c3b0256d71
remove: Active Directory Parsing DLL Loaded Via Office Application - deprecated as this rule was triggered every time any office app was opened
fix: Uncommon AppX Package Locations - Add a filter to legit Microsoft path
fix: File With Uncommon Extension Created By An Office Application - Add a filter to remove fp caused by ".com" directory filename
fix: Startup Folder File Write - Add a filter for OneNote
fix: Suspicious Volume Shadow Copy Vssapi.dll Load - Add a filter for null Image field
fix: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Add a filter for null Image field
fix: Suspicious WSMAN Provider Image Loads - Add a filter for mmc loading wsman provider images
fix: Office Application Initiated Network Connection To Non-Local IP - Add filter to more legit microsoft IP address ASN subnets
fix: Office Application Initiated Network Connection Over Uncommon Ports - Add filter for other common ports
fix: Suspicious Userinit Child Process - Add filter to Explorer in CommandLine
fix: CurrentVersion Autorun Keys Modification - Add more filters for OneDriverSetup.EXE
fix: Office Autorun Keys Modification - Add a new filter for a FriendlyName Addin
fix: Suspicious Access to Sensitive File Extensions - Zeek - Commented out groups.xml
fix: Suspicious Access to Sensitive File Extensions - Commented out groups.xml
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Deprecated folder
This folder contains all rules that have been marked as deprecated.
It is recommended to avoid using these rules, as they are no longer maintained or supported.
For a summary of the deprecated rules, refer to deprecated.csv or deprecated.json.