June 12, 2025 - Content Release
This content release includes:
- New detection rules for browser extension persistence, Kerberos certificate authentication, GitHub vulnerability alerts, Okta application access monitoring, and threat intelligence email matching.
- New product support for Atlassian audit and login events.
- Enhanced Azure Event Hub Windows Defender integration with new threat event mapping for passthrough alerts.
- Cisco ASA updates with new network event support and NAT IP handling improvements.
- Citrix NetScaler mapping updates to support additional events.
- Update to Auth0 successful/unsuccessful login mappings to properly classify each.
- CrowdStrike NextGen SIEM Alert event support.
- Mimecast security event mapping improvements across several event types.
- AWS CloudTrail network event enhancements with event success/failure handling and protocol support.
- Parser updates to support additional event formats for multiple platforms.
Changes are enumerated below.
Rules
- [New] MATCH-S00897 Chromium Extension Installed
- Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values:
file_pathand/orchangeTargetdepending on the source of the telemetry. This rule logic utilizes Sysmon file creation events, which need to be enabled and configured on relevant assets.
- Threat actors may install browser extensions as a form of persistence on victim systems. Look up the 32 character extension ID in order to ensure that the extension is valid and expected to be installed as part of normal business operations. This extension ID can be found in the following values:
- [New] FIRST-S00064 First Seen Certificate Thumbprint in Successful Kerberos Authentication
- This alert looks for a first seen certificate thumbprint being used to authenticate to an Active Directory environment, resulting in a Kerberos ticket being successfully issued. This alert is designed to catch Active Directory Certificate Services related attacks, ensure the certificate thumprint is valid, correlate the thumbprint ID with other Certificate Services events, particularly looking for recently issued templates.
- [New] MATCH-S00949 GitHub - Vulnerability Alerts
- Detects vulnerability alerts created for a GitHub repository.
- [New] FIRST-S00070 Okta - First Seen Application Accessed by User
- This signal looks for a user that is accessing an application behind Okta SSO that is first seen since the baseline period. Ensure that access of this application is expected and authorized, look for other Okta events around the user account in question to determine whether access to this application is expected and authorized.
- [New] AGGREGATION-S00007 Okta - Session Anomaly (Multiple Operating Systems)
- This rule detects when a user has utilized multiple distinct operating systems when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly. Examine other Okta related events surrounding the time period for this signal, pivoting off the username value to examine if any other suspicious activity has taken place. If this rule is generating false positives, adjust the threshold value and consider excluding certain user accounts via tuning expression or a match list.
- [New] MATCH-S01020 Threat Intel - Matched Target Email
- Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
- [New] MATCH-S01019 Threat Intel - Matched User Email
- Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider.
- [Updated] MATCH-S00170 Windows - Scheduled Task Creation
- Fixed spelling error.
Log Mappers
- [New] Altassian audit events
- [New] Altassian login events
- [New] Azure Event Hub - Windows Defender Azure Alert
- [New] Cisco ASA 4180(18|19|44)
- [New] Cisco ASA 713nnn JSON
- [New] Cisco ASA Network events
- [New] Citrix NetScaler - SSL Handshake Failure
- [New] CrowdStrike NextGen SIEM
- [Updated] Auth0 Failed Authentication
- [Updated] Auth0 Successful Authentication
- [Updated] Azure Event Hub - Windows Defender Logs
- [Updated] Cisco ASA 106010 JSON
- [Updated] Cisco ASA 20900(4|5) JSON
- [Updated] Cisco ASA 50000(4|3) JSON
- [Updated] Citrix NetScaler - TCP Connection
- [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
- [Updated] F5 HTTP Request
- [Updated] Mimecast AV Event
- [Updated] Mimecast Audit Authentication Logs
- [Updated] Mimecast Audit Hold Messages
- [Updated] Mimecast Audit Logs
- [Updated] Mimecast DLP Logs
- [Updated] Mimecast Email logs
- [Updated] Mimecast Impersonation Event
- [Updated] Mimecast Spam Event
- [Updated] Mimecast Targeted Threat Protection Logs
Parsers
- [New] /Parsers/System/Atlassian/Atlassian Audit Events
- [Updated] /Parsers/System/Cisco/Cisco ASA
- [Updated] /Parsers/System/Cisco/Cisco Umbrella CSV
- [Updated] /Parsers/System/Citrix/Citrix NetScaler Syslog
- [Updated] /Parsers/System/AWS/CloudTrail
- [Updated] /Parsers/System/CrowdStrike/CrowdStrike Falcon Endpoint - JSON
- [Updated] /Parsers/System/F5/F5 Syslog
- [Updated] /Parsers/System/Microsoft/Microsoft Azure JSON
- [Updated] /Parsers/System/Microsoft/Windows-JSON-Open Telemetry