Commit history, newest first. Each line gives the short hash, any release tag on that commit, the commit subject with its pull-request number, and the author and commit date.

94bb6643fc  [Rule Tuning] AWS Cloudtrail Created/Updated/Suspended/Deleted (#5292)  (Isai, 2025-11-14 02:48:52 -05:00)
f02589c249  [Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion (#5269)  (Isai, 2025-11-14 02:34:28 -05:00)
b3502f77ba  [Rule Tuning] AWS S3 Bucket Configuration Deletion (#5265)  (Isai, 2025-11-14 01:49:14 -05:00)
7b7082e9f4  [New] Command Obfuscation via Unicode Modifier Letters (#5311)  (Samirbous, 2025-11-13 21:29:07 +00:00)
033145adf4 (tag: dev-v1.5.9)  [Bug] Add synthetic properties check to remote ESQL validation (#5308)  (Eric Forte, 2025-11-13 15:25:42 -05:00)
f184b0a237  [Rule Tuning] Azure Diagnostic Settings Deletion (#5253)  (Terrance DeJesus, 2025-11-13 13:49:44 -05:00)
7b6f4864f0  Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)  (Samirbous, 2025-11-13 17:26:29 +00:00)
29d4aeb37a (tag: dev-v1.5.8)  [Bug] [DAC] Auto Gen Schema Fails on Certain Subqueries (#5256)  (Eric Forte, 2025-11-12 11:21:53 -05:00)
700443bc97  [New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)  (Ruben Groenewoud, 2025-11-12 15:45:52 +01:00)
21217e5536  [Rule Tuning] Elastic Agent Service Terminated (#5272)  (Alessandro Stoltenberg, 2025-11-12 12:34:34 +01:00)
7dac1ee803  [Rule Tuning] Microsoft 365 Global Administrator Role Assigned (#5293)  (Terrance DeJesus, 2025-11-11 13:13:07 -05:00)
da9bfd0abc  MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 (#5280)  (veritasr3x, 2025-11-11 16:26:14 +01:00)
32fb003781 (tag: dev-v1.5.7)  Lock versions for releases: 8.19, 9.0, 9.1, 9.2 (#5300)  (github-actions[bot], 2025-11-11 18:58:05 +05:30)
e938ecf41a (tag: dev-v1.5.6)  Refresh Manifest and Schemas November Update (#5298)  (shashank-elastic, 2025-11-11 18:04:20 +05:30)
29393f2ca4  [New] New USB Storage Device Mounted (#5299)  (Samirbous, 2025-11-11 09:28:54 +00:00)
1280e0854a  [New Rule] Potential SSH Password Grabbing via strace (#5294)  (Ruben Groenewoud, 2025-11-11 09:35:34 +01:00)
4e1c8f677c  [Tuning] Add mv_expand for gen_ai.policy.action field (#5296)  (Mika Ayenson, PhD, 2025-11-10 20:07:40 -06:00)
34bd88a37e  [Tuning] Potential Ransomware Behavior - Note Files by System (#5235)  (Samirbous, 2025-11-10 18:22:37 +00:00)
085ef447e8  [New] Windows Server Update Service Spawning Suspicious Processes (#5250)  (Samirbous, 2025-11-10 18:10:32 +00:00)
28f227ab6f  [Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules (#5229)  (Isai, 2025-11-10 12:08:31 -05:00)
56c40b18f0  Ignore agentless executions in agent_id_status events. (#5295)  (shashank-elastic, 2025-11-10 22:18:51 +05:30)
4d89eab189  [Rule Tuning] AWS S3 Bucket Server Access Logging Disabled (#5254)  (Isai, 2025-11-10 11:36:55 -05:00)
70ee55d07d  [Rule Tuning] AWS S3 Bucket Expiration Lifecycle Configuration Added (#5251)  (Isai, 2025-11-10 11:25:06 -05:00)
cc5387d566  [New Rule][Deprecation] AWS EC2 Export Task Rules (#5248)  (Isai, 2025-11-10 11:15:13 -05:00)
5b386e0a8f  [Rule Tuning] AWS EC2 Full Network Packet Capture Detected (#5244)  (Isai, 2025-11-10 10:49:17 -05:00)
57facddd32  [Rule Tuning] File Transfer or Listener Established via Netcat (#5223)  (Ruben Groenewoud, 2025-11-10 16:11:16 +01:00)
37e18af7a5  [Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232)  (Ruben Groenewoud, 2025-11-10 16:03:39 +01:00)
bb38e2558a  [New Rule] Privilege Escalation via SUID/SGID Proxy Execution (#5266)  (Ruben Groenewoud, 2025-11-10 11:41:38 +01:00)
62d7316e85  [Rule Tuning] AWS S3 Object Versioning Suspended (#5261)  (Isai, 2025-11-07 17:09:24 -05:00)
477df5c635  [Rule Tuning] AWS S3 Static Site Javascript File Uploaded (#5264)  (Isai, 2025-11-07 17:00:56 -05:00)
ee06afd9e1  [Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account / to Allow Public Access (#5268)  (Isai, 2025-11-07 16:25:05 -05:00)
3a52db299e  [Rule Tuning] M365 Impossible / Atypical Travel FN (#5267)  (Terrance DeJesus, 2025-11-04 11:29:25 -05:00)
598e5c363f  [New] Suspicious Kerberos Authentication Ticket Request (#5260)  (Samirbous, 2025-11-03 15:44:13 +00:00)
f52aedf41d  Update tj-actions/changed-files action to v46.0.5 (#5097)  (elastic-renovate-prod[bot], 2025-10-28 21:07:33 +05:30)
c6f1c90c2f  Update Release Fleet and Lock versions to use ESQL Remote Validation (#5245)  (shashank-elastic, 2025-10-27 21:05:16 +05:30)
7604c20d9e (tag: dev-v1.5.5)  [FR] Add ESQL rules to dataset exception (#5249)  (Eric Forte, 2025-10-27 11:03:48 -04:00)
9345e0ec27 (tag: dev-v1.5.4)  Add unit test for protected prebuilt-rules (#5242)  (shashank-elastic, 2025-10-24 19:15:52 +05:30)
566242772f (tag: dev-v1.5.3)  Remove toml filtering for branches (#5243)  (Eric Forte, 2025-10-23 12:53:15 -04:00)
b9b8e24514 (tag: dev-v1.5.2)  Lock versions for releases: 8.19, 9.0, 9.1, 9.2 (#5234)  (github-actions[bot], 2025-10-17 22:10:05 +05:30)
3c56a72cd4  Update Splunk Schemas for pre-release versions to support 9.0 Kibana versions (#5233)  (shashank-elastic, 2025-10-17 21:22:37 +05:30)
818978975d (tag: dev-v1.5.1)  Prep 9.2 (#5231)  (shashank-elastic, 2025-10-17 21:01:13 +05:30)
b24c6111ed  [New Rule] Azure Compute Restore Point Collection Deleted (#5217)  (Terrance DeJesus, 2025-10-17 10:49:38 -04:00)
93f539cc92  [New Rule] Azure Storage Account Deletion (#5200)  (Terrance DeJesus, 2025-10-17 10:26:00 -04:00)
a56b0d9e23  [New Rule] Azure Recovery Services Deletion (#5214)  (Terrance DeJesus, 2025-10-17 10:11:10 -04:00)
f58e833106  [Rule Tuning] Suspicious Entra ID OAuth User Impersonation Scope Detected (#5190)  (Terrance DeJesus, 2025-10-17 09:52:40 -04:00)
a3cb002ef4  [Rule Tuning] Potential CVE-2025-32463 Sudo Chroot Execution Attempt (#5227)  (Ruben Groenewoud, 2025-10-17 09:29:17 +02:00)
1653183cd4  [New Rule] Entra ID Protection Admin Confirmed Compromise (#5186)  (Terrance DeJesus, 2025-10-16 14:29:28 -04:00)
551252099d  [Rule Tuning] AWS User Created Access Keys For Another User (#5212)  (Isai, 2025-10-16 12:57:57 -04:00)
7e1f815334  [Rule Tuning][New BBR Rule] AWS Sign-In Token Creation and Console Login (#5197)  (Isai, 2025-10-16 12:47:30 -04:00)
5f60e21ece  [Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User (#5215)  (Isai, 2025-10-16 12:22:56 -04:00)
fd64bc4c7a  [New Rule] Azure Storage Blob Retrieval via AzCopy (#5179)  (Terrance DeJesus, 2025-10-16 12:00:55 -04:00)
c7246313f7 (tag: dev-v1.5.0)  feat: ESQL query validation against Elastic cluster (#4955)  (Sergey Polzunov, 2025-10-15 21:17:07 +02:00)
00ed573623  [Rule Tuning][Deprecation] AWS Root Console Login Rules (#5201)  (Isai, 2025-10-15 14:16:02 -04:00)
83e36854f0  [Rule Tunings] AWS Root Access Rules (#5218)  (Isai, 2025-10-15 13:58:32 -04:00)
64a8290b37  [New] Potential Command Shell via NetCat (#5221)  (Samirbous, 2025-10-15 12:30:09 +01:00)
871cfb61b7  [Rule Tuning] Excessive Secret or Key Retrieval from Azure Key Vault (#5220)  (Mika Ayenson, PhD, 2025-10-14 12:53:02 -05:00)
574c8d67ea  [Tuning] Simple HTTP Web Server Connection (#5209)  (Samirbous, 2025-10-13 15:01:38 +01:00)
a5c100a65b (tag: dev-v1.4.12)  [Bug] Add unit tests and fix Alert Suppression schema validation for ThresholdQueryRuleData (#5196)  (Eric Forte, 2025-10-09 16:21:21 -04:00)
ebb7bb5bce (tag: dev-v1.4.11)  Update Package Category (#5192)  (shashank-elastic, 2025-10-08 19:26:11 +05:30)
a31fb00614  [Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)  (Jonhnathan, 2025-10-07 12:40:23 -03:00)
49637fbfc7 (tag: dev-v1.4.10)  Lock versions for releases: 8.18, 8.19, 9.0, 9.1 (#5188)  (github-actions[bot], 2025-10-06 22:14:15 +05:30)
3397b7e707 (tag: dev-v1.4.9)  Monthly Schema Updates (#5187)  (shashank-elastic, 2025-10-06 21:39:14 +05:30)
b73e6e2a57  [Rule Tuning] AWS S3 Bucket Enumeration or Brute Force (#5173)  (Isai, 2025-10-06 11:53:41 -04:00)
8eb32f96ce  Update privilege_escalation_sts_role_chaining.toml (#5180)  (Isai, 2025-10-06 11:29:41 -04:00)
db1f8d1fab  [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5149)  (Isai, 2025-10-06 10:33:51 -04:00)
2931d75692  [New Rule] Azure RBAC Built-In Administrator Roles Assigned (#5113)  (Terrance DeJesus, 2025-10-06 09:38:56 -04:00)
d6b6f99b27  [New Rule] Azure Storage Account Blob Public Access Enabled (#5139)  (Terrance DeJesus, 2025-10-06 09:15:07 -04:00)
ca640a62ab  [New Rule] Entra ID Actor Token User Impersonation Abuse (#5136)  (Terrance DeJesus, 2025-10-06 08:57:36 -04:00)
87b6a80e01  [Tuning] Azure Entra ID Rare App ID for Principal Authentication (#5184)  (Terrance DeJesus, 2025-10-06 08:49:31 -04:00)
949cb751ca  [New Rule] Attempt to Clear Logs via Journalctl (#5170)  (Ruben Groenewoud, 2025-10-06 13:52:25 +02:00)
1833d2e7a0  Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#5163)  (Terrance DeJesus, 2025-10-06 07:19:22 -04:00)
25880e73da  [New Rule] Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt (#5166)  (Ruben Groenewoud, 2025-10-06 13:01:57 +02:00)
be3af09d9d  [Rule Tuning] Misc. Linux Community Tunings (#5160)  (Ruben Groenewoud, 2025-10-06 12:05:59 +02:00)
29c4c19d59  [Tuning] Startup or Run Key Registry Modification (#5137)  (Samirbous, 2025-10-06 09:24:33 +01:00)
b4e9b48ad7  [New] Suspicious SeIncreaseBasePriorityPrivilege Use (#5150)  (Samirbous, 2025-10-03 16:52:32 +01:00)
66a0b6b97c  [Tuning] Potential Ransomware Behavior - High count of Readme files by System (#5167)  (Samirbous, 2025-10-02 17:39:51 +01:00)
5d69eb19ba  [New Rules] Potential CVE-2025-32463 Exploitation (#5169)  (Ruben Groenewoud, 2025-10-01 11:25:22 +02:00)
b474a81ead  [Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows (#5155)  (Terrance DeJesus, 2025-09-30 15:51:50 -04:00)
b451ff8e4c  [Rule Tuning] Update Azure / M365 Mappings (#5153)  (Terrance DeJesus, 2025-09-30 12:58:25 -04:00)
dcb4334e6f  [Rule Tuning] Azure AD Global Administrator Role Assigned (#5090)  (Terrance DeJesus, 2025-09-30 12:37:01 -04:00)
8319b7f5d8  [Rule Tuning] Potential Port Scanning Activity from Compromised Host (#5161)  (Ruben Groenewoud, 2025-09-30 16:35:41 +02:00)
7410ec7db9 (tag: dev-v1.4.8)  [Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)  (Eric Forte, 2025-09-30 00:36:29 -04:00)
42be8bc8ba (tag: dev-v1.4.7)  [Bug] Add Required to the Annotation (#5159)  (Eric Forte, 2025-09-29 18:30:50 -04:00)
53a2233e9b  [New Rule] Node.js Pre or Post-Install Script Execution (#5131)  (Ruben Groenewoud, 2025-09-29 21:48:47 +02:00)
0c739da6b9  [New Rule] Azure Storage Account Keys Accessed by Privileged User (#5141)  (Terrance DeJesus, 2025-09-29 12:20:31 -04:00)
9f5793759c  [New Rule] GitHub Authentication Token Access via Node.js (#5130)  (Ruben Groenewoud, 2025-09-24 20:48:19 +02:00)
1636a8ffea  [New Rule] Credential Access via TruffleHog Execution (#5129)  (Ruben Groenewoud, 2025-09-24 20:40:01 +02:00)
bb08af542a  [Rule Tuning] Microsoft Entra ID Elevated Access to User Access Administrator (#5107)  (Terrance DeJesus, 2025-09-22 13:20:58 -04:00)
f75062a855  [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#5134)  (Jonhnathan, 2025-09-22 10:03:41 -03:00)
cd6c37e3b9  [Rule Tuning] Mark some fields optional for 3rd-party compatibility (#5135)  (Jonhnathan, 2025-09-22 09:43:10 -03:00)
53b4e92861  [New Rule] Curl or Wget Spawned via Node.js (#5132)  (Ruben Groenewoud, 2025-09-22 10:58:07 +02:00)
e147188939 (tag: dev-v1.4.6)  Add SIEM package category (#5128)  (shashank-elastic, 2025-09-18 19:15:53 +05:30)
db688e43b3  [New] Microsoft Entra ID Protection Alert and Device Registration (#4688)  (Samirbous, 2025-09-18 09:54:47 +01:00)
80c01cf665 (tag: dev-v1.4.5)  [Bug] Annotated Fields Ignored (#5125)  (Eric Forte, 2025-09-17 17:34:42 -04:00)
8f79d58f3f (tag: dev-v1.4.4)  Lock versions for releases: 8.18, 8.19, 9.0, 9.1 (#5123)  (github-actions[bot], 2025-09-16 19:56:59 +05:30)
657b504f46  Update investigation guides (#5112)  (shashank-elastic, 2025-09-16 18:34:37 +05:30)
99ebad576b (tag: dev-v1.4.3)  Added handling for unauth error (#5115)  (Eric Forte, 2025-09-16 08:55:10 -04:00)
b2b9d677c7 (tag: dev-v1.4.2)  [Bug] Github Gist API Now Requires Auth (#5119)  (Eric Forte, 2025-09-16 08:18:48 -04:00)
4476ac52a8  [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)  (Jonhnathan, 2025-09-15 09:38:03 -07:00)
7bd9c52852  [Rule Tuning] Windows High Severity - 5 (#5096)  (Jonhnathan, 2025-09-15 09:29:37 -07:00)