This website requires JavaScript.
d72cb92d59
Bringing back "fix: Cleaning up the hashable content for the rule" (#4621 ) (#4668 )
2025-04-28 18:29:55 +02:00
97e6d8b706
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4665 )
2025-04-25 20:35:09 +05:30
f02ccfef64
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens (#4628 )
2025-04-24 15:39:51 -04:00
191396e5e8
Version bump (#4655 )
2025-04-24 19:19:36 +02:00
b7a324b2e8
Revert "fix: Cleaning up the hashable content for the rule (#4621 )" (#4654 )
2025-04-24 19:05:17 +02:00
84966f02a1
[Tuning] Update DPRK ByBit Hunting Queries (#4645 )
2025-04-24 07:58:06 -05:00
80c4f7eacc
fix: Cleaning up the hashable content for the rule (#4621 )
2025-04-24 11:03:26 +02:00
b429be2bda
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4648 )
2025-04-24 00:49:06 -04:00
70062c3991
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4649 )
2025-04-24 07:12:12 +05:30
34231160ee
Fix versions for changes in required_fileds (#4640 )
2025-04-24 06:28:18 +05:30
b9ed05562d
[Rule Tuning] User Added to Privileged Group in Active Directory (#4646 )
2025-04-23 21:42:33 -03:00
e8e76972f5
[Rule Tuning] Replace legacy winlog.api usage (#4647 )
2025-04-23 21:22:38 -03:00
54fadc8e2e
Add 8.18 and 9.0 beats schemas (#4641 )
2025-04-24 05:36:45 +05:30
bbfc026c95
[New Hunt] New Hunting Queries for DPRK ByBit (#4644 )
2025-04-23 16:41:23 -04:00
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code (#4639 )
2025-04-23 14:06:05 +01:00
f8e91be329
[New] RemoteMonologue Attack rules (#4604 )
2025-04-22 19:26:57 +01:00
1bab74179e
[New Rule] Potential Malicious PowerShell Based on Alert Correlation (#4635 )
2025-04-22 13:36:04 -03:00
c80319d462
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547 )
2025-04-22 10:53:01 -05:00
8361cfd205
[New Rule] Potential PowerShell Obfuscation via String Reordering (#4595 )
2025-04-22 12:26:55 -03:00
364d9dd3bc
[New Rule] Threat Intel Email Indicator Match (#4598 )
2025-04-22 12:15:36 -03:00
a495b4b9b2
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627 )
2025-04-22 11:59:06 -03:00
a9f99137f3
[New Rule] Dynamic IEX Reconstruction via Method String Access (#4634 )
2025-04-22 11:47:03 -03:00
4ef72457d3
[Tuning] MacOS DR Tuning PR (#4546 )
2025-04-21 17:32:05 -05:00
c58d59eeb7
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625 )
2025-04-21 12:06:57 -04:00
94237798a5
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626 )
2025-04-21 11:02:14 -04:00
96c2d0ca85
[New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses (#4624 )
2025-04-17 16:06:40 -04:00
62feac3348
[Bug] Update Schema Prompt to include new_terms_fields (#4567 )
2025-04-17 10:45:51 -04:00
6cb238bedb
[Enhancement] Add flag to export rules via KQL search on name (#4594 )
2025-04-17 00:40:46 +02:00
9b682b752c
Feature exclude tactic name (#4593 )
2025-04-16 22:02:14 +02:00
033c82858c
[FR] Add Support for Local Dates Flag (#4582 )
2025-04-16 15:41:09 -04:00
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570 )
2025-04-16 13:58:17 -04:00
1a6669e5a6
[Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562 )
2025-04-16 12:21:41 -04:00
e11fe78846
[Rule Tuning] Suspicious WMI Event Subscription Created (#4618 )
2025-04-16 10:05:20 -03:00
3eed0f5b6a
[Rule Tuning] SSH Authorized Keys File Deletion (#4591 )
2025-04-15 12:16:03 -03:00
ea7de8230c
[FR] Add Kibana Action Connector Error to Exception List Workaround (#4583 )
2025-04-15 09:18:50 -04:00
108b64f0c2
[FR] Update Detection Rules MITRE Workflow to SHA Pin (#4581 )
2025-04-15 09:03:34 -04:00
595d204fe6
Remove Task List reference (#4605 )
2025-04-15 09:22:56 +05:30
3b1f780435
[D4C Conversion] Converting Compatible D4C Rules to DR (#4532 )
2025-04-10 14:26:40 +02:00
05c9f6bbdb
[FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… (#4529 )
2025-04-08 18:19:18 +02:00
fbddc2e659
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4601 )
2025-04-08 18:25:47 +05:30
a5d9d6400a
[Rule Tuning] Suspicious Execution via Scheduled Task (#4599 )
2025-04-07 14:29:08 -03:00
3966981dae
Add investigation guides (#4600 )
2025-04-07 20:55:39 +05:30
9577d53284
[Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592 )
2025-04-07 12:00:14 -03:00
753e8d8200
[New] Unusual Network Connection to Suspicious Top Level Domain (#4563 )
2025-04-03 14:22:41 -05:00
d4b2a35237
[New] Unusual Network Connection to Suspicious Web Service (#4569 )
2025-04-03 14:02:03 -05:00
8bb5e2493b
Update docset.yml (#4590 )
2025-04-03 13:46:01 -05:00
e7806fc74f
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589 )
2025-04-02 09:52:34 -03:00
6d8cfda10f
Update defense_evasion_microsoft_defender_tampering.toml (#4573 )
2025-04-01 18:04:29 +01:00
c6e37d6910
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557 )
2025-03-27 15:55:04 -04:00
280140650a
tuning 'Azure Conditional Access Policy Modified' (#4558 )
2025-03-27 15:43:46 -04:00
2f3f4fbdef
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559 )
2025-03-27 10:09:34 -04:00
51826ed32f
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4571 )
2025-03-27 09:42:15 +05:30
2b3095a13c
Update Max signals value to supported limits (#4556 )
2025-03-27 09:02:25 +05:30
63c1f47689
[Rule Tuning] Added OWA (outlook for web) new AppID (#4568 )
2025-03-26 19:15:28 +01:00
e8c54169a4
Prep main for 9.1 (#4555 )
2025-03-26 20:34:14 +05:30
2d2c5b4d88
[Bug] Update Custom Rules Markdown Location (#4565 )
2025-03-26 10:00:52 -04:00
5e12f05a36
fixing double header in investigation notes (#4490 )
2025-03-25 09:08:13 -04:00
3bbe24d154
Create new detection rule set documentation to be included in the new docs. (#4508 )
2025-03-24 17:23:06 +01:00
65170c394b
fix: removing outdated code in Kibana client auth (#4495 )
2025-03-24 12:28:36 +01:00
db78756062
[New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535 )
2025-03-21 10:05:24 -04:00
75b2b5cb6a
[FR] Bump changed-files Version to Patched Version (#4542 )
2025-03-20 12:58:21 -04:00
cd9ec7838c
[ci] Add new docs-builder automation. (#4507 )
2025-03-20 17:20:27 +01:00
059d7efa25
Prep for Release 9.0 (#4550 )
2025-03-20 20:32:07 +05:30
955e973c00
Change description and name of problemchild ML detection-rules (#4545 )
2025-03-20 08:58:10 -04:00
28a06fd25f
Update defense_evasion_posh_assembly_load.toml (#4543 )
2025-03-20 08:13:28 +00:00
5ccb7ed4af
Min stack rules from 4516 (#4549 )
2025-03-19 20:27:30 -04:00
5b3dc4a4a7
Revert "Add new ML detection rules for Privileged Access Detection (#4516 )" (#4548 )
2025-03-19 20:08:08 -04:00
2ff8d1bb56
Add new ML detection rules for Privileged Access Detection (#4516 )
2025-03-19 11:02:28 -04:00
40a97f719f
Temporaily Disable Changed FIles Workflow (#4538 )
2025-03-14 23:42:48 -04:00
0993ced309
Deprecate Cloud Defend Rules (#4537 )
2025-03-14 21:27:37 +05:30
290f0be959
Update defense_evasion_execution_suspicious_explorer_winword.toml (#4533 )
2025-03-14 13:46:56 +00:00
a64b6a39a7
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4531 )
2025-03-12 19:02:53 +05:30
d7d8c414ec
[New Rule] File Creation in /var/log via Suspicious Process (#4528 )
2025-03-12 12:50:48 +01:00
02be7cac0a
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4530 )
2025-03-12 12:49:43 +05:30
3ed820afa8
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523 )
2025-03-11 11:25:10 -04:00
aacb376acf
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524 )
2025-03-11 11:05:56 -04:00
fd1369a164
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525 )
2025-03-11 10:51:01 -04:00
7c4f334a00
[New Hunt] Adding Hunting Queries for Azure Entra Sign-In Anomalies (#4527 )
2025-03-11 10:27:08 -04:00
4deb6a73b8
[FR] [DaC] Update Readme with DaC Support References (#4526 )
2025-03-10 21:24:12 -04:00
eadcd9d3e0
[FR] Add Env Var DR_CLI_MAX_WIDTH and DaC Docs Updates (#4518 )
2025-03-10 12:59:12 -04:00
3bdda091e1
chore: use docs-dev instead of docs dir for docs (#4522 )
2025-03-07 14:34:51 +01:00
e28512a32f
Deprecation Notice to Cloud Defend Rules (#4520 )
2025-03-07 10:50:00 +05:30
561ab703de
[New Rule] Uncommon Destination Port Connection by Web Server (#4515 )
2025-03-06 17:31:33 +01:00
9fb7b57a47
[New Rule] Unusual File Creation from Web Server Parent (#4514 )
2025-03-06 17:21:47 +01:00
fe0a9f4935
[New/Tuning] Docker Socket Enumeration (#4510 )
2025-03-06 17:07:10 +01:00
8dfa5da3bf
[New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509 )
2025-03-06 16:57:33 +01:00
fe06843636
[New Rule] Unusual Process Spawned from Web Server Parent (#4513 )
2025-03-06 16:46:12 +01:00
6eed757b66
Revert "Moving docs to docs-dev"
2025-03-06 16:29:37 +01:00
75abb8d0b5
Moving docs to docs-dev
2025-03-06 16:27:26 +01:00
7ce6aaf566
[New Rule] Unusual Command Execution from Web Server Parent (#4512 )
2025-03-06 16:25:38 +01:00
a1d6ff4a50
Added ML detection-rules for new Security Host package (#4519 )
2025-03-06 09:23:29 -05:00
081bd03618
fix(ci): use negative patterns in paths instead of paths-ignore (#4521 )
2025-03-06 13:57:41 +01:00
8854b3bea0
Ignore changes in rules/integrations except endpoint, and in _deprecated (#4498 )
2025-03-05 12:49:46 +01:00
5f54eb8006
chore: Removing RTAs (#4437 )
2025-03-05 12:35:57 +01:00
49c361dd98
[New Rules] Azure OpenAI (#3701 )
2025-03-04 11:29:38 -06:00
b1470a480b
[New] WDAC Policy File by an Unusual Process (#4504 )
2025-03-04 15:21:58 +00:00
467034ee5b
Deprecate an APM BBR rule (#4511 )
2025-03-04 17:39:45 +05:30
b9e8115c2f
[New Rule] Python Site or User Customize File Creation (#4500 )
2025-03-03 15:30:33 +01:00
d948279af6
[New Rule] Python Path File (pth) Creation (#4499 )
2025-03-03 15:20:00 +01:00
f70eafb8e7
[New Rule] Successful SSH Authentication from Unusual User (#4481 )
2025-03-03 11:55:27 +01:00
Sergey Polzunov