d358641c45
[New] Multiple Rare Elastic Defend Behavior Rules by Host (#5738 )
Samirbous
2026-02-20 09:40:42 +00:00
f773103519
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection (#5702 )
Terrance DeJesus
2026-02-19 15:58:12 -05:00
4278521811
[Rule Tuning] Accepted Default Telnet Port Connection (#5737 )
Eric Forte
2026-02-19 15:15:51 -05:00
63f76cf004
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681 )
Terrance DeJesus
2026-02-19 10:09:15 -05:00
cf6472005a
[Tuning] High Order Rules fine tuning (#5728 )
Samirbous
2026-02-18 23:31:56 +00:00
dbbf71b9c2
[Rule Tuning] Entra ID Suspicious Cloud Device Registration (#5683 )
Terrance DeJesus
2026-02-18 17:37:17 -05:00
e633c83b73
[New Rule] AWS SSM Inventory Reconnaissance by Rare User (#5724 )
Isai
2026-02-18 15:50:14 -05:00
f10de64527
[New Rule] AWS Sensitive IAM Operations Performed via CloudShell (#5718 )
Isai
2026-02-18 15:29:53 -05:00
f62026e378
[New Rules] AWS IAM new identity federation provider rules (#5691 )
Isai
2026-02-18 15:17:13 -05:00
204f0b2ebc
[Tuning] Adds host metadata to the setup requirements (#5719 )
Samirbous
2026-02-18 17:04:40 +00:00
25f3d6a879
[FR] Add copilot instructions to catch the gotchas (#5733 )
dev-v1.5.45
Mika Ayenson, PhD
2026-02-18 10:37:00 -06:00
2605d38018
[New] Potential Notepad Markdown RCE Exploitation (#5729 )
Samirbous
2026-02-18 16:19:56 +00:00
6d0471768f
[Rule Tuning] PowerShell Rules Revamp - 9 (#5706 )
Jonhnathan
2026-02-18 12:22:24 -03:00
93d20b1233
[Rule Deprecation] M365 Teams Guest & External Access Rules (#5721 )
Terrance DeJesus
2026-02-18 10:00:24 -05:00
5d98a212fc
[Rule Tuning] Potential Timestomp in Executable Files (#5727 )
Jonhnathan
2026-02-18 11:14:54 -03:00
183b337a01
[Tuning] Elastic Agent Service Terminated (#5730 )
Samirbous
2026-02-17 22:30:34 +00:00
386c8f7e7a
[New Rule] AWS GuardDuty Member Account Manipulation (#5688 )
Isai
2026-02-17 16:32:20 -05:00
4299831b90
[Rule Tuning] M365 Identity Excessive SSO Login Errors Reported (#5677 )
Terrance DeJesus
2026-02-17 13:55:24 -05:00
0c7e6516f9
[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732 )
Ruben Groenewoud
2026-02-17 17:49:56 +01:00
e94ee9d873
[New Rule] Okta Admin Console Login Failure (#5669 )
Terrance DeJesus
2026-02-17 10:01:07 -05:00
41a8256aa3
[tuning] LLM DNS queries (#5709 )
Samirbous
2026-02-13 13:54:52 +00:00
60606ecd4e
[New] Elastic Defend Alert Followed by Telemetry Loss (#5716 )
Samirbous
2026-02-13 10:00:27 +00:00
62cc9f105d
[Rule Tuning] Okta User Assigned Administrator Role (#5671 )
Terrance DeJesus
2026-02-12 09:33:25 -05:00
64168f62c1
[New/Tuning] Misc. D4C Rules (#5710 )
Ruben Groenewoud
2026-02-12 10:52:16 +01:00
f306404fe5
[Bug] CLI adds frequency field to system actions (.cases), causing import failure (#5690 )
dev-v1.5.44
Eric Forte
2026-02-11 15:18:20 -05:00
f74c04d11a
[Bug] ESQL validation keep Clause Reported Missing Metadata Fields (#5717 )
dev-v1.5.43
Eric Forte
2026-02-11 15:02:23 -05:00
51cf7574a9
[Rule Deprecation] PowerShell Rules (#5707 )
Jonhnathan
2026-02-11 16:49:33 -03:00
4980a3b50c
[Rule Tuning] PowerShell Rules Revamp - 8 (#5705 )
Jonhnathan
2026-02-11 16:32:04 -03:00
3065b10f91
[Rule Tuning] PowerShell Rules Revamp - 7 (#5704 )
Jonhnathan
2026-02-11 16:02:48 -03:00
9be58755ae
[Rule Tuning] PowerShell Rules Revamp - 6 (#5700 )
Jonhnathan
2026-02-11 15:50:49 -03:00
20450660df
[Rule Tuning] PowerShell Rules Revamp - 5 (#5699 )
Jonhnathan
2026-02-11 15:36:48 -03:00
2d4d56bf21
[Rule Tuning] PowerShell Rules Revamp - 4 (#5698 )
Jonhnathan
2026-02-11 15:26:05 -03:00
5489c107b0
[New Rule] Potential PowerShell Obfuscated Script via High Entropy (#5554 )
Jonhnathan
2026-02-11 09:50:19 -03:00
df9c27d82e
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5708 )
dev-v1.5.42
github-actions[bot]
2026-02-10 11:14:23 +05:30
70d7f2b6b1
Monthly Manifest and Schema Updation (#5697 )
dev-v1.5.41
shashank-elastic
2026-02-10 09:17:04 +05:30
229f3adf75
[New/Tuning] Misc. New D4C Rules and Tunings (#5692 )
Ruben Groenewoud
2026-02-09 16:58:27 +01:00
2b5472a9b3
[Tuning/New] Solarwinds Post Exploit (#5696 )
Samirbous
2026-02-09 13:57:52 +00:00
793d79b063
[New Rule] AWS EC2 Serial Console Access Enabled (#5687 )
Isai
2026-02-06 17:34:55 -05:00
ac6ead4346
[Rule Tuning] Update LLM Verdict for COMPLETION Rules
Mika Ayenson, PhD
2026-02-06 11:25:22 -06:00
43d3f3b467
[New] Endpoint Rule Conversion PR (#5658 )
Colson Wilhoit
2026-02-06 10:53:44 -06:00
440ff43810
[Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules (#5685 )
Ruben Groenewoud
2026-02-06 09:38:56 +01:00
1c59a6adde
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5657 )
Isai
2026-02-05 21:34:38 -05:00
64cca9e1ba
[Rule Tuning] Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (#5523 ) (#5686 )
yuriShafet
2026-02-05 20:54:26 +00:00
80968035bb
MacOS detection rules tuning (#5667 )
Colson Wilhoit
2026-02-05 11:20:16 -06:00
64a08cd6af
[New Rules] Misc. K8s RBAC Abuse Rules (#5673 )
Ruben Groenewoud
2026-02-05 17:42:03 +01:00
694376bd7a
[Bug] Fix UTF-8 Encoding for Rule File Operations (#5684 )
dev-v1.5.40
Ruben Groenewoud
2026-02-05 14:21:30 +01:00
00159a3eca
[Tuning] M365 Exchange Inbox Phishing Evasion Rule Created (#5648 )
Samirbous
2026-02-05 13:02:57 +00:00
3cba3d7982
[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672 )
Ruben Groenewoud
2026-02-05 13:24:21 +01:00
aff945cb70
[New Rules] ESQL LLM-Based Alert Triage Rules (#5656 )
Mika Ayenson, PhD
2026-02-04 14:32:36 -06:00
94c17dff59
[New Rule] Execution via OpenClaw Agent (#5666 )
Mika Ayenson, PhD
2026-02-04 14:02:52 -06:00
e6fafc914e
[Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion (#5592 )
ailiffa
2026-02-04 11:16:14 -06:00
2b8fb44cb5
[New] SolarWinds Web Help Desk Java Module Load or Child Process (#5665 )
Samirbous
2026-02-04 16:09:55 +00:00
f6454e93e8
Update (#5675 )
Mika Ayenson, PhD
2026-02-04 09:15:53 -06:00
fda9f00c2b
[Tuning] M365 Exchange Inbox Forwarding Rule Created (#5647 )
Samirbous
2026-02-04 13:50:55 +00:00
d42ebdc3e6
[Tuning] Component Object Model Hijacking (#5651 )
Samirbous
2026-02-04 13:23:40 +00:00
ed089d5d76
[Tuning] Svchost spawning Cmd (#5649 )
Samirbous
2026-02-04 12:42:50 +00:00
362c459094
[New] Multiple Machine Learning Alerts by Influencer Field (#5660 )
Samirbous
2026-02-04 12:25:59 +00:00
59e394f36b
[doc fix] Adjust wording in the docs for Kibana import/export commands (#5600 )
dev-v1.5.39
Sergey Polzunov
2026-02-04 11:17:58 +01:00
c455d3d98a
[Rule Tuning] Full Kubernetes Ruleset (#5659 )
Ruben Groenewoud
2026-02-04 10:42:41 +01:00
7c03840737
[New Rules] Misc. D4C Rules re: (un)Authenticated API Access (#5661 )
Ruben Groenewoud
2026-02-04 09:58:42 +01:00
7feaf0f1c0
Add security product to docset.yml (#5654 )
Jan Calanog
2026-02-04 00:40:05 +01:00
3ce5379ef5
README fixes (#5616 )
dev-v1.5.38
Sergey Polzunov
2026-02-03 23:22:17 +01:00
c75fc7e487
[Rule Tuning] Mythic C2 AzureBlob Profile Endpoints (#5663 )
Terrance DeJesus
2026-02-03 09:38:14 -05:00
ae88c095e9
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641 )
Terrance DeJesus
2026-01-30 10:16:34 -05:00
6502ba61d7
[Rule Tuning] M365 Security Compliance Potential Ransomware Activity (#5653 )
Terrance DeJesus
2026-01-30 09:57:56 -05:00
efd1756d49
Update impact_hosts_file_modified.toml (#5655 )
Samirbous
2026-01-29 17:02:14 +00:00
fa56ae556e
[New Rule] Okta AiTM Session Cookie Replay Detection (#5627 )
Terrance DeJesus
2026-01-29 08:58:59 -05:00
a2c1dd8575
[New] Suspicious FortiGate and Fortinet Logon rules (#5640 )
Samirbous
2026-01-28 17:56:56 +00:00
cee9f51b6d
[New] Newly Observed Process Exhibiting CPU Spike (#5635 )
Samirbous
2026-01-28 17:38:22 +00:00
8b8c0beec7
Lock versions for releases: 8.19,9.1,9.2,9.3 (#5639 )
dev-v1.5.37
github-actions[bot]
2026-01-28 18:37:52 +05:30
d252cae4ee
Ignore Keep * for ES|QL hash calc (#5638 )
dev-v1.5.36
Eric Forte
2026-01-27 23:01:27 -05:00
2265717c41
chore: Fix lock version for 9.3.2 Release (#5634 )
Eric Forte
2026-01-27 22:38:39 -05:00
070b457659
Test remote_cli update test indices
dev-v1.5.35
Eric Forte
2026-01-27 09:38:19 -05:00
3ee0a72a65
Add investigation guides (#5630 )
shashank-elastic
2026-01-27 14:28:06 +05:30
7ff19b3497
[Rule Tuning] Accepted Default Telnet Port Connection (#5629 )
dev-v1.5.34
Eric Forte
2026-01-26 20:43:23 -05:00
2f9dc7af53
[Rule Tuning] PowerShell Rules Revamp - 2 (#5623 )
Jonhnathan
2026-01-26 19:35:05 -03:00
6843d11b09
[Rule Tuning] PowerShell Rules Revamp - 3 (#5625 )
Jonhnathan
2026-01-26 19:11:29 -03:00
fc55e8b308
[Rule Tuning] PowerShell Rules Revamp - 1 (#5619 )
Jonhnathan
2026-01-26 19:01:48 -03:00
42e7f3b4ce
[New] Multiple Alerts on a Host Exhibiting CPU Spike (#5621 )
Samirbous
2026-01-26 20:42:20 +00:00
b311044624
[Rule Tuning] Entra ID OAuth Phishing via First-Party Microsoft Application (#5610 )
Terrance DeJesus
2026-01-26 14:55:18 -05:00
094f907144
[New] Detection Alert on a Process Exhibiting CPU Spike (#5617 )
Samirbous
2026-01-26 17:42:31 +00:00
6d9eef48b0
[New] Multiple Vulnerabilities by Asset via Wiz (#5598 )
dev-v1.5.33
Samirbous
2026-01-26 17:26:17 +00:00
88e0b14709
[Tuning] ESQL Dynamic unique value fields (#5569 )
Samirbous
2026-01-26 16:34:16 +00:00
edf28367e4
[New] Lateral Movement Alerts from a Newly Observed Entity (#5557 )
Samirbous
2026-01-26 16:21:27 +00:00
6626475119
[Rule Tuning] Several Community DR Issues (#5615 )
Ruben Groenewoud
2026-01-26 17:08:49 +01:00
c5b64c9fbf
[New/Tuning] General API Abuse D4C/K8s Rules (#5591 )
Ruben Groenewoud
2026-01-26 16:59:14 +01:00
57599e3796
[New Rule] Curl SOCKS Proxy Detected via Defend for Containers (#5596 )
Ruben Groenewoud
2026-01-26 16:46:59 +01:00
fe4418d7f5
[New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561 )
Ruben Groenewoud
2026-01-26 16:37:34 +01:00
3b6302a0c5
Update credential_access_multi_could_secrets_via_api.toml (#5618 )
Samirbous
2026-01-26 15:21:18 +00:00
bbe83452b4
Revert "[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578 )" (#5620 )
Mika Ayenson, PhD
2026-01-26 08:31:53 -06:00
7221db6b36
[Tuning] Potential Ransomware Behavior - Note Files by System (#5595 )
Samirbous
2026-01-26 13:15:54 +00:00
30c7833f08
[Tuning] Rare Connection to WebDAV Target (#5604 )
Samirbous
2026-01-26 12:51:09 +00:00
c608b673bf
[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578 )
dev-v1.5.32
Ruben Groenewoud
2026-01-26 13:28:08 +01:00
5b092d7831
[fix] Preserve actions[].params.message field formatting during rule export from the repo (#5597 )
dev-v1.5.31
Sergey Polzunov
2026-01-26 13:04:36 +01:00
3497c7b0b5
[New] Potential Telnet Authentication Bypass (CVE-2026-24061) (#5612 )
Samirbous
2026-01-26 10:18:23 +00:00
5fff45ec93
Added logic to main.py to use the created_at and updated_at values if they exist (#5444 )
Aaron Jewitt
2026-01-26 11:00:45 +01:00
6c555aaba4
[Rule Tuning] Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (#5589 )
Terrance DeJesus
2026-01-24 08:51:23 -05:00
04b99c8ec1
[Rule Tuning] Entra ID OAuth Device Code Flow with Concurrent Sign-ins (#5594 )
Terrance DeJesus
2026-01-23 16:25:51 -05:00
15aacaba70
[Rule Tuning] M365 Threat Intelligence Signal (#5587 )
Terrance DeJesus
2026-01-23 15:45:05 -05:00
8b1764071b
[New] Newly Observed Network Alert (#5585 )
Samirbous
2026-01-23 12:22:21 +00:00