This release includes new detections for macOS systems and mapping support for Dataminr Alerts. It also includes fixes aimed to reduce false positivity and correct the transposition of description and summary on several rules. Other changes are enumerated below.
Rules
- [New] CHAIN-S00016 macOS - Suspicious Osascript Execution and Network Activity
- [New]* FIRST-S00039 First Seen mdfind Usage from User
- [New]* FIRST-S00041 First Seen networksetup Usage from User
- [New]* FIRST-S00042 First Seen Ioreg Usage from User
- [New]* FIRST-S00043 First Seen pbpaste Usage from User
- [New] MATCH-S00878 macOS - Suspicious Osascript Parent Execution
- [New] MATCH-S00879 macOS - Suspicious Osascript Execution
- [New] MATCH-S00880 macOS - Entitlement Enumeration via Xattr
- [New]* MATCH-S00881 macOS - csrutil status Usage Detected
- [New] MATCH-S00882 macOS - System Preference Enumeration via Security Binary
- [New] MATCH-S00883 macOS - Keychain Enumeration
- [New] MATCH-S00884 macOS - Suspicious Python PIP Execution
- [New] MATCH-S00885 macOS - Screen Sharing Session Established
- [New]* MATCH-S00886 Suspicious chmod Execution
* These rules were originally released September 1, but have been updated in this release.
Log Mappers
- [New] Dataminr Alerts
- [Updated] Squid Proxy - Parser
- Updated mapper to take advantage of additional parsed data (see parser updates)
Parsers
- [Updated] /Parsers/System/Squid/Squid Proxy Syslog
- Updated parser to extract port and protocol information from URL when present