November 7, 2024 - Content Release
This content release includes:
- New detection rules.
- Updates to existing detection rules to correct rule logic and reduce false positives.
- New parsing and mapping support for Automox, WatchGuard Firewall, and Digital Guardian ARC.
- Update to existing AWS Application Load Balancer parsing and mapping to support Connection logs.
- Update to MITRE ATT&CK tag schema to support ATT&CK v16.0.
Changes are enumerated below.
Rules​
- [New] CHAIN-S00018 Autorun file created after USB disk mount on host
- This signal looks for a USB drive being mounted on a Windows host followed by a file creation event with the file name of "autorun.inf" within a 5-minute time frame. This activity could be indicative of an attempt at lateral movement or initial access avenues through a USB device. Ensure that the machine in question is authorized to use USB devices and look for other file creation events from this host around the same time frame.
- [New] FIRST-S00071 First Seen AWS ConsoleLogin by User
- First observance of a user logging on to the Amazon AWS console. This could be indicative of new administrator onboarding, or an unauthorized access to the AWS console. Recommended to investigate the nature of the user account and the login.
- [New] FIRST-S00080 First Seen Azure Portal access by User
- First observance of a user logging on to the Microsoft Azure Portal. This could be indicative of new user onboarding, or an unauthorized access to the Azure portal. Recommended to investigate the nature of the user account and the login.
- [New] FIRST-S00073 First Seen Get-ADDefaultDomainPasswordPolicy
- The first observed execution of the PowerShell CMDLet Get-ADDefaultDomainPasswordPolicy on this host. This CMDLet can be used in the discovery of Windows Domain Password Policies by threat actors. Investigating the host and active users for additional activity around the time of execution is recommended.
- [New] FIRST-S00072 First Seen Group Policy Discovery Operation
- This detection is a first observed execution of Windows process or PowerShell commands that can be run by users or administrators in order to gather password policy and other types of system information in an enterprise environment. The detections in this signal are based off variations found in Atomic Red Team test cases. Reference: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md. Look at the command line and parent process details of the signal in order to determine if this execution is legitimate or part of system provisioning or systems administration operations.
- [New] FIRST-S00076 First Seen Net Command Use on Host
- Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the first observance of a Net related command on a system related to these discovery tactics. It is recommended to investigate the host and user to determine if this is authorized admin activity or needs further inspection.
- [New] FIRST-S00065 First Seen Successful Authentication From Unexpected Country
- First Seen rule which triggers when there are at least two successful logins from the same user with different country codes indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses.(If degradation issues occur it is recommendation implementing tuning around your expected network.)
- [New] FIRST-S00074 First Seen driverquery execution on host
- First observed execution of the driverquery command on the following device host:
{{device_hostname}}. Driverquery is a useful command for an attacker to enumerate local device drivers to determine next steps in the attack. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
- First observed execution of the driverquery command on the following device host:
- [New] FIRST-S00079 First Seen gpresult execution on host
- This detection is first observed execution of gpresult on a host. This command may be used by attackers to access detailed password policy information in an enterprise environment. Vulnerability scanners and automated processes may trigger this detection. It is recommended to identify and filter these processes out using a Tuning Expression for the corresponding baseImage. On detection, investigate the host and process executing the command to assist in understanding the context of the execution.
- [New] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
- This signal looks for a new Client ID value ( mapped to the
user_usernamefield ) and ASN combination being issued an OIDC token, excluding the Okta Browser Plugin and Okta Dashboard. Use the Okta admin portal and look at the "Applications" section to cross-reference the Client ID value. Ensure that the IP address that is requesting the token is known and that this operation is expected and authorized.
- This signal looks for a new Client ID value ( mapped to the
- [New] FIRST-S00068 Okta - First Seen User Accessing Admin Application
- A user not seen since the baseline period has accessed the Okta admin application. Ensure that this user is expected to perform Okta administrative activities. If this user is expected and authroized, consider adding the user to the "Okta_Admins" match list to exclude the user from this signal.
- [New] FIRST-S00066 Okta - First Seen User Requesting Report
- This signal looks for a first seen user requesting an export of an Okta report. The various Okta report types can be found in the “Reports” section of the Okta administrative portal and can include various report types such as application password help, MFA usage, and reports around user access. During the October 2023 Okta incident, threat actors downloaded reports from Okta portals to extract information regarding user contact information. Ensure that the user that is requesting such reports is authorized and that this activity is expected. If a suspicious report generation event occurs, look at the “target” element within the event to gain more detailed information as to the type of report being generated and exported.
- [New] OUTLIER-S00018 Okta - Outlier in ASNs Used to Access Applications
- This signal looks for an outlier in the number of distinct autonomous system numbers (ASNs) that a particular user utilizes to access Okta resources within an hour time period. This is designed to alert on various forms of token or credential theft as well as general Okta session anomalies.
- [New] OUTLIER-S00017 Okta - Outlier in MFA Attempts Denied by User
- This signal builds an hourly baseline of MFA denied events per user and triggers when an outlier in the number of denied attempts is detected. This signal is designed to trigger on MFA-fatigue type attacks. If false positives are detected, consider excluding certain users from the alerting logic or raise the minimum count value within the rule configuration.
- [New] OUTLIER-S00016 Okta - Outlier in OIDC token request failures
- This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. Use the Okta admin portal to correlate the Client ID (mapped to
user_username) to determine what application is being targeted. Pivot off the Client ID and IP address values to examine the raw Okta events in order to ensure that this activity is planned and expected. This activity can occur during setup and development of Okta applications and integrations.
- This signal looks for an outlier in the number of OpenID Connect (OIDC) token request failures for an Okta client application. Use the Okta admin portal to correlate the Client ID (mapped to
- [New] OUTLIER-S00013 Outlier in Data Outbound Per Day by Admin or Sensitive Device
- A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
- [New] OUTLIER-S00015 Outlier in Data Outbound Per Hour by Admin or Sensitive Device
- A larger than typical amount of data has been observed being sent outbound from a Sensitive Device or an Admin user. It is recommended to investigate the device associated with this IP, the Internet destinations, and traffic associated with this anomalous behavior. A normalized record search for the source IP and external network traffic within the period of time of the detection will help identify suspicious activity. This rule is dependent on the Match Lists "domain_controllers" and "admin_usernames" being populated with the sensitive device IPs and admin usernames. Additionally, Entity Tagging offers a similar and extensible alternative to Match Lists. To add more sensitive Match Lists or Entity Tagging, use Rule Tuning Expressions. For further customization, consider adjusting the severity of this rule and/or using entity severity as needed to increase the severity of this rule.
- [Updated] THRESHOLD-S00095 Password Attack
- Added NULL exclusion to rule expression to prevent false-positives stemming from NULL IP or hostnames.
- [Updated] MATCH-S00556 Outbound Data Transfer Protocol Over Non-standard Port
- Added missing parenthesis to match expression.
Log Mappers​
- [New] AWS - Application Load Balancer - Connection
- [New] Automox - Audit logs
- [New] Automox - Audit logs - Logon
- [New] Automox - Event logs
- [New] Digital Guardian ARC - Audit Events
- [New] Digital Guardian ARC - Mail
- [New] Digital Guardian ARC - Network
- [New] Digital Guardian ARC - User Login|Logoff
- [New] Watchguard Fireware - Firewall
- [New] Watchguard Fireware - http/https-proxy
Parsers​
- [New] /Parsers/System/Automox/Automox
- [New] /Parsers/System/Digital Guardian/Digital Guardian ARC
- [New] /Parsers/System/WatchGuard/WatchGuard Fireware
- [Updated] /Parsers/System/AWS/AWS ALB
- Updated parser to support AWS Application Load Balancer Connection logs