2f468ddcba
[Rule Tuning] Windows DR Tuning - 7 (#3344)
Jonhnathan
2023-12-18 14:27:55 -03:00
42fdcbef3e
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
Ruben Groenewoud
2023-12-18 17:02:40 +01:00
270a68c448
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
Ruben Groenewoud
2023-12-18 17:02:40 +01:00
91a757a018
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
Ruben Groenewoud
2023-12-18 17:02:40 +01:00
89188034ce
[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345)
Terrance DeJesus
2023-12-18 09:14:10 -05:00
eb5dbd46b4
[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345)
Terrance DeJesus
2023-12-18 09:14:10 -05:00
203c228249
[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345)
Terrance DeJesus
2023-12-18 09:14:10 -05:00
dae8e76cd4
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
Ruben Groenewoud
2023-12-18 09:36:21 +01:00
ee5fa810aa
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
Ruben Groenewoud
2023-12-18 09:36:21 +01:00
84824c67fd
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
Ruben Groenewoud
2023-12-18 09:36:21 +01:00
caf8ab1ffd
[Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330)
Justin Ibarra
2023-12-14 17:55:36 -09:00
7e07c12fd8
[Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330)
Justin Ibarra
2023-12-14 17:55:36 -09:00
a6c5cfc418
[Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330)
Justin Ibarra
2023-12-14 17:55:36 -09:00
ea6a0bec59
[Tuning] Suspicious Script Object Execution (#3339)
Samirbous
2023-12-14 23:49:54 +00:00
9f513da1c0
[Tuning] Suspicious Script Object Execution (#3339)
Samirbous
2023-12-14 23:49:54 +00:00
4b183be124
[Tuning] Suspicious Script Object Execution (#3339)
Samirbous
2023-12-14 23:49:54 +00:00
389ac555e2
[Tuning] Remote Scheduled Task Creation (#3337)
Samirbous
2023-12-14 23:39:52 +00:00
5b8e686583
[Tuning] Remote Scheduled Task Creation (#3337)
Samirbous
2023-12-14 23:39:52 +00:00
07b952b7bc
[Tuning] Remote Scheduled Task Creation (#3337)
Samirbous
2023-12-14 23:39:52 +00:00
74fadb8278
[Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331)
Justin Ibarra
2023-12-14 13:04:08 -09:00
5d5bb7ed16
[Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331)
Justin Ibarra
2023-12-14 13:04:08 -09:00
aff7f37b92
[Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331)
Justin Ibarra
2023-12-14 13:04:08 -09:00
7ffbf19e86
[Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329)
Justin Ibarra
2023-12-14 09:21:46 -09:00
35589e47a7
[Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329)
Justin Ibarra
2023-12-14 09:21:46 -09:00
a7b9a61942
[Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329)
Justin Ibarra
2023-12-14 09:21:46 -09:00
6e82ddd307
[Tuning] Suspicious Managed Code Hosting Process (#3338)
Samirbous
2023-12-14 17:51:35 +00:00
c4b6e810d1
[Tuning] Suspicious Managed Code Hosting Process (#3338)
Samirbous
2023-12-14 17:51:35 +00:00
8b2aed4fc0
[Tuning] Suspicious Managed Code Hosting Process (#3338)
Samirbous
2023-12-14 17:51:35 +00:00
362b3291a9
[Tuning] Multiple Logon Failure Followed by Logon Success (#3340)
Samirbous
2023-12-14 17:41:06 +00:00
077041fef5
[Tuning] Multiple Logon Failure Followed by Logon Success (#3340)
Samirbous
2023-12-14 17:41:06 +00:00
727c23e3d2
[Tuning] Multiple Logon Failure Followed by Logon Success (#3340)
Samirbous
2023-12-14 17:41:06 +00:00
d5e7f2c958
[Rule Tuning] Account Password Reset Remotely (#3335)
Samirbous
2023-12-14 17:22:19 +00:00
6dad9359c4
[Rule Tuning] Account Password Reset Remotely (#3335)
Samirbous
2023-12-14 17:22:19 +00:00
7a4f1224dc
[Rule Tuning] Account Password Reset Remotely (#3335)
Samirbous
2023-12-14 17:22:19 +00:00
1f15003bd1
Update Advanced Analytics config guides (#3302)
Apoorva Joshi
2023-12-13 07:53:41 -08:00
c5606e7f3f
Update Advanced Analytics config guides (#3302)
Apoorva Joshi
2023-12-13 07:53:41 -08:00
9a9f5437f2
Update Advanced Analytics config guides (#3302)
Apoorva Joshi
2023-12-13 07:53:41 -08:00
69f9bb416d
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3319)
github-actions[bot]
2023-12-12 13:23:14 -05:00
760735c90b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3319)
integration-v8.10.8
github-actions[bot]
2023-12-12 13:23:14 -05:00
a39a52360a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3319)
github-actions[bot]
2023-12-12 13:23:14 -05:00
73e65e14c6
updating min-stack for Okta rule (#3318)
Terrance DeJesus
2023-12-12 12:27:18 -05:00
c7469afefe
updating min-stack for Okta rule (#3318)
Terrance DeJesus
2023-12-12 12:27:18 -05:00
631f8841ad
updating min-stack for Okta rule (#3318)
Terrance DeJesus
2023-12-12 12:27:18 -05:00
7b7ca3fdc9
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265)
Terrance DeJesus
2023-12-12 10:31:45 -05:00
b70bbe0841
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265)
Terrance DeJesus
2023-12-12 10:31:45 -05:00
93d71acb91
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265)
Terrance DeJesus
2023-12-12 10:31:45 -05:00
f3d2a73f26
[Rule Tuning] Windows DR Tuning - 6 (#3246)
Jonhnathan
2023-12-12 11:37:54 -03:00
c55eb80d2a
[Rule Tuning] Windows DR Tuning - 6 (#3246)
Jonhnathan
2023-12-12 11:37:54 -03:00
6f4c323929
[Rule Tuning] Windows DR Tuning - 6 (#3246)
Jonhnathan
2023-12-12 11:37:54 -03:00
908168725a
[FR] 8.12 Release Preparation update Main Branch to 8.13 (#3313)
Eric Forte
2023-12-11 14:58:06 -05:00
1fc8e591d7
[FR] 8.12 Release Preparation update Main Branch to 8.13 (#3313)
Eric Forte
2023-12-11 14:58:06 -05:00
90a2043bc4
[FR] 8.12 Release Preparation update Main Branch to 8.13 (#3313)
Eric Forte
2023-12-11 14:58:06 -05:00
2303db8486
[Bug] Use integration schemas for required_field types (#3303)
Mika Ayenson
2023-12-11 11:32:38 -06:00
1f776c8ebe
[Bug] Use integration schemas for required_field types (#3303)
Mika Ayenson
2023-12-11 11:32:38 -06:00
face95058f
[Bug] Use integration schemas for required_field types (#3303)
Mika Ayenson
2023-12-11 11:32:38 -06:00
7c4a827fb8
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288)
Ruben Groenewoud
2023-12-11 13:53:06 +01:00
0ed1db8aab
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288)
Ruben Groenewoud
2023-12-11 13:53:06 +01:00
6c614eb102
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288)
Ruben Groenewoud
2023-12-11 13:53:06 +01:00
10f00a3f88
Create new_meta.md (#3305)
Colson Wilhoit
2023-12-08 14:39:02 -06:00
53f924d52e
[FR] Add Support for ES|QL Rule Type and Remote Validation (#3281)
Mika Ayenson
2023-12-08 13:46:28 -06:00
111ce46b75
[FR] Add Support for ES|QL Rule Type and Remote Validation (#3281)
Mika Ayenson
2023-12-08 13:46:28 -06:00
7514c0a206
[FR] Add Support for ES|QL Rule Type and Remote Validation (#3281)
Mika Ayenson
2023-12-08 13:46:28 -06:00
094f3ead92
[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
Jonhnathan
2023-12-08 15:54:40 -03:00
87f8498b68
[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
Jonhnathan
2023-12-08 15:54:40 -03:00
aeb1f91320
[Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
Jonhnathan
2023-12-08 15:54:40 -03:00
98fe04217b
[Security Content] Add Windows Investigation Guides (#3095)
Jonhnathan
2023-12-08 11:31:16 -03:00
be07759888
[Security Content] Add Windows Investigation Guides (#3095)
Jonhnathan
2023-12-08 11:31:16 -03:00
eb7c5f6717
[Security Content] Add Windows Investigation Guides (#3095)
Jonhnathan
2023-12-08 11:31:16 -03:00
ab0c5154a2
[New Rule] Suspicious File Creation via Kworker (#3237)
Ruben Groenewoud
2023-12-07 23:02:00 +01:00
7c5664d34d
[New Rule] Suspicious File Creation via Kworker (#3237)
Ruben Groenewoud
2023-12-07 23:02:00 +01:00
840958d117
[New Rule] Suspicious File Creation via Kworker (#3237)
Ruben Groenewoud
2023-12-07 23:02:00 +01:00
2e585eab84
[New Rule] Out-Of-Tree Kernel Module Load (#3233)
Ruben Groenewoud
2023-12-07 22:53:21 +01:00
3cc7a46384
[New Rule] Out-Of-Tree Kernel Module Load (#3233)
Ruben Groenewoud
2023-12-07 22:53:21 +01:00
490fa0e1d2
[New Rule] Out-Of-Tree Kernel Module Load (#3233)
Ruben Groenewoud
2023-12-07 22:53:21 +01:00
84240c082e
[New BBR] Pot. Persistence Through Systemd-udevd (#3235)
Ruben Groenewoud
2023-12-07 22:42:29 +01:00
ab4f31499b
[New BBR] Pot. Persistence Through Systemd-udevd (#3235)
Ruben Groenewoud
2023-12-07 22:42:29 +01:00
07b1cab919
[New BBR] Pot. Persistence Through Systemd-udevd (#3235)
Ruben Groenewoud
2023-12-07 22:42:29 +01:00
07c235988f
[New Rule] UID Elevation from Unknown Executable (#3239)
Ruben Groenewoud
2023-12-07 22:25:01 +01:00
4d1fb91520
[New Rule] UID Elevation from Unknown Executable (#3239)
Ruben Groenewoud
2023-12-07 22:25:01 +01:00
9c61231dc6
[New Rule] UID Elevation from Unknown Executable (#3239)
Ruben Groenewoud
2023-12-07 22:25:01 +01:00
39c81d157b
[New Rule] Suspicious Kworker UID Elevation (#3238)
Ruben Groenewoud
2023-12-07 20:59:07 +01:00
5aec8b4afe
[New Rule] Suspicious Kworker UID Elevation (#3238)
Ruben Groenewoud
2023-12-07 20:59:07 +01:00
1071b12f00
[New Rule] Suspicious Kworker UID Elevation (#3238)
Ruben Groenewoud
2023-12-07 20:59:07 +01:00
315e5e9bca
[New] Rare SMB Connection to the Internet (#3300)
Samirbous
2023-12-07 16:10:20 +00:00
17139b0278
[New] Rare SMB Connection to the Internet (#3300)
Samirbous
2023-12-07 16:10:20 +00:00
7070eb3b34
[New] Rare SMB Connection to the Internet (#3300)
Samirbous
2023-12-07 16:10:20 +00:00
67449e26a5
[Rule Tuning] UEBA new_terms process_executable (#3268)
Ruben Groenewoud
2023-12-07 16:38:08 +01:00
d528af6bdb
[Rule Tuning] UEBA new_terms process_executable (#3268)
Ruben Groenewoud
2023-12-07 16:38:08 +01:00
1647a16fab
[Rule Tuning] UEBA new_terms process_executable (#3268)
Ruben Groenewoud
2023-12-07 16:38:08 +01:00
6c28ba53ad
[Tuning] Small Linux DR Tuning (#3287)
Ruben Groenewoud
2023-12-07 12:45:24 +01:00
7ab6b29c66
[Tuning] Small Linux DR Tuning (#3287)
Ruben Groenewoud
2023-12-07 12:45:24 +01:00
38862b89e9
[Tuning] Small Linux DR Tuning (#3287)
Ruben Groenewoud
2023-12-07 12:45:24 +01:00
1ae2cdeca5
[New] Process Created with a Duplicated Token (#3152)
Samirbous
2023-12-07 11:20:30 +00:00
97db361c09
[New] Process Created with a Duplicated Token (#3152)
Samirbous
2023-12-07 11:20:30 +00:00
7488c60090
[New] Process Created with a Duplicated Token (#3152)
Samirbous
2023-12-07 11:20:30 +00:00
3d40a09531
Fix syntax error in query (#3285)
Eric
2023-12-07 03:49:18 -07:00
268990dfec
Fix syntax error in query (#3285)
Eric
2023-12-07 03:49:18 -07:00
a4ad0b6a24
Fix syntax error in query (#3285)
Eric
2023-12-07 03:49:18 -07:00
f128070ae5
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304)
Terrance DeJesus
2023-12-06 10:35:46 -05:00
6e6c2726fc
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash (#3304)
Terrance DeJesus
2023-12-06 10:35:46 -05:00