This release contains updates to MITRE tags used in several rules that have been deprecated, removed, or were otherwise invalid. Other changes are enumerated below.
Rules
- [New] MATCH-S00886 Suspicious chmod Execution
- This alert looks for a "chmod" execution on a file that is found on the
/tmpdirectory of a Linux or macOS host. Threat actors may download and copy files to this directory and add execution bits or change permissions on these files.
- This alert looks for a "chmod" execution on a file that is found on the
- [Updated] MATCH-S00516 Antivirus Ransomware Detection
- [Updated] MATCH-S00534 MacOS - Re-Opened Applications
- [Updated] MATCH-S00149 PowerShell File Download
- [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
Log Mappers
- [Updated] Microsoft Defender for Cloud - Security Alerts
- Adds support for Security Alerts via Azure Activity Log
- [Updated] Zscaler - Nanolog Streaming Service - JSON
- Adds alternate values for NSS mappers to ensure proper normalization
- [Updated] Zscaler Firewall
- Adds alternate values for ZScaler Firewall mappers to ensure proper normalization