September 19, 2024 - Content Release
This content release includes:
- Updates to 111 rules to improve the user experience by removing often lengthy command lines from rule summary expressions (retained in record and signal).
- Deletion of a low efficacy rule.
- Mapping updates to better employ normalized classification fields across data sources.
- Adds alternate case handling for Windows Security Event Log error codes.
- Updates to LastPass parsing and mapping to support Reporting and Failed Logon events.
- Adds support for Thinkst Canary JSON logging.
- Adjusts time handling for Thinkst Canary Syslog.
Other changes are enumerated below.
Rules
- [Deleted] LEGACY-S00180 DNS query for dynamic DNS provider
- [Updated] MATCH-S00814 Abnormal Child Process - sdiagnhost.exe - CVE-2022-30190
- [Updated] MATCH-S00660 Anomalous AWS User Executed a Command on ECS Container
- [Updated] MATCH-S00388 COMPlus_ETWEnabled Command Line Arguments
- [Updated] MATCH-S00727 CPL File Executed from Temp Directory
- [Updated] MATCH-S00412 Command Line Execution with Suspicious URL and AppData Strings
- [Updated] MATCH-S00658 Container Management Utility in Container
- [Updated] MATCH-S00410 Copy from Admin Share
- [Updated] MATCH-S00443 Create Windows Share
- [Updated] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
- [Updated] MATCH-S00526 Credential Dumping Via Symlink To Shadow Copy
- [Updated] MATCH-S00348 Curl Start Combination
- [Updated] MATCH-S00385 DTRACK Process Creation
- [Updated] MATCH-S00441 Delete Windows Share
- [Updated] MATCH-S00543 Detect Psexec With Accepteula Flag
- [Updated] MATCH-S00319 Dridex Process Pattern
- [Updated] MATCH-S00590 Elise Backdoor
- [Updated] MATCH-S00392 File or Folder Permissions Modifications
- [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
- [Updated] FIRST-S00059 First Seen esentutl command From User
- [Updated] FIRST-S00041 First Seen networksetup Usage from User
- [Updated] FIRST-S00058 First Seen vssadmin command From User
- [Updated] FIRST-S00060 First Seen wbadmin command From User
- [Updated] FIRST-S00008 First Seen whoami command From User
- [Updated] MATCH-S00414 Grabbing Sensitive Hives via Reg Utility
- [Updated] MATCH-S00325 Greenbug Campaign Indicators
- [Updated] MATCH-S00367 Impacket Lateralization Detection
- [Updated] MATCH-S00482 Impacket-Obfuscation SMBEXEC Utility
- [Updated] MATCH-S00483 Impacket-Obfuscation WMIEXEC Utility
- [Updated] MATCH-S00322 Judgement Panda Credential Access Activity
- [Updated] MATCH-S00334 Judgement Panda Exfil Activity
- [Updated] MATCH-S00651 Kubernetes CreateCronjob
- [Updated] MATCH-S00652 Kubernetes DeleteCronjob
- [Updated] MATCH-S00650 Kubernetes ListCronjobs
- [Updated] MATCH-S00648 Kubernetes ListSecrets
- [Updated] MATCH-S00647 Kubernetes Pod Deletion
- [Updated] MATCH-S00649 Kubernetes Service Account Token File Accessed
- [Updated] MATCH-S00461 LNKSmasher Utility Commands
- [Updated] MATCH-S00746 Loadable Kernel Module Dependency Install
- [Updated] MATCH-S00745 Loadable Kernel Module Enumeration
- [Updated] MATCH-S00723 Loadable Kernel Module Modifications
- [Updated] MATCH-S00352 MSHTA Suspicious Execution
- [Updated] MATCH-S00534 MacOS - Re-Opened Applications
- [Updated] MATCH-S00729 MacOS Gatekeeper Bypass
- [Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
- [Updated] MATCH-S00161 Malicious PowerShell Get Commands
- [Updated] MATCH-S00190 Malicious PowerShell Invoke Commands
- [Updated] MATCH-S00198 Malicious PowerShell Keywords
- [Updated] MATCH-S00331 MavInject Process Injection
- [Updated] MATCH-S00466 MsiExec Web Install
- [Updated] MATCH-S00288 NotPetya Ransomware Activity
- [Updated] MATCH-S00698 PATH Set to Current Directory
- [Updated] MATCH-S00659 Package Management Utility in Container
- [Updated] MATCH-S00697 Pkexec Privilege Escalation - CVE-2021-4034
- [Updated] MATCH-S00149 PowerShell File Download
- [Updated] MATCH-S00449 Powershell Execution Policy Bypass
- [Updated] MATCH-S00427 Process Dump via Rundll32 and Comsvcs.dll
- [Updated] MATCH-S00439 Psr.exe Capture Screenshots
- [Updated] MATCH-S00167 Recon Using Common Windows Commands
- [Updated] MATCH-S00346 Ryuk Ransomware Endpoint Indicator
- [Updated] MATCH-S00506 SC Exe Manipulating Windows Services
- [Updated] MATCH-S00153 Scheduled Task Created via PowerShell
- [Updated] MATCH-S00529 Schtasks Scheduling Job On Remote System
- [Updated] MATCH-S00530 Schtasks Used For Forcing A Reboot
- [Updated] MATCH-S00359 Suspicious Certutil Command
- [Updated] MATCH-S00356 Suspicious Compression Tool Parameters
- [Updated] MATCH-S00362 Suspicious Curl File Upload
- [Updated] MATCH-S00476 Suspicious Execution of Search Indexer
- [Updated] MATCH-S00464 Suspicious Non-Standard InstallUtil Execution
- [Updated] MATCH-S00191 Suspicious PowerShell Keywords
- [Updated] MATCH-S00431 Suspicious Use of Procdump
- [Updated] MATCH-S00477 Suspicious Use of Workflow Compiler for Payload Execution
- [Updated] MATCH-S00342 Suspicious use of Dev-Tools-Launcher
- [Updated] MATCH-S00279 TAIDOOR RAT DLL Load
- [Updated] MATCH-S00531 Unload Sysmon Filter Driver
- [Updated] MATCH-S00762 Unusual Staging Directory - PolicyDefinitions
- [Updated] MATCH-S00761 Volume Shadow Copy Service Stopped
- [Updated] MATCH-S00147 WMI Managed Object Format (MOF) Process Execution
- [Updated] MATCH-S00760 WMI Ping Sweep
- [Updated] MATCH-S00146 WMI Process Call Create
- [Updated] MATCH-S00151 WMI Process Get Brief
- [Updated] MATCH-S00379 WMIExec VBS Script
- [Updated] MATCH-S00400 Web Download via Office Binaries
- [Updated] MATCH-S00539 Web Servers Executing Suspicious Processes
- [Updated] MATCH-S00174 Web Services Executing Common Web Shell Commands
- [Updated] MATCH-S00284 Windows - Delete Windows Backup Catalog
- [Updated] MATCH-S00181 Windows - Domain Trust Discovery
- [Updated] MATCH-S00168 Windows - Local System executing whoami.exe
- [Updated] MATCH-S00162 Windows - Network trace capture using netsh.exe
- [Updated] MATCH-S00159 Windows - Permissions Group Discovery
- [Updated] MATCH-S00268 Windows - Possible Impersonation Token Creation Using Runas
- [Updated] MATCH-S00276 Windows - Possible Squiblydoo Technique Observed
- [Updated] MATCH-S00281 Windows - PowerShell Process Discovery
- [Updated] MATCH-S00171 Windows - Powershell Scheduled Task Creation from PowerSploit or Empire
- [Updated] MATCH-S00185 Windows - Remote System Discovery
- [Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
- [Updated] MATCH-S00170 Windows - Scheduled Task Creation
- [Updated] MATCH-S00192 Windows - System Network Configuration Discovery
- [Updated] MATCH-S00194 Windows - System Time Discovery
- [Updated] MATCH-S00172 Windows - WiFi Credential Harvesting with netsh
- [Updated] MATCH-S00532 Windows Adfind Exe
- [Updated] MATCH-S00552 Windows Connhost Started Forcefully
- [Updated] MATCH-S00398 Windows Defender Download Activity
- [Updated] MATCH-S00179 Windows Network Sniffing
- [Updated] MATCH-S00157 Windows Process Name Impersonation
- [Updated] MATCH-S00178 Windows Query Registry
- [Updated] MATCH-S00533 Windows Security Account Manager Stopped
- [Updated] LEGACY-S00171 Windows Service Executed from Nonstandard Execution Path
- [Updated] MATCH-S00724 Windows Update Agent DLL Changed
- [Updated] MATCH-S00382 Winnti Pipemon Characteristics
- [Updated] MATCH-S00435 XSL Script Processing
- [Updated] MATCH-S00726 macOS Kernel Extension Load
Log Mappers
- [New] LastPass Failed Login Attempt
- [New] LastPass Reporting
- [Updated] Thinkst Canary Parser - Catch All
- Removed time handling from mapper to favor parser time handling
- [Updated] 1Password Item Audit Actions
- [Updated] 1Password Item Usage Actions
- [Updated] AWS Config - Custom Parser
- [Updated] AWS EKS - Custom Parser
- [Updated] AWS Inspector - Custom Parser
- [Updated] AWS Route 53 Logs
- [Updated] AWS S3 Server Access Log - Custom Parser
- [Updated] AWS Security Hub
- [Updated] AWSGuardDuty - Audit Events
- [Updated] AWSGuardDuty - AwsServiceEvent-AWS API Call via CloudTrail
- [Updated] AWSGuardDuty - Reconnaissance and malicious activity detection
- [Updated] AWSGuardDuty - Tor Client and Relay
- [Updated] AWSGuardDuty - UnauthorizedAccess_EC2_TorIPCaller
- [Updated] AWSGuardDuty_Catch_All
- [Updated] Adaxes - Custom Parser
- [Updated] ApplicationGatewayAccessLog
- [Updated] ApplicationGatewayFirewallLog
- [Updated] Aqua Runtime Policy Match
- [Updated] Azure Appplication Service Console Logs
- [Updated] Azure AuditEvent logs
- [Updated] Azure Event Hub - Windows Defender Logs
- [Updated] Azure Firewall Application Rule
- [Updated] Azure Firewall DNS Proxy
- [Updated] Azure Firewall Network Rule
- [Updated] Azure NSG Flows
- [Updated] Azure Policy Logs
- [Updated] AzureActivityLog
- [Updated] AzureActivityLog 01
- [Updated] AzureActivityLog AuditLogs
- [Updated] AzureDevOpsAuditing
- [Updated] Cato Networks Audits
- [Updated] CloudTrail - cloudtrail.amazonaws.com - CreateTrail
- [Updated] Cyber Ark EPM AggregateEvent
- [Updated] Druva Cyber Resilience - Catch All
- [Updated] GCP App Engine Logs
- [Updated] GCP Audit Logs
- [Updated] GCP IDS
- [Updated] GCP Parser - Load Balancer
- [Updated] Google Security Command Center
- [Updated] JumpCloud IdP - Catch All
- [Updated] Kaltura Audits
- [Updated] Microsoft Defender for Cloud - Security Alerts
- [Updated] Microsoft Office 365 AzureActiveDirectory Events
- [Updated] Microsoft Office 365 MicrosoftStream Events
- [Updated] Microsoft Office 365 PowerApps Events
- [Updated] Microsoft Office 365 Sway Events
- [Updated] Microsoft Office 365 Teams Events
- [Updated] Microsoft Office 365 Yammer Events
- [Updated] MicrosoftGraphActivityLogs
- [Updated] Office 365 - MicrosoftFlow
- [Updated] Office 365 - Security Compliance Alerts
- [Updated] Osquery Catchall
- [Updated] Osquery FIM
- [Updated] Osquery Process Auditing
- [Updated] Osquery Socket Events
- [Updated] Osquery Startup Items
- [Updated] Palo Alto Config - Custom Parser
- [Updated] Palo Alto Threat Spyware - Custom Parser
- [Updated] RSA SecurID Runtime Authn Logout
- [Updated] RSA SecurID Runtime Catchall
- [Updated] UnauthorizedAccess_EC2_SSHBruteForce
- [Updated] Windows - Security - 4625
- [Updated] Windows - Security - 4634
Parsers
- [New] /Parsers/System/Thinkst Canary/Thinkst Canary JSON
- [Updated] /Parsers/System/LastPass/LastPass
- [Updated] /Parsers/System/Thinkst Canary/Thinkst Canary
- Updated time handling to use
_messagetime
metadata
- Updated time handling to use