pattern field changed

TUN/TAP Driver Installation

  • 04/04/2024 - major - Rule's pattern field changed

User Account Deleted

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious LDAP-Attributes Used

  • 04/04/2024 - major - Rule's pattern field changed

Secure Deletion With SDelete

  • 04/04/2024 - major - Rule's pattern field changed

Account Tampering - Suspicious Failed Logon Reasons

  • 04/04/2024 - major - Rule's pattern field changed

MSBuild Abuse

  • 04/04/2024 - major - Rule's pattern field changed

User Added to Local Administrators

  • 04/04/2024 - major - Rule's pattern field changed

DHCP Server Error Failed Loading the CallOut DLL

  • 04/04/2024 - major - Rule's pattern field changed

SCM Database Handle Failure

  • 04/04/2024 - major - Rule's pattern field changed

Failed Logon Source From Public IP Addresses

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious PsExec Execution

  • 04/04/2024 - major - Rule's pattern field changed

SAM Registry Hive Handle Request

  • 04/04/2024 - major - Rule's pattern field changed

RDP Login From Localhost

  • 04/04/2024 - major - Rule's pattern field changed

Remote Registry Management Using Reg Utility

  • 04/04/2024 - major - Rule's pattern field changed

SysKey Registry Keys Access

  • 04/04/2024 - major - Rule's pattern field changed

DHCP Server Loaded the CallOut DLL

  • 04/04/2024 - major - Rule's pattern field changed

Remote Service Activity Via SVCCTL Named Pipe

  • 04/04/2024 - major - Rule's pattern field changed

Microsoft Malware Protection Engine Crash

  • 04/04/2024 - major - Rule's pattern field changed

SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory

  • 04/04/2024 - major - Rule's pattern field changed

Successful Brute Force Login From Internet

  • 04/04/2024 - major - Rule's pattern field changed

Suspect Svchost Memory Access

  • 04/04/2024 - major - Rule's pattern field changed

Webshell Creation

  • 04/04/2024 - major - Rule's pattern field changed

CVE-2019-0708 Scan

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious SAM Dump

  • 04/04/2024 - major - Rule's pattern field changed

Powershell Winlogon Helper DLL

  • 04/04/2024 - major - Rule's pattern field changed

DPAPI Domain Backup Key Extraction

  • 04/04/2024 - major - Rule's pattern field changed

WMI Event Subscription

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious Outbound Kerberos Connection

  • 04/04/2024 - major - Rule's pattern field changed

DNS Server Error Failed Loading The ServerLevelPluginDLL

  • 04/04/2024 - major - Rule's pattern field changed

User Account Created

  • 04/04/2024 - major - Rule's pattern field changed

Remote Privileged Group Enumeration

  • 04/04/2024 - major - Rule's pattern field changed

External Disk Drive Or USB Storage Device

  • 04/04/2024 - major - Rule's pattern field changed

User Couldn't Call A Privileged Service LsaRegisterLogonProcess

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious Access To Sensitive File Extensions

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious Hostname

  • 04/04/2024 - major - Rule's pattern field changed

Suspicious Windows ANONYMOUS LOGON Local Account Created

  • 04/04/2024 - major - Rule's pattern field changed

Credential Dumping By LaZagne

  • 04/04/2024 - major - Rule's pattern field changed

Netskope DLP Alert

  • 28/03/2024 - minor - Rule effort was updated to master

Netskope Alert

  • 28/03/2024 - minor - Rule effort was updated to master

Netskope Admin Audit

  • 28/03/2024 - minor - Rule effort was updated to master

WAF Correlation Block actions

  • 28/03/2024 - minor - Rule effort was updated to master

Cloudflare WAF Correlation Alerts

  • 28/03/2024 - minor - Rule effort was updated to master

WAF Correlation Block Multiple Destinations

  • 28/03/2024 - minor - Rule effort was updated to master

PsExec Process

  • 26/03/2024 - major - Rule's pattern field changed

Malicious Service Installations

  • 26/03/2024 - major - Rule's pattern field changed

Active Directory Replication User Backdoor

  • 26/03/2024 - major - Rule's pattern field changed

Potential RDP Connection To Non-Domain Host

  • 26/03/2024 - major - Rule's pattern field changed

Password Change On Directory Service Restore Mode (DSRM) Account

  • 26/03/2024 - major - Rule's pattern field changed

Process Hollowing Detection

  • 26/03/2024 - major - Rule's pattern field changed

Detection of default Mimikatz banner

  • 26/03/2024 - major - Rule's pattern field changed

Denied Access To Remote Desktop

  • 26/03/2024 - major - Rule's pattern field changed

Eventlog Cleared

  • 26/03/2024 - major - Rule's pattern field changed

Creation or Modification of a GPO Scheduled Task

  • 26/03/2024 - major - Rule's pattern field changed

Process Herpaderping

  • 26/03/2024 - major - Rule's pattern field changed

Microsoft Defender Antivirus Configuration Changed

  • 26/03/2024 - major - Rule's pattern field changed

Dynwrapx Module Loading

  • 26/03/2024 - major - Rule's pattern field changed

AD User Enumeration

  • 26/03/2024 - major - Rule's pattern field changed

Chafer (APT 39) Activity

  • 26/03/2024 - major - Rule's pattern field changed

Domain Trust Created Or Removed

  • 26/03/2024 - major - Rule's pattern field changed

Antivirus Relevant File Paths Alerts

  • 26/03/2024 - major - Rule's pattern field changed

DCSync Attack

  • 26/03/2024 - major - Rule's pattern field changed

Possible Replay Attack

  • 26/03/2024 - major - Rule's pattern field changed

Python Opening Ports

  • 26/03/2024 - major - Rule's pattern field changed

NetNTLM Downgrade Attack

  • 26/03/2024 - major - Rule's pattern field changed

Account Removed From A Security Enabled Group

  • 26/03/2024 - major - Rule's pattern field changed

Mimikatz LSASS Memory Access

  • 26/03/2024 - major - Rule's pattern field changed

Admin User RDP Remote Logon

  • 26/03/2024 - major - Rule's pattern field changed

Microsoft Defender Antivirus Threat Detected

  • 26/03/2024 - major - Rule's pattern field changed

Microsoft Defender Antivirus History Deleted

  • 26/03/2024 - major - Rule's pattern field changed

Privileged AD Builtin Group Modified

  • 26/03/2024 - major - Rule's pattern field changed

Computer Account Deleted

  • 26/03/2024 - major - Rule's pattern field changed

Account Added To A Security Enabled Group

  • 26/03/2024 - major - Rule's pattern field changed

StoneDrill Service Install

  • 26/03/2024 - major - Rule's pattern field changed

Password Dumper Activity On LSASS

  • 26/03/2024 - major - Rule's pattern field changed

Protected Storage Service Access

  • 26/03/2024 - major - Rule's pattern field changed

Microsoft Defender Antivirus Exclusion Configuration

  • 26/03/2024 - major - Rule's pattern field changed

APT29 Fake Google Update Service Install

  • 26/03/2024 - major - Rule's pattern field changed

Active Directory Replication from Non Machine Account

  • 26/03/2024 - major - Rule's pattern field changed

Successful Overpass The Hash Attempt

  • 26/03/2024 - major - Rule's pattern field changed

Admin Share Access

  • 26/03/2024 - major - Rule's pattern field changed

Legitimate Process Execution From Unusual Folder

  • 26/03/2024 - major - Rule's pattern field changed

LSASS Memory Dump

  • 26/03/2024 - major - Rule's pattern field changed

Cobalt Strike Default Service Creation Usage

  • 26/03/2024 - major - Rule's pattern field changed

DC Shadow via Service Principal Name (SPN) creation

  • 26/03/2024 - major - Rule's pattern field changed

Smbexec.py Service Installation

  • 26/03/2024 - major - Rule's pattern field changed

Backup Catalog Deleted

  • 26/03/2024 - major - Rule's pattern field changed

AD Privileged Users Or Groups Reconnaissance

  • 26/03/2024 - major - Rule's pattern field changed

LSASS Access From Non System Account

  • 26/03/2024 - major - Rule's pattern field changed

Active Directory Delegate To KRBTGT Service

  • 26/03/2024 - major - Rule's pattern field changed

PowerView commandlets 2

  • 26/03/2024 - major - Rule's pattern field changed

Possible RottenPotato Attack

  • 26/03/2024 - major - Rule's pattern field changed

Malware Outbreak

  • 26/03/2024 - major - Rule's pattern field changed

Putty Sessions Listing

  • 26/03/2024 - major - Rule's pattern field changed

Active Directory Database Dump Via Ntdsutil

  • 26/03/2024 - major - Rule's pattern field changed

Active Directory User Backdoors

  • 26/03/2024 - major - Rule's pattern field changed

Bloodhound and Sharphound Tools Usage

  • 26/03/2024 - minor - Adapted the rule to remove false positives.

WMImplant Hack Tool

  • 26/03/2024 - major - Rule's pattern field changed

Lateral Movement - Remote Named Pipe

  • 26/03/2024 - major - Rule's pattern field changed

Microsoft Defender Antivirus Tampering Detected

  • 26/03/2024 - major - Rule's pattern field changed

Impacket Secretsdump.py Tool

  • 26/03/2024 - major - Rule's pattern field changed

CVE-2017-11882 Microsoft Office Equation Editor Vulnerability

  • 26/03/2024 - major - Rule's pattern field changed

Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address

  • 22/03/2024 - major - More precise list of error codes for success and failure to reduce false positives.

Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address

  • 22/03/2024 - major - More precise list of error codes to reduce false positives.

Impacket Wmiexec Module

  • 22/03/2024 - minor - improve filter to extend detection

Remote Task Creation Via ATSVC Named Pipe

  • 21/03/2024 - minor - change filter to ACL hex value

Winrshost Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Wininit Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Lsass Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Wsmprovhost Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Taskhostw Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Winword wrong parent

  • 19/03/2024 - major - Added filter to reduce false positives

Svchost Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Wmiprvse Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Winlogon wrong parent

  • 19/03/2024 - major - Added filter to reduce false positives

Logonui Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Explorer Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Searchindexer Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Spoolsv Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Gpscript Suspicious Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Dllhost Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Userinit Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Taskhost Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Csrss Wrong Parent

  • 19/03/2024 - major - Added filter to reduce false positives

Microsoft 365 Suspicious Inbox Rule

  • 13/03/2024 - minor - Add another suspicious folder.

Searchprotocolhost Wrong Parent

  • 12/03/2024 - minor - Added filter to reduce false positives

Listing Systemd Environment

  • 06/03/2024 - minor - Effort level was adapted according to the observed hits for the rule

Exfiltration Domain

  • 29/02/2024 - minor - enforce detection by adding tag

WMIC Command To Determine The Antivirus

  • 28/02/2024 - minor - Adding a new usage of wmic.

Non-Legitimate Executable Using AcceptEula Parameter

  • 19/02/2024 - minor - Update filter and effort level according to the observed hits for the rule.

Outlook Registry Access

  • 19/02/2024 - minor - Effort level was adapted according to the observed hits for the rule

CVE-2021-21985 VMware vCenter

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Okta Phishing Detection with FastPass Origin Check

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

AWS CloudTrail GuardDuty Detector Deleted

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Microsoft Defender for Office 365 Medium Severity AIR Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

AWS GuardDuty Medium Severity Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Microsoft Defender for Office 365 High Severity AIR Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Okta MFA Disabled

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

AWS CloudTrail GuardDuty Detector Suspended

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

AWS GuardDuty High Severity Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Sekoia.io EICAR Detection

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Netsh Port Forwarding

  • 15/02/2024 - minor - Added filter to reduce false positives

Microsoft Defender Antivirus Disabled Base64 Encoded

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

MS Office Product Spawning Exe in User Dir

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

NlTest Usage

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Intrusion Detection Informational Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

HarfangLab EDR Hlai Engine Detection

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Login Failed Brute-Force On SentinelOne EDR Management Console

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Threat Mitigation Report Remediate Success

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Intrusion Detection Medium Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR SSO User Added

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

WithSecure Elements Critical Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

HarfangLab EDR Process Execution Blocked (HL-AI engine)

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Threat Mitigation Report Quarantine Failed

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Identity Protection Detection High Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Intrusion Detection

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Intrusion Detection Critical Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Custom Rule Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Cybereason EDR Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Threat Mitigation Report Kill Success

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Intrusion Detection Low Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Identity Protection Detection Informational Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Login Brute-Force Successful On SentinelOne EDR Management Console

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Malicious Threat Not Mitigated

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Identity Protection Detection Critical Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Cybereason EDR Malware Detection

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Identity Protection Detection Medium Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Intrusion Detection High Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Threat Detected (Malicious)

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Trend Micro Apex One Malware Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

CrowdStrike Falcon Identity Protection Detection Low Severity

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Trend Micro Apex One Data Loss Prevention Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Threat Mitigation Report Quarantine Success

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

SentinelOne EDR Threat Detected (Suspicious)

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

Trend Micro Apex One Intrusion Detection Alert

  • 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.

WMIC Uninstall Product

  • 13/02/2024 - minor - Exclude non-Windows operating systems (false positives)

High Privileges Network Share Removal

  • 02/02/2024 - major - changing current pattern and adding another one

Inhibit System Recovery Deleting Backups

  • 31/01/2024 - minor - Improve selection filter

Microsoft Office Product Spawning Windows Shell

  • 23/01/2024 - minor - Adding elements to increase detection and filters to reduce false positives.

PowerShell Malicious PowerShell Commandlets

  • 23/01/2024 - minor - Adding exclusion pattern and selection commandlet

Suspicious Process Requiring DLL Starts Without DLL

  • 22/01/2024 - minor - Added filter to reduce false positives

Suspicious CodePage Switch with CHCP

  • 16/01/2024 - minor - Rename rule to fit its behavior

Usage Of Procdump With Common Arguments

  • 15/01/2024 - minor - Added filter to reduce false positives.

Windows Registry Persistence COM Search Order Hijacking

  • 11/01/2024 - minor - Adding filtering for some FPs

Grabbing Sensitive Hives Via Reg Utility

  • 02/01/2024 - minor - Rule was improved to have broader detection and filters were added.

Suspicious Driver Loaded

  • 02/01/2024 - minor - improve selection to avoid FP

SolarWinds Wrong Child Process

  • 22/12/2023 - minor - Adding a child process name to the filter list to avoid some FPs

Windows Registry Persistence COM Key Linking

  • 14/12/2023 - minor - Exclude common legitimate processes

Linux Binary Masquerading

  • 12/12/2023 - minor - extend regex to match more cases

BITSAdmin Download

  • 06/12/2023 - minor - Adding key words to increase detection.

Microsoft 365 Sign-in With No User Agent

  • 04/12/2023 - major - Added Login:login request type with a filter for codes indicating failure

HTA Infection Chains

  • 30/11/2023 - minor - Update pattern with new lolbin

PowerShell Download From URL

  • 29/11/2023 - minor - Added a filter to the rule as some false positives were observed.

Netsh Program Allowed With Suspicious Location

  • 29/11/2023 - minor - Update regex pattern to be case-insensitive

NjRat Registry Changes

  • 29/11/2023 - minor - Update regex pattern to be case-insensitive

Suspicious Regsvr32 Execution

  • 23/11/2023 - major - Extended detection and added filter

TOR Usage Generic Rule

  • 22/11/2023 - minor - Adding filter to improve rule.

AD Object WriteDAC Access

  • 21/11/2023 - minor - Rule's effort level has been changed to advanced as legitimate administrator actions can trigger the rule.

Suspicious Double Extension

  • 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.

WiFi Credentials Harvesting Using Netsh

  • 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was highly dependent on the environment.

PowerShell Credential Prompt

  • 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.

WAF Block Rule

  • 15/11/2023 - minor - Adding support for Ubika

AWS CloudTrail Remove Flow logs

  • 15/11/2023 - minor - Changing effort level.

Cobalt Strike Default Beacons Names

  • 08/11/2023 - minor - Added filter to reduce false positives

ETW Tampering

  • 08/11/2023 - minor - Added filter to reduce false positives

NTDS.dit File Interaction Through Command Line

  • 08/11/2023 - minor - Added filter to reduce false positives

CMSTP Execution

  • 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity.

Suspicious Windows Script Execution

  • 19/10/2023 - major - Review of the rule to reduce false positives.

Domain Trust Discovery Through LDAP

  • 19/10/2023 - minor - improve filter to reduce false positives

Transfering Files With Credential Data Via Network Shares

  • 17/10/2023 - minor - Improve selection to reduce false positives

AdFind Usage

  • 12/10/2023 - minor - Slight change to a condition in order to reduce false positives.

Microsoft 365 (Office 365) Mass Download By A Single User

  • 09/10/2023 - major - Fix field names to match the current parser.

Microsoft 365 (Office 365) Potential Ransomware Activity Detected

  • 09/10/2023 - major - Fix field names to match the current parser.

Microsoft 365 (Office 365) Unusual Volume Of File Deletion

  • 09/10/2023 - major - Fix field names to match the current parser.

Login Brute-Force Successful

  • 06/10/2023 - minor - renaming and tuning filters to limit false positives

Suspicious Regasm Regsvcs Usage

  • 27/09/2023 - major - Rule creation

Suspicious Rundll32.exe Execution

  • 21/09/2023 - minor - Extend to some usage without dll filename

UAC Bypass via Event Viewer

  • 21/09/2023 - minor - Improve filter to reduce false positives

Opening Of a Password File

  • 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation

Suspicious Network Args In Command Line

  • 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives.

Okta User Logged In Multiple Applications

  • 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps

Potential LokiBot User-Agent

  • 04/08/2023 - minor - Added a condition to only match on internal IP as source

Suspicious Windows DNS Queries

  • 02/08/2023 - minor - Added a new field and filters to reduce false positives.

Wmic Process Call Creation

  • 01/08/2023 - major - Rewritten as a regex to reduce false positives

Potential DNS Tunnel

  • 19/07/2023 - major - New regex pattern and new filters.

Correlation Potential DNS Tunnel

  • 19/07/2023 - major - New regex pattern and new filters.

Rclone Process

  • 28/06/2023 - minor - Added filter to the rule to reduce false positives.

HackTools Suspicious Process Names In Command Line

  • 19/06/2023 - minor - Added filter to the rule to reduce false positives.

Msdt (Follina) File Browse Process Execution

  • 19/06/2023 - minor - Added filter to the rule to reduce false positives.

Socat Relaying Socket

  • 14/06/2023 - minor - Added filter to the rule to reduce false positives.

Socat Reverse Shell Detection

  • 14/06/2023 - minor - Added filter to the rule to reduce false positives.

Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL

  • 13/06/2023 - minor - Adding private IPs as sources

Suspicious Cmd.exe Command Line

  • 30/05/2023 - minor - Adding the Intellij IDEA to filter list

Suspicious PowerShell Invocations - Specific

  • 26/05/2023 - minor - Added a filter to the rule as some false positives were observed.

Internet Scanner Target

  • 28/04/2023 - minor - Support for standard ECS FW fields

Internet Scanner

  • 28/04/2023 - minor - Support for standard ECS FW fields

Audio Capture via PowerShell

  • 18/04/2023 - minor - Use more specific patterns to fix false positives.

Mimikatz Basic Commands

  • 06/04/2023 - minor - Added a filter to the rule as many false positives were observed.

Suspicious PowerShell Invocations - Generic

  • 28/03/2023 - minor - Excluded some commonly observed false positives.

Adexplorer Usage

  • 27/03/2023 - minor - Modify pattern to avoid false positives and detect usage of either the / or the - character for the snapshot parameter

Windows Update LolBins

  • 24/03/2023 - minor - The legitimate DLL UpdateDeploymentProvider.dll is now excluded from the rule as it triggered several false positives.

SentinelOne EDR User Logged In To The Management Console

  • 24/03/2023 - minor - Adjusting displayed columns when the rule triggers an alert. Now timestamp and username will be displayed.

Login Brute-Force Successful On AzureAD From Single IP Address

  • 23/03/2023 - minor - The error code 50076 has been excluded as it is not a specific error code related to a login failure that we want to detect and caused several false positives.

ISO LNK Infection Chain

  • 13/03/2023 - minor - Extended the list of suspicious process names being spawned from explorer.exe

Suspicious certutil command

  • 15/02/2023 - minor - "encode" and "decode" were removed as they caused too many false positives while not being the main usage of the certutil command by attackers.

OneNote Embedded File

  • 09/02/2023 - minor - Adding other suspicious file extensions (.cmd, .img, .iso, .msi, .vhd, .vhdx) for files opened from a OneNote document.

Write To File In Systemd

  • 04/01/2023 - minor - Added filter to reduce false positives.