Built-in detection rules changelog
Sekoia.io provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
This page lists the changes that Sekoia.io made to these rules over time.
Changelog last updated on 2024-04-24
Changelog
Microsoft 365 Email Forwarding To Consumer Email Address
- 22/04/2024 - minor - Add zohomail.com
Entra ID Password Compromised By Known Credential Testing Tool
- 16/04/2024 - minor - Add more correlation IDs and error code 50052
Discovery Commands Correlation
- 16/04/2024 - minor - Adding new elements to increase detection.
Suspicious Email Attachment Received
- 15/04/2024 - minor - Update email from field to latest parser format
OneNote Suspicious Children Process
- 15/04/2024 - minor - Changing effort level and adding new filters to reduce false positives.
Process Memory Dump Using Comsvcs
- 10/04/2024 - minor - Rule description was changed to correct some mistakes
Anomaly Kerberos User Enumeration
- 09/04/2024 - major - change field on aggregation
Anomaly Secret Store Access
- 08/04/2024 - minor - change field name on query
Anomaly Possible Sysvol Dump
- 08/04/2024 - minor - change field name on query
Smss Wrong Parent
- 05/04/2024 - major - Added filter to reduce false positives
Alternate PowerShell Hosts Pipe
- 04/04/2024 - major - Rule's pattern field changed
TUN/TAP Driver Installation
- 04/04/2024 - major - Rule's pattern field changed
User Account Deleted
- 04/04/2024 - major - Rule's pattern field changed
Suspicious LDAP-Attributes Used
- 04/04/2024 - major - Rule's pattern field changed
Secure Deletion With SDelete
- 04/04/2024 - major - Rule's pattern field changed
Account Tampering - Suspicious Failed Logon Reasons
- 04/04/2024 - major - Rule's pattern field changed
MSBuild Abuse
- 04/04/2024 - major - Rule's pattern field changed
User Added to Local Administrators
- 04/04/2024 - major - Rule's pattern field changed
DHCP Server Error Failed Loading the CallOut DLL
- 04/04/2024 - major - Rule's pattern field changed
SCM Database Handle Failure
- 04/04/2024 - major - Rule's pattern field changed
Failed Logon Source From Public IP Addresses
- 04/04/2024 - major - Rule's pattern field changed
Suspicious PsExec Execution
- 04/04/2024 - major - Rule's pattern field changed
SAM Registry Hive Handle Request
- 04/04/2024 - major - Rule's pattern field changed
RDP Login From Localhost
- 04/04/2024 - major - Rule's pattern field changed
Remote Registry Management Using Reg Utility
- 04/04/2024 - major - Rule's pattern field changed
SysKey Registry Keys Access
- 04/04/2024 - major - Rule's pattern field changed
DHCP Server Loaded the CallOut DLL
- 04/04/2024 - major - Rule's pattern field changed
Remote Service Activity Via SVCCTL Named Pipe
- 04/04/2024 - major - Rule's pattern field changed
Microsoft Malware Protection Engine Crash
- 04/04/2024 - major - Rule's pattern field changed
SeEnableDelegationPrivilege Granted To User Or Machine In Active Directory
- 04/04/2024 - major - Rule's pattern field changed
Successful Brute Force Login From Internet
- 04/04/2024 - major - Rule's pattern field changed
Suspect Svchost Memory Access
- 04/04/2024 - major - Rule's pattern field changed
Webshell Creation
- 04/04/2024 - major - Rule's pattern field changed
CVE-2019-0708 Scan
- 04/04/2024 - major - Rule's pattern field changed
Suspicious SAM Dump
- 04/04/2024 - major - Rule's pattern field changed
Powershell Winlogon Helper DLL
- 04/04/2024 - major - Rule's pattern field changed
DPAPI Domain Backup Key Extraction
- 04/04/2024 - major - Rule's pattern field changed
WMI Event Subscription
- 04/04/2024 - major - Rule's pattern field changed
Suspicious Outbound Kerberos Connection
- 04/04/2024 - major - Rule's pattern field changed
DNS Server Error Failed Loading The ServerLevelPluginDLL
- 04/04/2024 - major - Rule's pattern field changed
User Account Created
- 04/04/2024 - major - Rule's pattern field changed
Remote Privileged Group Enumeration
- 04/04/2024 - major - Rule's pattern field changed
External Disk Drive Or USB Storage Device
- 04/04/2024 - major - Rule's pattern field changed
User Couldn't Call A Privileged Service LsaRegisterLogonProcess
- 04/04/2024 - major - Rule's pattern field changed
Suspicious Access To Sensitive File Extensions
- 04/04/2024 - major - Rule's pattern field changed
Suspicious Hostname
- 04/04/2024 - major - Rule's pattern field changed
Suspicious Windows ANONYMOUS LOGON Local Account Created
- 04/04/2024 - major - Rule's pattern field changed
Credential Dumping By LaZagne
- 04/04/2024 - major - Rule's pattern field changed
Netskope DLP Alert
- 28/03/2024 - minor - Rule effort was updated to master
Netskope Alert
- 28/03/2024 - minor - Rule effort was updated to master
Netskope Admin Audit
- 28/03/2024 - minor - Rule effort was updated to master
WAF Correlation Block actions
- 28/03/2024 - minor - Rule effort was updated to master
Cloudflare WAF Correlation Alerts
- 28/03/2024 - minor - Rule effort was updated to master
WAF Correlation Block Multiple Destinations
- 28/03/2024 - minor - Rule effort was updated to master
PsExec Process
- 26/03/2024 - major - Rule's pattern field changed
Malicious Service Installations
- 26/03/2024 - major - Rule's pattern field changed
Active Directory Replication User Backdoor
- 26/03/2024 - major - Rule's pattern field changed
Potential RDP Connection To Non-Domain Host
- 26/03/2024 - major - Rule's pattern field changed
Password Change On Directory Service Restore Mode (DSRM) Account
- 26/03/2024 - major - Rule's pattern field changed
Process Hollowing Detection
- 26/03/2024 - major - Rule's pattern field changed
Detection of default Mimikatz banner
- 26/03/2024 - major - Rule's pattern field changed
Denied Access To Remote Desktop
- 26/03/2024 - major - Rule's pattern field changed
Eventlog Cleared
- 26/03/2024 - major - Rule's pattern field changed
Creation or Modification of a GPO Scheduled Task
- 26/03/2024 - major - Rule's pattern field changed
Process Herpaderping
- 26/03/2024 - major - Rule's pattern field changed
Microsoft Defender Antivirus Configuration Changed
- 26/03/2024 - major - Rule's pattern field changed
Dynwrapx Module Loading
- 26/03/2024 - major - Rule's pattern field changed
AD User Enumeration
- 26/03/2024 - major - Rule's pattern field changed
Chafer (APT 39) Activity
- 26/03/2024 - major - Rule's pattern field changed
Domain Trust Created Or Removed
- 26/03/2024 - major - Rule's pattern field changed
Antivirus Relevant File Paths Alerts
- 26/03/2024 - major - Rule's pattern field changed
DCSync Attack
- 26/03/2024 - major - Rule's pattern field changed
Possible Replay Attack
- 26/03/2024 - major - Rule's pattern field changed
Python Opening Ports
- 26/03/2024 - major - Rule's pattern field changed
NetNTLM Downgrade Attack
- 26/03/2024 - major - Rule's pattern field changed
Account Removed From A Security Enabled Group
- 26/03/2024 - major - Rule's pattern field changed
Mimikatz LSASS Memory Access
- 26/03/2024 - major - Rule's pattern field changed
Admin User RDP Remote Logon
- 26/03/2024 - major - Rule's pattern field changed
Microsoft Defender Antivirus Threat Detected
- 26/03/2024 - major - Rule's pattern field changed
Microsoft Defender Antivirus History Deleted
- 26/03/2024 - major - Rule's pattern field changed
Privileged AD Builtin Group Modified
- 26/03/2024 - major - Rule's pattern field changed
Computer Account Deleted
- 26/03/2024 - major - Rule's pattern field changed
Account Added To A Security Enabled Group
- 26/03/2024 - major - Rule's pattern field changed
StoneDrill Service Install
- 26/03/2024 - major - Rule's pattern field changed
Password Dumper Activity On LSASS
- 26/03/2024 - major - Rule's pattern field changed
Protected Storage Service Access
- 26/03/2024 - major - Rule's pattern field changed
Microsoft Defender Antivirus Exclusion Configuration
- 26/03/2024 - major - Rule's pattern field changed
APT29 Fake Google Update Service Install
- 26/03/2024 - major - Rule's pattern field changed
Active Directory Replication from Non Machine Account
- 26/03/2024 - major - Rule's pattern field changed
Successful Overpass The Hash Attempt
- 26/03/2024 - major - Rule's pattern field changed
Admin Share Access
- 26/03/2024 - major - Rule's pattern field changed
Legitimate Process Execution From Unusual Folder
- 26/03/2024 - major - Rule's pattern field changed
LSASS Memory Dump
- 26/03/2024 - major - Rule's pattern field changed
Cobalt Strike Default Service Creation Usage
- 26/03/2024 - major - Rule's pattern field changed
DC Shadow via Service Principal Name (SPN) creation
- 26/03/2024 - major - Rule's pattern field changed
Smbexec.py Service Installation
- 26/03/2024 - major - Rule's pattern field changed
Backup Catalog Deleted
- 26/03/2024 - major - Rule's pattern field changed
AD Privileged Users Or Groups Reconnaissance
- 26/03/2024 - major - Rule's pattern field changed
LSASS Access From Non System Account
- 26/03/2024 - major - Rule's pattern field changed
Active Directory Delegate To KRBTGT Service
- 26/03/2024 - major - Rule's pattern field changed
PowerView commandlets 2
- 26/03/2024 - major - Rule's pattern field changed
Possible RottenPotato Attack
- 26/03/2024 - major - Rule's pattern field changed
Malware Outbreak
- 26/03/2024 - major - Rule's pattern field changed
Putty Sessions Listing
- 26/03/2024 - major - Rule's pattern field changed
Active Directory Database Dump Via Ntdsutil
- 26/03/2024 - major - Rule's pattern field changed
Active Directory User Backdoors
- 26/03/2024 - major - Rule's pattern field changed
Bloodhound and Sharphound Tools Usage
- 26/03/2024 - minor - Adapted the rule to remove false positives.
WMImplant Hack Tool
- 26/03/2024 - major - Rule's pattern field changed
Lateral Movement - Remote Named Pipe
- 26/03/2024 - major - Rule's pattern field changed
Microsoft Defender Antivirus Tampering Detected
- 26/03/2024 - major - Rule's pattern field changed
Impacket Secretsdump.py Tool
- 26/03/2024 - major - Rule's pattern field changed
CVE-2017-11882 Microsoft Office Equation Editor Vulnerability
- 26/03/2024 - major - Rule's pattern field changed
Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address
- 22/03/2024 - major - More precise list of error codes for success and failure to reduce false positives.
Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address
- 22/03/2024 - major - More precise list of error codes to reduce false positives.
Impacket Wmiexec Module
- 22/03/2024 - minor - Improve filter to extend detection
Remote Task Creation Via ATSVC Named Pipe
- 21/03/2024 - minor - change filter to ACL hex value
Winrshost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Wininit Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Lsass Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Wsmprovhost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Taskhostw Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Winword wrong parent
- 19/03/2024 - major - Added filter to reduce false positives
Svchost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Wmiprvse Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Winlogon wrong parent
- 19/03/2024 - major - Added filter to reduce false positives
Logonui Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Explorer Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Searchindexer Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Spoolsv Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Gpscript Suspicious Parent
- 19/03/2024 - major - Added filter to reduce false positives
Dllhost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Userinit Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Taskhost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Csrss Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
Microsoft 365 Suspicious Inbox Rule
- 13/03/2024 - minor - Add another suspicious folder.
Searchprotocolhost Wrong Parent
- 12/03/2024 - minor - Added filter to reduce false positives
Listing Systemd Environment
- 06/03/2024 - minor - Effort level was adapted according to the observed hits for the rule
Exfiltration Domain
- 29/02/2024 - minor - enforce detection by adding tag
WMIC Command To Determine The Antivirus
- 28/02/2024 - minor - Adding a new usage of wmic.
Non-Legitimate Executable Using AcceptEula Parameter
- 19/02/2024 - minor - Update filter and effort level according to the observed hits for the rule.
Outlook Registry Access
- 19/02/2024 - minor - Effort level was adapted according to the observed hits for the rule
CVE-2021-21985 VMware vCenter
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Okta Phishing Detection with FastPass Origin Check
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
AWS CloudTrail GuardDuty Detector Deleted
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Microsoft Defender for Office 365 Medium Severity AIR Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
AWS GuardDuty Medium Severity Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Microsoft Defender for Office 365 High Severity AIR Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Okta MFA Disabled
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
AWS CloudTrail GuardDuty Detector Suspended
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
AWS GuardDuty High Severity Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Sekoia.io EICAR Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Netsh Port Forwarding
- 15/02/2024 - minor - Added filter to reduce false positives
Microsoft Defender Antivirus Disabled Base64 Encoded
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
MS Office Product Spawning Exe in User Dir
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
NlTest Usage
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Intrusion Detection Informational Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
HarfangLab EDR Hlai Engine Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Login Failed Brute-Force On SentinelOne EDR Management Console
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Threat Mitigation Report Remediate Success
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Intrusion Detection Medium Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR SSO User Added
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
WithSecure Elements Critical Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
HarfangLab EDR Process Execution Blocked (HL-AI engine)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Threat Mitigation Report Quarantine Failed
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Identity Protection Detection High Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Intrusion Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Intrusion Detection Critical Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Custom Rule Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Cybereason EDR Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Threat Mitigation Report Kill Success
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Intrusion Detection Low Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Identity Protection Detection Informational Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Login Brute-Force Successful On SentinelOne EDR Management Console
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Malicious Threat Not Mitigated
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Identity Protection Detection Critical Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Cybereason EDR Malware Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Identity Protection Detection Medium Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Intrusion Detection High Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Threat Detected (Malicious)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Trend Micro Apex One Malware Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
CrowdStrike Falcon Identity Protection Detection Low Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Trend Micro Apex One Data Loss Prevention Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Threat Mitigation Report Quarantine Success
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
SentinelOne EDR Threat Detected (Suspicious)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
Trend Micro Apex One Intrusion Detection Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
WMIC Uninstall Product
- 13/02/2024 - minor - Exclude non-Windows operating systems (false positives)
High Privileges Network Share Removal
- 02/02/2024 - major - changing current pattern and adding another one
Inhibit System Recovery Deleting Backups
- 31/01/2024 - minor - Improve selection filter
Microsoft Office Product Spawning Windows Shell
- 23/01/2024 - minor - Adding elements to increase detection and filters to reduce false positives.
PowerShell Malicious PowerShell Commandlets
- 23/01/2024 - minor - Adding exclusion pattern and selection commandlet
Suspicious Process Requiring DLL Starts Without DLL
- 22/01/2024 - minor - Added filter to reduce false positives
Suspicious CodePage Switch with CHCP
- 16/01/2024 - minor - Rename rule to fit with behavior
Usage Of Procdump With Common Arguments
- 15/01/2024 - minor - Added filter to reduce false positives.
Windows Registry Persistence COM Search Order Hijacking
- 11/01/2024 - minor - Adding filtering for some FPs
Grabbing Sensitive Hives Via Reg Utility
- 02/01/2024 - minor - Rule was improved to have broader detection and filters were added.
Suspicious Driver Loaded
- 02/01/2024 - minor - improve selection to avoid FP
SolarWinds Wrong Child Process
- 22/12/2023 - minor - Adding a child process name to the filter list to avoid some FPs
Windows Registry Persistence COM Key Linking
- 14/12/2023 - minor - Exclude common legitimate processes
Linux Binary Masquerading
- 12/12/2023 - minor - Extend regex to match more cases
BITSAdmin Download
- 06/12/2023 - minor - Adding key words to increase detection.
Microsoft 365 Sign-in With No User Agent
- 04/12/2023 - major - Added Login:login request type with a filter for codes indicating failure
HTA Infection Chains
- 30/11/2023 - minor - Update pattern with new lolbin
PowerShell Download From URL
- 29/11/2023 - minor - Added a filter to the rule as some false positives were observed.
Netsh Program Allowed With Suspicious Location
- 29/11/2023 - minor - Update regex pattern to insensitive case
NjRat Registry Changes
- 29/11/2023 - minor - Update regex pattern to insensitive case
Suspicious Regsvr32 Execution
- 23/11/2023 - major - Extended detection and added filter
TOR Usage Generic Rule
- 22/11/2023 - minor - Adding filter to improve rule.
AD Object WriteDAC Access
- 21/11/2023 - minor - Rule's effort level has been changed to advanced as legitimate administrator actions can trigger the rule.
Suspicious Double Extension
- 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
WiFi Credentials Harvesting Using Netsh
- 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was highly dependent on the environment.
PowerShell Credential Prompt
- 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment.
WAF Block Rule
- 15/11/2023 - minor - Adding support for Ubika
AWS CloudTrail Remove Flow logs
- 15/11/2023 - minor - Changing effort level.
Cobalt Strike Default Beacons Names
- 08/11/2023 - minor - Added filter to reduce false positives
ETW Tampering
- 08/11/2023 - minor - Added filter to reduce false positives
NTDS.dit File Interaction Through Command Line
- 08/11/2023 - minor - Added filter to reduce false positives
CMSTP Execution
- 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity.
Suspicious Windows Script Execution
- 19/10/2023 - major - Review of the rule to reduce false positives.
Domain Trust Discovery Through LDAP
- 19/10/2023 - minor - improve filter to reduce false positives
Transferring Files With Credential Data Via Network Shares
- 17/10/2023 - minor - Improve selection to reduce false positives
AdFind Usage
- 12/10/2023 - minor - Slight change to a condition in order to reduce false positives.
Microsoft 365 (Office 365) Mass Download By A Single User
- 09/10/2023 - major - Fix field names to match the current parser.
Microsoft 365 (Office 365) Potential Ransomware Activity Detected
- 09/10/2023 - major - Fix field names to match the current parser.
Microsoft 365 (Office 365) Unusual Volume Of File Deletion
- 09/10/2023 - major - Fix field names to match the current parser.
Login Brute-Force Successful
- 06/10/2023 - minor - Renaming and tuning filters to limit false positives
Suspicious Regasm Regsvcs Usage
- 27/09/2023 - major - Rule creation
Suspicious Rundll32.exe Execution
- 21/09/2023 - minor - Extend to some usage without dll filename
UAC Bypass via Event Viewer
- 21/09/2023 - minor - Improve filter to reduce false positives
Opening Of a Password File
- 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation
Suspicious Network Args In Command Line
- 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives.
Okta User Logged In Multiple Applications
- 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps
Potential LokiBot User-Agent
- 04/08/2023 - minor - Added a condition to only match on internal IP as source
Suspicious Windows DNS Queries
- 02/08/2023 - minor - Added a new field and filters to reduce false positives.
Wmic Process Call Creation
- 01/08/2023 - major - Rewritten as a regex to reduce false positives
Potential DNS Tunnel
- 19/07/2023 - major - New regex pattern and new filters.
Correlation Potential DNS Tunnel
- 19/07/2023 - major - New regex pattern and new filters.
Rclone Process
- 28/06/2023 - minor - Added filter to the rule to reduce false positives.
HackTools Suspicious Process Names In Command Line
- 19/06/2023 - minor - Added filter to the rule to reduce false positives.
Msdt (Follina) File Browse Process Execution
- 19/06/2023 - minor - Added filter to the rule to reduce false positives.
Socat Relaying Socket
- 14/06/2023 - minor - Added filter to the rule to reduce false positives.
Socat Reverse Shell Detection
- 14/06/2023 - minor - Added filter to the rule to reduce false positives.
Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL
- 13/06/2023 - minor - Adding private IPs as sources
Suspicious Cmd.exe Command Line
- 30/05/2023 - minor - Adding IntelliJ IDEA to the filter list
Suspicious PowerShell Invocations - Specific
- 26/05/2023 - minor - Added a filter to the rule as some false positives were observed.
Internet Scanner Target
- 28/04/2023 - minor - Support for standard ECS FW fields
Internet Scanner
- 28/04/2023 - minor - Support for standard ECS FW fields
Audio Capture via PowerShell
- 18/04/2023 - minor - Use more specific patterns to fix false positives.
Mimikatz Basic Commands
- 06/04/2023 - minor - Added a filter to the rule as many false positives were observed.
Suspicious PowerShell Invocations - Generic
- 28/03/2023 - minor - Excluded some commonly observed false positives.
Adexplorer Usage
- 27/03/2023 - minor - Modify pattern to avoid false positive and detect usage of either / or - character for snapshot parameter
Windows Update LolBins
- 24/03/2023 - minor - The legitimate DLL UpdateDeploymentProvider.dll is now excluded from the rule as it triggered several false positives.
SentinelOne EDR User Logged In To The Management Console
- 24/03/2023 - minor - Adjusting displayed columns when the rule triggers an alert. Now timestamp and username will be displayed.
Login Brute-Force Successful On AzureAD From Single IP Address
- 23/03/2023 - minor - The error code 50076 has been excluded as it is not a specific error code related to a login failure that we want to detect and caused several false positives.
ISO LNK Infection Chain
- 13/03/2023 - minor - Extended the list of suspicious process names being spawned from explorer.exe
Suspicious certutil command
- 15/02/2023 - minor - "encode" and "decode" were removed as they caused too many false positives while not being the main usage of the certutil command by attackers.
OneNote Embedded File
- 09/02/2023 - minor - Adding other suspicious file extensions (.cmd, .img, .iso, .msi, .vhd, .vhdx) for files opened from OneNote.
Write To File In Systemd
- 04/01/2023 - minor - Added filter to reduce false positives.