36e6f54e43
Fixing path in execution_shell_via_java_revshell_linux.toml (#6079 )
main
yuriShafet
2026-05-05 10:01:06 -04:00
c744a6c6a1
[Rule Tuning] Credential access collection sensitive files (#5952 )
litemars
2026-05-05 12:48:42 +02:00
e4746c3a83
[New] Suspicious Kubernetes Pod Exec (#5978 )
Samirbous
2026-05-04 22:42:34 +01:00
245956a8d6
[New] Potential Privilege Escalation in Container via Runc Init (#5964 )
Samirbous
2026-05-04 22:31:04 +01:00
83406d8ce1
[New/Tuning] Direct Kubelet API Access rules (#5996 )
Samirbous
2026-05-04 22:18:23 +01:00
0b15511ef5
Lock versions for releases: 8.19,9.2,9.3,9.4 (#6044 )
github-actions[bot]
2026-05-04 21:29:14 +05:30
d95919b7e3
[Rule Tuning] Windows Setup Guides - Low and Medium Severity Rules (#6042 )
Jonhnathan
2026-05-04 11:17:05 -03:00
2d6094e1e4
[Hunt Tuning] Entra ID Device Code Phishing / Update Drifted Docs (#5936 )
Terrance DeJesus
2026-05-04 09:46:13 -04:00
a6fba3c728
Monthly Manifest and Schema Updation (#6036 )
dev-v1.6.32
shashank-elastic
2026-05-04 18:01:56 +05:30
3ddbfdfbb1
[New Rule] Kubernetes Pod Creation Using Common Debug or Base Images (#5890 )
Ruben Groenewoud
2026-05-04 12:17:26 +02:00
ef113dc19e
[New Rule] DNS to Commonly Abused Web Services (#5938 )
Ruben Groenewoud
2026-05-04 12:04:57 +02:00
bf49a90eb0
[New] Sensitive Identity File Open by Suspicious Process via Auditd (#5982 )
Samirbous
2026-05-03 11:24:43 +01:00
0c69b63ff2
[New] Kubernetes Secret get or list with Suspicious User Agent (#5974 )
Samirbous
2026-05-02 16:14:17 +01:00
2e223459c4
[New/Tuning] K8 RBAC Privs (#5987 )
Samirbous
2026-05-02 15:08:00 +01:00
838e926058
[New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988 )
Samirbous
2026-05-02 14:56:06 +01:00
80f3ed464c
[New/Tuning] Chroot Execution in Container Context on Linux (#5992 )
Samirbous
2026-05-02 13:45:21 +01:00
338548a306
[New] Kubernetes Secret get or list from Node or Pod Service Account (#5973 )
Samirbous
2026-05-02 11:48:24 +01:00
e0c6e715fb
[New] Curl or Wget Execution from Container Context (#5975 )
Samirbous
2026-05-02 11:08:29 +01:00
55f91946ec
[New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces (#5966 )
Samirbous
2026-05-02 10:55:30 +01:00
0a4a05f322
[New] Kubernetes Rapid Secret GET Activity Against Multiple Objects (#5967 )
Samirbous
2026-05-02 10:43:13 +01:00
a892cd1b6d
[New] Kubernetes Multi-Resource Discovery (#5971 )
Samirbous
2026-05-02 10:32:50 +01:00
40213fa041
[New] Unusual Process Connection to Docker or Containerd Socket (#6005 )
Samirbous
2026-05-02 10:05:09 +01:00
435ec8115d
[Rule Tuning] Network Rules Deprecate Beats Indices (#5932 )
Eric Forte
2026-05-01 21:33:53 -04:00
aad0e4ed11
Fix percentages (#6002 )
dev-v1.6.31
Eric Forte
2026-05-01 19:13:53 -04:00
efa3fe5911
[Rule Tuning] Fixes for Unsupported Fields (#6025 )
Ruben Groenewoud
2026-05-02 01:01:01 +02:00
69da69f1d8
[Rule Tuning] Misc GenAI Tuning (#6006 )
Mika Ayenson, PhD
2026-05-01 17:46:51 -05:00
cc66323d1d
[Bug] Omit ES|QL engine columns from required_fields (#6027 )
dev-v1.6.30
Mika Ayenson, PhD
2026-05-01 17:37:31 -05:00
748ee85339
[Rule Tuning] Windows High-Severity Rules Revamp - 7 (#6013 )
Jonhnathan
2026-05-01 19:13:37 -03:00
c503e550b8
[Rule Tuning] Misc Windows Tuning (#5990 )
Jonhnathan
2026-05-01 18:40:27 -03:00
ab7f9d7296
[Rule Tuning] Windows High-Severity Rules Revamp - 3 (#5969 )
Jonhnathan
2026-05-01 18:23:53 -03:00
250ad4a8eb
[New] Diverse AWS rules (#5913 )
Samirbous
2026-05-01 21:57:28 +01:00
61ee9caf8a
[Rule Tuning] Windows High-Severity Rules Revamp - 5 (#6004 )
Jonhnathan
2026-05-01 17:02:56 -03:00
84f2d3771c
[Rule Tunings] AWS ESQL keep fields missing (#6014 )
Isai
2026-05-01 15:43:38 -04:00
771be70c38
[Rule Tuning] Windows High-Severity Rules Revamp - 6 (#6010 )
Jonhnathan
2026-05-01 16:14:44 -03:00
2cb5e1860a
[Rule Tuning] Windows High-Severity Rules Revamp - 8 (#6019 )
Jonhnathan
2026-05-01 15:52:50 -03:00
8982ff9032
[Rule Tuning] Windows High-Severity Rules Revamp - 9 (#6022 )
Jonhnathan
2026-05-01 15:32:43 -03:00
920910c485
[Rule Tuning] Windows High-Severity Rules Revamp - 4 (#5981 )
Jonhnathan
2026-05-01 14:31:25 -03:00
244cdda427
[New] Multi-Cloud CLI Token and Credential Access Commands (#6012 )
Samirbous
2026-05-01 17:35:19 +01:00
ba8fa3ef0f
[Tuning/New] Namespace Manipulation Using Unshare (#6024 )
Samirbous
2026-05-01 15:29:44 +01:00
a1458f0fd0
Revert "[Tuning] Namespace Manipulation Using Unshare (#5989 )" (#6023 )
Mika Ayenson, PhD
2026-05-01 08:23:55 -05:00
b399d856a1
[New] AWS Lateral Movement via Kubernetes SA (#5959 )
Samirbous
2026-05-01 12:10:55 +01:00
175e043adf
[Tuning] Namespace Manipulation Using Unshare (#5989 )
Samirbous
2026-05-01 11:17:17 +01:00
6b3b84ca38
[New/Tuning] Linux LPE via SUID Shell (#5980 )
Samirbous
2026-05-01 10:51:29 +01:00
8dc3fef270
[Rule Tuning] Privilege Escalation via SUID/SGID (#6017 )
Ruben Groenewoud
2026-05-01 10:08:46 +02:00
eb32e7a242
[Rule Tuning] Veeam Backup Library Loaded by Unusual Process (#5985 )
Jonhnathan
2026-04-30 18:15:40 -03:00
f0467c8bed
[New] Suspicious SUID Binary Execution (#6018 )
Samirbous
2026-04-30 17:38:22 +01:00
3371938045
[New] Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket (#6015 )
Eric Forte
2026-04-30 12:24:01 -04:00
b9065e0689
[Rule Tuning] Add Lunixar to RMM rules, fix new_terms condition (#5986 )
Jonhnathan
2026-04-30 07:59:46 -03:00
f7387bb10d
[FR] [DAC] Add Exception Duplication Checking (#5689 )
dev-v1.6.29
Eric Forte
2026-04-29 08:57:07 -04:00
cb3c342b31
Lock versions for releases: 8.19,9.2,9.3,9.4 (#5998 )
dev-v1.6.28
github-actions[bot]
2026-04-29 00:52:04 +05:30
53f26965e3
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994 )
Terrance DeJesus
2026-04-28 13:17:03 -04:00
0f521a0848
Fix value lists within exception lists (#5963 )
wingiti
2026-04-24 18:23:06 +02:00
ff369b4e44
[Bug] Lock Pyright Version (#5977 )
dev-v1.6.26
Eric Forte
2026-04-23 09:22:10 -04:00
b6886f310c
[FR] Add enforcement for deprecated_reason (#5953 )
dev-v1.6.25
Mika Ayenson, PhD
2026-04-23 06:45:47 -05:00
2dac152094
Lock versions for releases: 8.19,9.2,9.3,9.4 (#5972 )
dev-v1.6.24
github-actions[bot]
2026-04-22 20:15:10 -04:00
2029654e79
ESQL validation support fix (#5970 )
dev-v1.6.23
Eric Forte
2026-04-22 16:52:37 -04:00
7a54f8be99
Prep for Release 9.4 (#5965 )
dev-v1.6.22
shashank-elastic
2026-04-23 00:13:05 +05:30
ebcd05f879
[Rule Tuning] Misc Windows Tunings (#5955 )
Jonhnathan
2026-04-22 15:10:05 -03:00
b805dbed76
[Rule Tuning] GenAI or MCP Server Child Process Execution (#5951 )
Mika Ayenson, PhD
2026-04-22 12:56:25 -05:00
496d2e206a
[New] AWS Credentials Used from GitHub Actions and Non-CI/CD Infra (#5956 )
Samirbous
2026-04-22 18:45:55 +01:00
2177135f86
[New] AWS Rare Source AS Organization Activity (#5957 )
Samirbous
2026-04-22 18:30:57 +01:00
62076dd0dd
[Tuning] Execution via GitHub Actions Runner (#5892 )
Samirbous
2026-04-22 18:16:22 +01:00
ec791fa67a
[New] Long Base64 Encoded Command via Scripting Interpreter (#5891 )
Samirbous
2026-04-22 18:05:49 +01:00
be80d7f2be
[Rule Tuning] Additional GenAI context for Domains & Cred File Access (#5958 )
Mika Ayenson, PhD
2026-04-22 11:34:10 -05:00
876e4ed535
[Bug] Fix Kibana version parsing for package version (#5962 )
dev-v1.6.21
Mika Ayenson, PhD
2026-04-22 10:25:06 -05:00
aa89d2512f
[Rule Tuning] Multiple Device Token Hashes for Single Okta Session (#5948 )
Terrance DeJesus
2026-04-22 08:16:42 -04:00
d8a39869c5
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909 )
dev-v1.6.20
Susan
2026-04-22 08:06:35 -04:00
4512ec1735
[New Rules] False Negatives for New BPFDoor Variants (#5939 )
Ruben Groenewoud
2026-04-22 08:03:32 +02:00
67313bcd2a
[FR] Workflow Updates for Automatically Bumping Stack Version (#5941 )
Eric Forte
2026-04-21 11:48:48 -04:00
8d25a7ddce
[Rule Tuning] Update MDE tags to "Microsoft Defender XDR" (#5927 )
dev-v1.6.19
Jonhnathan
2026-04-20 18:38:09 -03:00
b2e4925c7f
[Rule Tuning] Abnormally Large DNS Response (#5922 )
Eric Forte
2026-04-20 09:28:01 -04:00
ff73f13446
[Docs] Refresh DEX Philosophy (#5933 )
dev-v1.6.18
Mika Ayenson, PhD
2026-04-10 16:40:06 -05:00
deab1c0161
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )
Terrance DeJesus
2026-04-10 12:27:52 -04:00
9736407ef3
[FR] [DAC] Initial Yaml Support (#5821 )
dev-v1.6.17
Eric Forte
2026-04-10 11:29:15 -04:00
a9d0d79a5b
[Rule Tuning] Process Created with an Elevated Token (#5934 )
Jonhnathan
2026-04-10 11:47:27 -03:00
984be4a1ac
[Bug] Small bugfix to address update navigator edge case (#5942 )
dev-v1.6.16
Eric Forte
2026-04-10 08:53:56 -04:00
1503976d10
[FR] Load ECS mapping based on supplied stack version (#5925 )
dev-v1.6.15
Eric Forte
2026-04-09 12:40:10 -04:00
2e8ff76172
Migrate docs workflows from preview-build to docs-actions (#5897 )
Martijn Laarman
2026-04-09 15:20:30 +02:00
b5e5822c1f
Update persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml (#5937 )
Samirbous
2026-04-08 22:11:43 +01:00
c601edfbb3
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5930 )
dev-v1.6.14
github-actions[bot]
2026-04-08 19:44:16 +05:30
7fcbec380b
Update command_and_control_rmm_after_msi_install.toml (#5901 )
Samirbous
2026-04-08 14:01:10 +01:00
09e5bf04f4
[Rule Deprecation] SUNBURST Command and Control Activity (#5928 )
Jonhnathan
2026-04-08 09:25:05 -03:00
9999336f5e
[Rule Tuning] Misc GenAI Rules (#5929 )
Mika Ayenson, PhD
2026-04-08 07:05:35 -05:00
88bc42265f
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5926 )
dev-v1.6.13
github-actions[bot]
2026-04-07 17:45:00 +05:30
c99dc2f4cc
[New Rules] AWS IAM Long-Term Creds Abuse Coverage (#5924 )
Isai
2026-04-06 15:14:59 -04:00
2d2ef5f5b1
Revert "[New Rules] AWS IAM Long-Term Creds Abuse Coverage (#5918 )" (#5923 )
Isai
2026-04-06 14:30:19 -04:00
a950f4738e
[Rule Tuning] Windows High-Severity Rules Revamp - 2 (#5900 )
Jonhnathan
2026-04-06 13:06:24 -03:00
2c42c12c26
[Rule Tuning] Windows High-Severity Rules Revamp - 1 (#5899 )
Jonhnathan
2026-04-06 12:30:43 -03:00
a6d31d7dfd
[New Rules] AWS IAM Long-Term Creds Abuse Coverage (#5918 )
Isai
2026-04-06 10:36:39 -04:00
ca821414a4
[New Rule] AWS S3 Rapid Bucket Posture API Calls from a Single Principal (#5911 )
Isai
2026-04-06 10:06:35 -04:00
c78c6363b0
Remove OSQuery/Investigate Plugin disclaimer enforcement (#5921 )
dev-v1.6.12
Jonhnathan
2026-04-06 10:53:00 -03:00
48128c1c66
[Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field (#5894 )
Terrance DeJesus
2026-04-06 09:40:21 -04:00
6f23fb8d08
[Rule Tuning] M365 Identity OAuth Illicit Consent Grant by Rare Client and User (#5917 )
Terrance DeJesus
2026-04-06 09:30:07 -04:00
1924fc3fae
[Rule Tuning] Entra ID Service Principal with Unusual Source ASN (#5915 )
Terrance DeJesus
2026-04-06 08:59:28 -04:00
0a8c89d3f5
[Rule Tuning] Misc Windows (#5906 )
Jonhnathan
2026-04-06 09:42:29 -03:00
199a4d6160
Monthly Manifest and Schema Updation (#5920 )
dev-v1.6.11
shashank-elastic
2026-04-06 17:35:33 +05:30
c0b852a23d
[New Rule][Rule Tuning] AWS Organizations/Account Discovery Coverage (#5910 )
Isai
2026-04-03 14:54:25 -04:00
ae5ecd5346
[Rule Tuning] AWS suspicious user agents (TruffleHog, Kali CLI/Boto3) (#5902 )
Terrance DeJesus
2026-04-03 11:50:28 -04:00
3e1c6f38e4
Update Entity related Kibana prebuilt ML rules with new _ea ML job ID and update minimum stack versions (#5794 )
Susan
2026-04-02 09:25:14 -04:00
778781cc13
[Rule Tuning] Potential snap-confine Privilege Escalation (#5889 )
Ruben Groenewoud
2026-04-02 11:21:09 +02:00