August 23, 2024 - Content Release
This content release includes:
- Updates to rules to improve the user experience
- Specific updates are enumerated and summarized below
note
Rule DNS query for dynamic DNS provider (LEGACY-S00180) is slated for removal the week of 2024-09-02. The rule is being removed from global content due to the untenable nature of maintaining the list of dynamic DNS providers within the rule expression. To retain this rule, it must be duplicated prior to the date of removal.
Rules
- [Updated] MATCH-S00816 Interactive Logon to Domain Controller
- Updated expression match list to use new
domain_controllers_hostnames
instead ofdomain_controllers
which was generating false positives due to IP dependency.
- Updated expression match list to use new
- [Updated] LEGACY-S00105 Suspicious DC Logon
- Updated expression match list to use new
domain_controllers_hostnames
instead ofdomain_controllers
which was generating false positives due to IP dependency.
- Updated expression match list to use new
srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid null
values for the following rules:
- [Updated] MATCH-S00874 AWS Lambda Function Recon
- [Updated] MATCH-S00825 AWS Secrets Manager Enumeration
- [Updated] MATCH-S00513 Critical Severity Intrusion Signature
- [Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks
- [Updated] MATCH-S00666 High Severity Intrusion Signature
- [Updated] MATCH-S00669 Informational Severity Intrusion Signature
- [Updated] MATCH-S00668 Low Severity Intrusion Signature
- [Updated] MATCH-S00667 Medium Severity Intrusion Signature
- [Updated] THRESHOLD-S00095 Password Attack
Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:
- [Updated] MATCH-S00429 LSASS Memory Dumping +
- [Updated] MATCH-S00161 Malicious PowerShell Get Commands +
- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands +
- [Updated] MATCH-S00198 Malicious PowerShell Keywords +
- [Updated] MATCH-S00191 Suspicious PowerShell Keywords +
- [Updated] MATCH-S00431 Suspicious Use of Procdump +
- [Updated] MATCH-S00583 WCE wceaux.dll Access +
- [Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected +
- [Updated] MATCH-S00291 Windows Credential Editor (WCE) in use +
Added exclusion to match expression for OneDrive
to reduce false positives and removed fields producing nulls in the signal summary for the following rules:
- [Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
- [Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User
- [Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
- [Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents