Starting with this release, the rule type for First Seen rules is now "Anomaly", and Outlier Rules have been promoted from prototype mode.
NOTE: Due to performance and efficacy findings, OUTLIER-S00012 will be deleted on July 28th. If you wish to retain this rule, it must be duplicated in the CSE Rules UI.
Rules
- [Updated] OUTLIER-S00001 Spike in login failures from a user
- Removed incorrect match list from expression.
- Will remain in prototype an additional week due to changes made to the rule expression.
- [Updated] OUTLIER-S00002 Spike in Successful Distinct Share Access
- [Updated] OUTLIER-S00003 Spike in Failed Share Access by User
- [Updated] OUTLIER-S00004 Spike in Azure Firewall Deny Events from Source IP
- [Updated] OUTLIER-S00005 Spike in AWS API Call from User
- [Updated] OUTLIER-S00006 Spike in Data Transferred Outbound by User
- [Updated] OUTLIER-S00007 Spike in Windows Administrative Privileges Granted for User
- [Updated] OUTLIER-S00008 Spike in Failed Azure Sign In Attempts Due to Bad Password from IP Address
- [Updated] OUTLIER-S00009 Spike in PowerShell Command Line Length From Host
- [Updated] OUTLIER-S00010 Spike in URL Length from IP Address
- [Updated] OUTLIER-S00011 Spike in AWS AccessDenied Events by assumedrole
Schema
- [New] http_referer_queryParameters
- New queryParameters enrichment/mappable field
- [New] http_url_queryParameters
- New queryParameters enrichment/mappable field
- [New] objectClassification
- Allows objectClassification to be used in CSE rule expressions.