Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Content Release Notes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L3 Networker
92% helpful (56/61)

Cortex XDR Content Release Notes

 

*Deprecation alert*

This page has been deprecated and all newer release notes can be found here

 

February 28 2024 Release:

  • Improved logic of a Low Analytics BIOC:
    • Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - improved logic of a Low Analytics BIOC
  • Improved logic of 2 Low Analytics Alerts:
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - improved logic of a Low Analytics Alerts
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts
  • Improved logic of 15 Informational Analytics BIOCs:
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • Cloud compute serial console access (4fa4a3ce-ce13-4dca-bbf5-629476822259) - improved logic of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - improved logic of an Informational Analytics BIOCs
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - improved logic of an Informational Analytics BIOCs
    • A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
    • Network sniffing detected in Cloud environment (932986f4-e765-40a5-9517-aa9ba5bf2e7a) - improved logic of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOCs
    • A container registry was created or deleted (5dd2d962-b742-11ed-9e0e-acde48001122) - improved logic of an Informational Analytics BIOCs
  • Improved logic of 8 Informational Analytics Alerts:
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
    • Impossible travel by a cloud identity (1a4aae10-38f7-436e-aa77-ad3db460b4c3) - improved logic of an Informational Analytics Alerts
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - improved logic of an Informational Analytics Alerts
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alerts
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alerts
    • Cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of an Informational Analytics Alerts
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alerts
  • Increased the severity to Low for a BIOC:
    • Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - increased the severity to Low

 

February 21 2024 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
  • Improved logic of 6 Medium Analytics BIOCs:
    • Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs
    • Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - improved logic of a Medium Analytics BIOCs
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOCs
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOCs
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs
  • Improved logic of 13 Low Analytics BIOCs:
    • First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - improved logic of a Low Analytics BIOCs
    • MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - improved logic of a Low Analytics BIOCs
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - improved logic of a Low Analytics BIOCs
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of a Low Analytics BIOCs
    • Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - improved logic of a Low Analytics BIOCs
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs
    • Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - improved logic of a Low Analytics BIOCs
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOCs
    • Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - improved logic of a Low Analytics BIOCs
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - improved logic of a Low Analytics BIOCs
  • Added a new Low Analytics Alert:
    • Multiple discovery commands (921ffd42-455f-4182-9209-8fe9893c85e0) - added a new Low alert
  • Improved logic of 7 Low Analytics Alerts:
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts
    • Multiple Azure AD admin role removals (fea22348-d47e-4b5f-9896-6ab8e34d00a1) - improved logic of a Low Analytics Alerts
  • Added 2 new Informational Analytics BIOCs:
    • Cloud compute serial console access (4fa4a3ce-ce13-4dca-bbf5-629476822259) - added a new Informational alert
    • An identity started an AWS SSM session (e08bf777-125c-422b-985c-cb98939cad79) - added a new Informational alert
  • Improved logic of 44 Informational Analytics BIOCs:
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs
    • Azure application consent (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - improved logic of an Informational Analytics BIOCs
    • Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
    • Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - improved logic of an Informational Analytics BIOCs
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - improved logic of an Informational Analytics BIOCs
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs
    • BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - improved logic of an Informational Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - improved logic of an Informational Analytics BIOCs
    • A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Azure device code authentication flow used (c4a24d4f-1c7b-4a3d-a775-1e2a363d917e) - improved logic of an Informational Analytics BIOCs
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of an Informational Analytics BIOCs
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs
    • Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs
    • VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - improved logic of an Informational Analytics BIOCs
  • Decreased the severity to Informational for 2 Analytics Alerts:
    • Multiple discovery-like commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - decreased the severity to Informational
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 5 Informational Analytics Alerts:
    • User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts
    • Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - improved logic of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - improved logic of an Informational Analytics Alerts
  • Changed metadata of an Informational Analytics Alert:
    • External Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of an Informational Analytics Alert

 

February 14 2024 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
  • Added 3 new Low Analytics BIOCs:
    • Rare DCOM RPC activity (9c37ef68-75ae-4f33-87c7-6381bd5f3470) - added a new Low alert
    • Rare Scheduled Task RPC activity (fc8b21f4-5cc9-4b9b-b4b2-e33ac1b0d744) - added a new Low alert
    • An uncommon executable was remotely written over SMB to an uncommon destination (a859158d-fc75-4d4d-9a2c-56365fe35d63) - added a new Low alert
  • Improved logic of 9 Low Analytics BIOCs:
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of a Low Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOCs
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOCs
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - improved logic of a Low Analytics BIOCs
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
    • Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - improved logic of a Low Analytics BIOCs
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - improved logic of a Low Analytics BIOCs
  • Changed metadata of a Low Analytics BIOC:
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - changed metadata of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
    • Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - improved logic of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
  • Improved logic of 12 Informational Analytics BIOCs:
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs
    • Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - improved logic of an Informational Analytics BIOCs
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • An operation was performed by an identity from a domain that was not seen in the organization (16d5b9bf-3bb9-47d9-b2bd-3e2477b1a554) - improved logic of an Informational Analytics BIOCs
    • AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - improved logic of an Informational Analytics BIOCs
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
    • Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - improved logic of an Informational Analytics BIOCs
    • Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 2 Informational Analytics BIOCs:
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - changed metadata of an Informational Analytics BIOCs
  • Improved logic of 4 Informational Analytics Alerts:
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts

 

January 31 2024 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Low Analytics BIOCs:
    • Possible DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs
    • Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - changed metadata of a Low Analytics BIOCs
  • Added a new Informational Analytics BIOC:
    • Globally uncommon root-domain port combination by a common process (sha256) (bab5b000-ad72-4901-9527-9c7c15aceed2) - added a new Informational alert
  • Improved logic of an Informational Analytics BIOC:
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - changed metadata of an Informational Analytics BIOCs
    • Possible DLL Side-Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - changed metadata of an Informational Analytics BIOCs

 

January 24 2024 Release:

  • Improved logic of a High Analytics BIOC:
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
  • Improved logic of 3 Medium Analytics BIOCs:
    • Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs
  • Improved logic of 6 Low Analytics BIOCs:
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOCs
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs
    • Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOCs
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs
    • Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - improved logic of a Low Analytics BIOCs
  • Improved logic of 5 Low Analytics Alerts:
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alerts
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts
  • Improved logic of an Informational BIOC:
    • Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - improved logic of an Informational BIOC
  • Added a new Informational Analytics BIOC:
    • AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - added a new Informational alert
  • Improved logic of 20 Informational Analytics BIOCs:
    • A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs
    • A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOCs
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - improved logic of an Informational Analytics BIOCs
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs
    • A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - improved logic of an Informational Analytics BIOCs
    • Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - improved logic of an Informational Analytics BIOCs
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 2 Informational Analytics BIOCs:
    • Suspicious container runtime connection from within a Kubernetes Pod (b233c447-3312-429a-ab01-3a607104bb3a) - changed metadata of an Informational Analytics BIOCs
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs
  • Removed an old Informational Analytics BIOC:
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - removed an old Informational alert
  • Decreased the severity to Informational for an Analytics Alert:
    • Cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 11 Informational Analytics Alerts:
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
    • User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts

 

January 17 2024 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Low Analytics BIOC:
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOC
  • Decreased the severity to Informational for 2 Analytics BIOCs:
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - decreased the severity to Informational, and improved detection logic
    • Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - decreased the severity to Informational
  • Improved logic of 5 Informational Analytics BIOCs:
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • A container registry was created or deleted (5dd2d962-b742-11ed-9e0e-acde48001122) - improved logic of an Informational Analytics BIOCs
  • Temporarily removed a Informational Analytics BIOC for improvement:
    • An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - temporarily removed Informational alert for improvement
  • Improved logic of an Informational Analytics Alert:
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alert

 

January 10 2024 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOCs
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
  • Changed metadata of a High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Improved logic of 6 Medium Analytics BIOCs:
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
    • A mail forwarding rule was configured in Google Workspace (227ff69a-14aa-4c40-a328-a846c73b1d07) - improved logic of a Medium Analytics BIOCs
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOCs
  • Changed metadata of 3 Medium Analytics BIOCs:
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs
    • Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs
  • Removed an old Medium Analytics BIOC:
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - removed an old Medium alert
  • Temporarily removed a Medium Analytics BIOCs for improvement:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - temporarily removed Medium alert for improvement
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - temporarily removed Medium alert for improvement
  • Improved logic of a Medium Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
  • Removed an old Low BIOC:
    • Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - removed an old Low alert
  • Decreased the severity to Low for an Analytics BIOC:
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - decreased the severity to Low, and improved detection logic
  • Added 2 new Low Analytics BIOCs:
    • Image file execution options (IFEO) registry key set (393619bb-6197-46f4-bd9f-0246bf014381) - added a new Low alert
    • Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - added a new Low alert
  • Improved logic of 37 Low Analytics BIOCs:
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOCs
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - improved logic of a Low Analytics BIOCs
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOCs
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOCs
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - improved logic of a Low Analytics BIOCs
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - improved logic of a Low Analytics BIOCs
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - improved logic of a Low Analytics BIOCs
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - improved logic of a Low Analytics BIOCs
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - improved logic of a Low Analytics BIOCs
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
    • Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - improved logic of a Low Analytics BIOCs
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOCs
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOCs
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - improved logic of a Low Analytics BIOCs
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - improved logic of a Low Analytics BIOCs
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of a Low Analytics BIOCs
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of a Low Analytics BIOCs
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs
    • Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOCs
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs
    • Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOCs
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
  • Changed metadata of 14 Low Analytics BIOCs:
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Low Analytics BIOCs
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - changed metadata of a Low Analytics BIOCs
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs
  • Removed an old Low Analytics BIOC:
    • Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - removed an old Low alert
  • Added a new Low Analytics Alert:
    • Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - added a new Low alert
  • Improved logic of 21 Low Analytics Alerts:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alerts
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - improved logic of a Low Analytics Alerts
  • Added a new Informational BIOC:
    • Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - added a new Informational alert
  • Changed metadata of an Informational BIOC:
    • Common Apple process name missing Apple digital signature (f75bf626-24c2-4891-b7e5-8b78dbb10b85) - changed metadata of an Informational BIOC
  • Added 54 new Informational Analytics BIOCs:
    • An AWS ElastiCache security group was created (d417b2b4-b091-11ed-9b28-acde48001122) - added a new Informational alert
    • A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - added a new Informational alert
    • An Azure DNS Zone was modified (964d4524-b743-11ed-9835-acde48001122) - added a new Informational alert
    • A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment (0e24887e-b6c1-11ed-a5dc-acde48001122) - added a new Informational alert
    • An Azure Point-to-Site VPN was modified (bf00d118-b743-11ed-bb97-acde48001122) - added a new Informational alert
    • Azure device code authentication flow used (c4a24d4f-1c7b-4a3d-a775-1e2a363d917e) - added a new Informational alert
    • Azure Kubernetes events were deleted (e31af74a-b741-11ed-b996-acde48001122) - added a new Informational alert
    • An Azure firewall rule group was modified (bedc4338-b6c0-11ed-ba3b-acde48001122) - added a new Informational alert
    • An identity accessed Azure Kubernetes Secrets (8965581e-b742-11ed-9c12-acde48001122) - added a new Informational alert
    • An AWS S3 bucket configuration was modified (cb35ca90-b095-11ed-aa36-acde48001122) - added a new Informational alert
    • An Azure Firewall Rule Collection was modified (2dd88838-b742-11ed-96a1-acde48001122) - added a new Informational alert
    • An AWS Lambda function was modified (cb2184e8-b095-11ed-bda0-acde48001122) - added a new Informational alert
    • An AWS ElastiCache security group was modified or deleted (cb631bb4-b095-11ed-ad10-acde48001122) - added a new Informational alert
    • Removal of an Azure Owner from an Application or Service Principal (d7ee38c8-b741-11ed-a1f0-acde48001122) - added a new Informational alert
    • An Azure VPN Connection was modified (b6309f90-b6c0-11ed-b3e4-acde48001122) - added a new Informational alert
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - added a new Informational alert
    • An AWS Lambda Function was created (cada7046-b095-11ed-8064-acde48001122) - added a new Informational alert
    • An Azure Firewall was modified (7f431eb8-b742-11ed-96f7-acde48001122) - added a new Informational alert
    • An Email address was added to AWS SES (35757db4-c253-11ed-b745-acde48001122) - added a new Informational alert
    • AWS SecurityHub findings were modified (cb4a260c-b095-11ed-bde9-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role or Cluster-Role was modified (b3def2e8-b743-11ed-9cec-acde48001122) - added a new Informational alert
    • An AWS SES Email sending settings were modified (cb5a1bf4-b095-11ed-bf05-acde48001122) - added a new Informational alert
    • An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - added a new Informational alert
    • An Azure Key Vault was modified (94e3d9cc-b742-11ed-94cd-acde48001122) - added a new Informational alert
    • An identity was granted permissions to manage user access to Azure resources (79046206-b743-11ed-9133-acde48001122) - added a new Informational alert
    • An Azure virtual network Device was modified (6d9c8858-b741-11ed-b0e7-acde48001122) - added a new Informational alert
    • An AWS SES identity was deleted (caf89d0a-b095-11ed-8f65-acde48001122) - added a new Informational alert
    • Modification or Deletion of an Azure Application Gateway Detected (c96e5e48-b743-11ed-be3a-acde48001122) - added a new Informational alert
    • An Azure Key Vault key was modified (02a05bd2-b742-11ed-8c2c-acde48001122) - added a new Informational alert
    • PIM privilege member removal (f26e97d2-b6c0-11ed-b9b6-acde48001122) - added a new Informational alert
    • An AWS RDS instance was created from a snapshot (caeaf466-b095-11ed-afef-acde48001122) - added a new Informational alert
    • An AWS EFS file-share was deleted (cb2df5b8-b095-11ed-9972-acde48001122) - added a new Informational alert
    • An Azure Suppression Rule was created (74914062-b742-11ed-8108-acde48001122) - added a new Informational alert
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - added a new Informational alert
    • An AWS EKS cluster was created or deleted (cb25ae8a-b095-11ed-b476-acde48001122) - added a new Informational alert
    • An AWS RDS master password was changed (cb462fb6-b095-11ed-adfd-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Service Account was modified or deleted (edc0393a-b741-11ed-8947-acde48001122) - added a new Informational alert
    • An identity disabled bucket logging (60b28a82-96ff-402b-a64d-f0dd043b5dd6) - added a new Informational alert
    • A Service Principal was removed from Azure (a9038750-b743-11ed-b5e9-acde48001122) - added a new Informational alert
    • Azure Key Vault Secrets were modified (d261af90-b744-11ed-b217-acde48001122) - added a new Informational alert
    • Granting Access to an Account (249d8988-b744-11ed-a9e8-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted (f2c9e2b4-b743-11ed-bec8-acde48001122) - added a new Informational alert
    • An Azure Container Registry was created or removed (5dd2d962-b742-11ed-9e0e-acde48001122) - added a new Informational alert
    • An AWS EFS File-share mount was deleted (cae12134-b095-11ed-bee2-acde48001122) - added a new Informational alert
    • An Azure Cloud Shell was Created (88376c0a-b741-11ed-ae05-acde48001122) - added a new Informational alert
    • An AWS SAML provider was modified (cb561ad4-b095-11ed-86c9-acde48001122) - added a new Informational alert
    • AWS STS temporary credentials were generated (cb2a08a4-b095-11ed-97cf-acde48001122) - added a new Informational alert
    • An AWS Route 53 domain was transferred to another AWS account (caf53a02-b095-11ed-86c3-acde48001122) - added a new Informational alert
    • An Azure virtual network was modified (b29d99a8-b744-11ed-ac5e-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Cluster was created or deleted (fb88f09c-b6c0-11ed-ae53-acde48001122) - added a new Informational alert
    • A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - added a new Informational alert
    • Globally uncommon IP address by a common process (sha256) (aff38296-6019-474c-9de0-c423eda168e1) - added a new Informational alert
    • An Azure Network Security Group was modified (72e1c8fa-b744-11ed-8a9d-acde48001122) - added a new Informational alert
    • An AWS GuardDuty IP set was created (cb03739c-b095-11ed-9211-acde48001122) - added a new Informational alert
  • Improved logic of 84 Informational Analytics BIOCs:
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOCs
    • A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOCs
    • Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - improved logic of an Informational Analytics BIOCs
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - improved logic of an Informational Analytics BIOCs
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - improved logic of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - improved logic of an Informational Analytics BIOCs
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - improved logic of an Informational Analytics BIOCs
    • Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - improved logic of an Informational Analytics BIOCs
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOCs
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity used the security investigation tool (c1effd9b-2fde-4141-a894-f01b7fdaffd0) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - improved logic of an Informational Analytics BIOCs
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of an Informational Analytics BIOCs
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs
    • Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - improved logic of an Informational Analytics BIOCs
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
    • Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - improved logic of an Informational Analytics BIOCs
    • SharePoint Site Collection admin group addition (78de7350-5ea3-4c19-9a0f-f15dc7732226) - improved logic of an Informational Analytics BIOCs
    • Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs
    • Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - improved logic of an Informational Analytics BIOCs
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOCs
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOCs
    • Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - improved logic of an Informational Analytics BIOCs
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - improved logic of an Informational Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - improved logic of an Informational Analytics BIOCs
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - improved logic of an Informational Analytics BIOCs
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 15 Informational Analytics BIOCs:
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs
    • Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs
    • Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
  • Temporarily removed a Informational Analytics BIOCs for improvement:
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - temporarily removed Informational alert for improvement
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - temporarily removed Informational alert for improvement
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - temporarily removed Informational alert for improvement
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - temporarily removed Informational alert for improvement
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - temporarily removed Informational alert for improvement
  • Decreased the severity to Informational for an Analytics Alert:
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - decreased the severity to Informational, and improved detection logic
  • Added a new Informational Analytics Alert:
    • Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - added a new Informational alert
  • Improved logic of 34 Informational Analytics Alerts:
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts
    • SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of an Informational Analytics Alerts
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alerts
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alerts
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - improved logic of an Informational Analytics Alerts
    • A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - improved logic of an Informational Analytics Alerts
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts
    • Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts
  • Temporarily removed a Informational Analytics Alerts for improvement:
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - temporarily removed Informational alert for improvement
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - temporarily removed Informational alert for improvement

 

December 27 2023 Release:

  • Changed metadata of a High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Improved logic of 3 Medium Analytics BIOCs:
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
  • Changed metadata of 3 Medium Analytics BIOCs:
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs
    • Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs
  • Removed an old Medium Analytics BIOC:
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - removed an old Medium alert
  • Temporarily removed a Medium Analytics BIOCs for improvement:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - temporarily removed Medium alert for improvement
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - temporarily removed Medium alert for improvement
  • Improved logic of a Medium Analytics Alert:
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alert
  • Decreased the severity to Low for an Analytics BIOC:
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - decreased the severity to Low, and improved detection logic
  • Added a new Low Analytics BIOC:
    • Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - added a new Low alert
  • Improved logic of 16 Low Analytics BIOCs:
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOCs
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - improved logic of a Low Analytics BIOCs
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - improved logic of a Low Analytics BIOCs
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - improved logic of a Low Analytics BIOCs
  • Changed metadata of 17 Low Analytics BIOCs:
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Low Analytics BIOCs
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - changed metadata of a Low Analytics BIOCs
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of a Low Analytics BIOCs
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOCs
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs
  • Added a new Low Analytics Alert:
    • Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - added a new Low alert
  • Improved logic of 9 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alerts
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts
  • Changed metadata of 2 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - changed metadata of a Low Analytics Alerts
  • Added 53 new Informational Analytics BIOCs:
    • An Azure DNS Zone was modified (964d4524-b743-11ed-9835-acde48001122) - added a new Informational alert
    • An Azure VPN Connection was modified (b6309f90-b6c0-11ed-b3e4-acde48001122) - added a new Informational alert
    • AWS STS temporary credentials were generated (cb2a08a4-b095-11ed-97cf-acde48001122) - added a new Informational alert
    • An AWS S3 bucket configuration was modified (cb35ca90-b095-11ed-aa36-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role or Cluster-Role was modified (b3def2e8-b743-11ed-9cec-acde48001122) - added a new Informational alert
    • An identity disabled bucket logging (60b28a82-96ff-402b-a64d-f0dd043b5dd6) - added a new Informational alert
    • An AWS Lambda Function was created (cada7046-b095-11ed-8064-acde48001122) - added a new Informational alert
    • An Email address was added to AWS SES (35757db4-c253-11ed-b745-acde48001122) - added a new Informational alert
    • An AWS RDS master password was changed (cb462fb6-b095-11ed-adfd-acde48001122) - added a new Informational alert
    • An Azure firewall rule group was modified (bedc4338-b6c0-11ed-ba3b-acde48001122) - added a new Informational alert
    • Removal of an Azure Owner from an Application or Service Principal (d7ee38c8-b741-11ed-a1f0-acde48001122) - added a new Informational alert
    • A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - added a new Informational alert
    • A Service Principal was removed from Azure (a9038750-b743-11ed-b5e9-acde48001122) - added a new Informational alert
    • An AWS GuardDuty IP set was created (cb03739c-b095-11ed-9211-acde48001122) - added a new Informational alert
    • Azure Kubernetes events were deleted (e31af74a-b741-11ed-b996-acde48001122) - added a new Informational alert
    • An AWS EFS file-share was deleted (cb2df5b8-b095-11ed-9972-acde48001122) - added a new Informational alert
    • An Azure virtual network Device was modified (6d9c8858-b741-11ed-b0e7-acde48001122) - added a new Informational alert
    • An Azure Key Vault key was modified (02a05bd2-b742-11ed-8c2c-acde48001122) - added a new Informational alert
    • An identity was granted permissions to manage user access to Azure resources (79046206-b743-11ed-9133-acde48001122) - added a new Informational alert
    • An Azure Key Vault was modified (94e3d9cc-b742-11ed-94cd-acde48001122) - added a new Informational alert
    • An AWS SES Email sending settings were modified (cb5a1bf4-b095-11ed-bf05-acde48001122) - added a new Informational alert
    • PIM privilege member removal (f26e97d2-b6c0-11ed-b9b6-acde48001122) - added a new Informational alert
    • An AWS EFS File-share mount was deleted (cae12134-b095-11ed-bee2-acde48001122) - added a new Informational alert
    • An Azure Point-to-Site VPN was modified (bf00d118-b743-11ed-bb97-acde48001122) - added a new Informational alert
    • Granting Access to an Account (249d8988-b744-11ed-a9e8-acde48001122) - added a new Informational alert
    • An identity accessed Azure Kubernetes Secrets (8965581e-b742-11ed-9c12-acde48001122) - added a new Informational alert
    • An AWS Route 53 domain was transferred to another AWS account (caf53a02-b095-11ed-86c3-acde48001122) - added a new Informational alert
    • An AWS ElastiCache security group was modified or deleted (cb631bb4-b095-11ed-ad10-acde48001122) - added a new Informational alert
    • Azure Key Vault Secrets were modified (d261af90-b744-11ed-b217-acde48001122) - added a new Informational alert
    • An Azure Suppression Rule was created (74914062-b742-11ed-8108-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Cluster was created or deleted (fb88f09c-b6c0-11ed-ae53-acde48001122) - added a new Informational alert
    • AWS SecurityHub findings were modified (cb4a260c-b095-11ed-bde9-acde48001122) - added a new Informational alert
    • Modification or Deletion of an Azure Application Gateway Detected (c96e5e48-b743-11ed-be3a-acde48001122) - added a new Informational alert
    • An AWS RDS instance was created from a snapshot (caeaf466-b095-11ed-afef-acde48001122) - added a new Informational alert
    • An AWS ElastiCache security group was created (d417b2b4-b091-11ed-9b28-acde48001122) - added a new Informational alert
    • An AWS SAML provider was modified (cb561ad4-b095-11ed-86c9-acde48001122) - added a new Informational alert
    • An AWS Lambda function was modified (cb2184e8-b095-11ed-bda0-acde48001122) - added a new Informational alert
    • An Azure Firewall was modified (7f431eb8-b742-11ed-96f7-acde48001122) - added a new Informational alert
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - added a new Informational alert
    • An AWS SES identity was deleted (caf89d0a-b095-11ed-8f65-acde48001122) - added a new Informational alert
    • Globally uncommon IP address by a common process (sha256) (aff38296-6019-474c-9de0-c423eda168e1) - added a new Informational alert
    • An Azure Container Registry was created or removed (5dd2d962-b742-11ed-9e0e-acde48001122) - added a new Informational alert
    • An Azure Network Security Group was modified (72e1c8fa-b744-11ed-8a9d-acde48001122) - added a new Informational alert
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - added a new Informational alert
    • A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - added a new Informational alert
    • An Azure virtual network was modified (b29d99a8-b744-11ed-ac5e-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted (f2c9e2b4-b743-11ed-bec8-acde48001122) - added a new Informational alert
    • A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment (0e24887e-b6c1-11ed-a5dc-acde48001122) - added a new Informational alert
    • An Azure Cloud Shell was Created (88376c0a-b741-11ed-ae05-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Service Account was modified or deleted (edc0393a-b741-11ed-8947-acde48001122) - added a new Informational alert
    • An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - added a new Informational alert
    • An AWS EKS cluster was created or deleted (cb25ae8a-b095-11ed-b476-acde48001122) - added a new Informational alert
    • An Azure Firewall Rule Collection was modified (2dd88838-b742-11ed-96a1-acde48001122) - added a new Informational alert
  • Improved logic of 35 Informational Analytics BIOCs:
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - improved logic of an Informational Analytics BIOCs
    • Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - improved logic of an Informational Analytics BIOCs
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - improved logic of an Informational Analytics BIOCs
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - improved logic of an Informational Analytics BIOCs
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs
    • Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - improved logic of an Informational Analytics BIOCs
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - improved logic of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - improved logic of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - improved logic of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOCs
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 18 Informational Analytics BIOCs:
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOCs
    • Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOCs
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
    • Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs
  • Temporarily removed a Informational Analytics BIOCs for improvement:
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - temporarily removed Informational alert for improvement
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - temporarily removed Informational alert for improvement
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - temporarily removed Informational alert for improvement
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - temporarily removed Informational alert for improvement
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - temporarily removed Informational alert for improvement
  • Improved logic of 20 Informational Analytics Alerts:
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alerts
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - improved logic of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
  • Temporarily removed a Informational Analytics Alerts for improvement:
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - temporarily removed Informational alert for improvement
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - temporarily removed Informational alert for improvement

 

November 19 2023 Release:

  • Improved logic of a High Analytics BIOC:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
  • Removed an old Medium BIOC:
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - removed an old Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOC
  • Improved logic of 2 Low Analytics BIOCs:
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
  • Improved logic of 3 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
  • Removed an old Informational BIOC:
    • Setgid on file (0826210d-ddd8-44e7-98fb-399083b15e97) - removed an old Informational alert
  • Added 2 new Informational Analytics BIOCs:
    • Globally uncommon high entropy module was loaded (29621cda-7dd0-4c92-9c1d-52124db38f62) - added a new Informational alert
    • Globally uncommon high entropy process was executed (0871da76-eb4a-429c-8f3e-cfa9fa83a221) - added a new Informational alert
  • Improved logic of 14 Informational Analytics BIOCs:
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
  • Improved logic of 6 Informational Analytics Alerts:
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
  • Changed metadata of an Informational Analytics Alert:
    • Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - changed metadata of an Informational Analytics Alert
  • Temporarily removed a Informational Analytics Alert for improvement:
    • Port Sweep (01c1f692-2652-4cfe-8817-b48b1b0efb95) - temporarily removed Informational alert for improvement

November 08 2023 Release:

  • Removed an old High BIOC:
    • Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - removed an old High alert
  • Added a new High Analytics BIOC:
    • Mimikatz command-line arguments (b869d46a-8723-4ae3-63a7-a5da6435d78e) - added a new High alert
  • Improved logic of a High Analytics BIOC:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
  • Improved logic of a High Analytics Alert:
    • Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
  • Improved logic of 4 Medium Analytics BIOCs:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOCs
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOCs
  • Changed metadata of 2 Medium Analytics Alerts:
    • An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts
  • Increased the severity to Low for an Analytics BIOC:
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - increased the severity to Low, and improved detection logic
  • Decreased the severity to Low for an Analytics BIOC:
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - decreased the severity to Low
  • Added 3 new Low Analytics BIOCs:
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - added a new Low alert
    • RDP connections enabled remotely via Registry (547fb017-ead4-8c05-f32e-77902bdd0f7a) - added a new Low alert
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - added a new Low alert
  • Improved logic of 9 Low Analytics BIOCs:
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Low Analytics BIOCs
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - improved logic of a Low Analytics BIOCs
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
    • A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs
    • Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - improved logic of a Low Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
  • Changed metadata of 5 Low Analytics BIOCs:
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOCs
    • Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOCs
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - changed metadata of a Low Analytics BIOCs
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs
  • Improved logic of 6 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Low Analytics Alerts
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts
  • Changed metadata of 2 Low Analytics Alerts:
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts
    • Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts
  • Removed an old Informational BIOC:
    • Mimikatz command-line arguments (fa4867c0-bf95-4c44-b9e3-0460650b8e07) - removed an old Informational alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - decreased the severity to Informational, and improved detection logic
  • Added 5 new Informational Analytics BIOCs:
    • Cloud unusual access key creation (4aa215fb-e64d-4b00-9251-4d84774c27f3) - added a new Informational alert
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - added a new Informational alert
    • Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - added a new Informational alert
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - added a new Informational alert
    • Network sniffing detected in Cloud environment (932986f4-e765-40a5-9517-aa9ba5bf2e7a) - added a new Informational alert
  • Improved logic of 32 Informational Analytics BIOCs:
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
    • Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
    • Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs
    • A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 4 Informational Analytics BIOCs:
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - changed metadata of an Informational Analytics BIOCs
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - changed metadata of an Informational Analytics BIOCs
    • A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs
  • Temporarily removed a Informational Analytics BIOCs for improvement:
    • Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - temporarily removed Informational alert for improvement
    • Remote code execution into Kubernetes Pod (8d013538-6e98-48ed-a018-fcf19866f367) - temporarily removed Informational alert for improvement
  • Added 2 new Informational Analytics Alerts:
    • A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - added a new Informational alert
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - added a new Informational alert
  • Improved logic of 14 Informational Analytics Alerts:
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alerts
    • Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
  • Changed metadata of 4 Informational Analytics Alerts:
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - changed metadata of an Informational Analytics Alerts
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - changed metadata of an Informational Analytics Alerts

October 05 2023 Release:

  • Improved logic of a Medium Analytics BIOC:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - changed metadata of a Low Analytics BIOC
  • Removed 2 old Low Analytics BIOCs:
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - removed an old Low alert
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - removed an old Low alert
  • Improved logic of 7 Informational Analytics BIOCs:
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - improved logic of an Informational Analytics BIOCs
    • Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of an Informational Analytics BIOC:
    • Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - changed metadata of an Informational Analytics BIOC
  • Added a new Informational Analytics Alert:
    • Port Sweep (01c1f692-2652-4cfe-8817-b48b1b0efb95) - added a new Informational alert
  • Improved logic of 2 Informational Analytics Alerts:
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alerts
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts

September 27 2023 Release:

  • Changed metadata of a Low Analytics BIOC:
    • Masquerading as the Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOC
  • Decreased the severity to Informational for 4 Analytics BIOCs:
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - decreased the severity to Informational
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - decreased the severity to Informational
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - decreased the severity to Informational
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 5 Informational Analytics BIOCs:
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs
  • Temporarily removed a Informational Analytics BIOC for improvement:
    • LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - temporarily removed Informational alert for improvement
  • Decreased the severity to Informational for 2 Analytics Alerts:
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - decreased the severity to Informational
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - decreased the severity to Informational
  • Added a new Informational Analytics Alert:
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - added a new Informational alert
  • Improved logic of 4 Informational Analytics Alerts:
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts
    • Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alerts
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alerts

September 13 2023 Release:

  • Increased the severity to Medium for 2 Analytics BIOCs:
    • A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - increased the severity to Medium
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - increased the severity to Medium, and improved detection logic
  • Changed metadata of 9 Low Analytics BIOCs:
    • Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs
    • Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs
    • Masquerading as the Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs
    • Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs
    • Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs
    • An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs
    • Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs
  • Added a new Low Analytics Alert:
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - added a new Low alert
  • Changed metadata of a Low Analytics Alert:
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - changed metadata of a Low Analytics Alert
  • Added a new Informational Analytics BIOC:
    • Suspicious container runtime connection from within a Kubernetes Pod (b233c447-3312-429a-ab01-3a607104bb3a) - added a new Informational alert
  • Changed metadata of 11 Informational Analytics BIOCs:
    • Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs
    • Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - changed metadata of an Informational Analytics BIOCs
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs
    • Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs
    • Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs
    • A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs
    • Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - changed metadata of an Informational Analytics BIOCs
  • Improved logic of 2 Informational Analytics Alerts:
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts

September 06 2023 Release:

  • Improved logic of a High Analytics BIOC:
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOC
  • Changed metadata of a High Analytics BIOC:
    • Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of a High Analytics BIOC
  • Added a new Medium Analytics BIOC:
    • A mail forwarding rule was configured in Google Workspace (227ff69a-14aa-4c40-a328-a846c73b1d07) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
  • Changed metadata of a Medium Analytics BIOC:
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Increased the severity to Low for an Analytics BIOC:
    • Scheduled Task hidden by registry modification (21dabd4a-1e37-4753-a8ed-be6a7e947f40) - increased the severity to Low
  • Added 2 new Low Analytics BIOCs:
    • Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - added a new Low alert
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - added a new Low alert
  • Improved logic of 12 Low Analytics BIOCs:
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOCs
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOCs
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of a Low Analytics BIOCs
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs
  • Changed metadata of a Low Analytics BIOC:
    • Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOC
  • Improved logic of 2 Low Analytics Alerts:
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
  • Decreased the severity to Informational for an Analytics BIOC:
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - decreased the severity to Informational, and improved detection logic
  • Added a new Informational Analytics BIOC:
    • An operation was performed by an identity from a domain that was not seen in the organization (16d5b9bf-3bb9-47d9-b2bd-3e2477b1a554) - added a new Informational alert
  • Improved logic of 18 Informational Analytics BIOCs:
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOCs
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - improved logic of an Informational Analytics BIOCs
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
    • An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOCs
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 4 Informational Analytics BIOCs:
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs
    • Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs
  • Removed an old Informational Analytics BIOC:
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - removed an old Informational alert
  • Added a new Informational Analytics Alert:
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - added a new Informational alert
  • Improved logic of 2 Informational Analytics Alerts:
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts

August 28 2023 Release:

  • Changed metadata of 21 High Analytics BIOCs:
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs
    • Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOCs
    • Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - changed metadata of a High Analytics BIOCs
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs
    • Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of a High Analytics BIOCs
    • Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOCs
    • PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOCs
    • Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs
    • Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs
    • Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - changed metadata of a High Analytics BIOCs
    • Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - changed metadata of a High Analytics BIOCs
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - changed metadata of a High Analytics BIOCs
    • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOCs
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOCs
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs
    • Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - changed metadata of a High Analytics BIOCs
    • Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a High Analytics BIOCs
  • Changed metadata of 2 High Analytics Alerts:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alerts
    • Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alerts
  • Changed metadata of 84 Medium Analytics BIOCs:
    • Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
    • Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs
    • Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOCs
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - changed metadata of a Medium Analytics BIOCs
    • MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOCs
    • Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOCs
    • Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs
    • Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOCs
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
    • Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - changed metadata of a Medium Analytics BIOCs
    • TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOCs
    • Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - changed metadata of a Medium Analytics BIOCs
    • LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs
    • Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOCs
    • Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOCs
    • Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs
    • Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs
    • Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs
    • Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOCs
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - changed metadata of a Medium Analytics BIOCs
    • Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs
    • Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - changed metadata of a Medium Analytics BIOCs
    • Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs
    • Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs
    • A process was executed with a command line obfuscated by Unicode character substitution (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - changed metadata of a Medium Analytics BIOCs
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOCs
    • Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - changed metadata of a Medium Analytics BIOCs
    • A contained executable was executed by an unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - changed metadata of a Medium Analytics BIOCs
    • Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOCs
    • A suspicious executable with multiple file extensions was created (8a80d179-6ce0-4d38-8087-287b18ed5f27) - changed metadata of a Medium Analytics BIOCs
    • Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOCs
    • Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOCs
    • Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - changed metadata of a Medium Analytics BIOCs
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a Medium Analytics BIOCs
    • A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - changed metadata of a Medium Analytics BIOCs
    • Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOCs
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOCs
    • Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOCs
    • Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOCs
    • The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOCs
    • Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs
    • Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOCs
    • Possible collection of screen captures with Windows Problem Steps Recorder (28f11a20-9611-4099-8c05-f6437a5ea9d5) - changed metadata of a Medium Analytics BIOCs
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs
    • Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs
    • Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs
    • Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs
    • Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOCs
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs
    • Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
    • Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - changed metadata of a Medium Analytics BIOCs
    • Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Medium Analytics BIOCs
    • PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOCs
    • TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - changed metadata of a Medium Analytics BIOCs
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - changed metadata of a Medium Analytics BIOCs
    • Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOCs
    • Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOCs
    • Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs
    • Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOCs
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOCs
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - changed metadata of a Medium Analytics BIOCs
    • Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOCs
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
    • Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOCs
    • Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOCs
    • A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - changed metadata of a Medium Analytics BIOCs
    • Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOCs
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs
    • Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOCs
    • Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs
    • Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs
  • Changed metadata of 10 Medium Analytics Alerts:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts
    • Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alerts
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts
    • A new machine attempted Kerberos delegation (0f9a92bd-916c-40ad-80a9-58c2adaaa946) - changed metadata of a Medium Analytics Alerts
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts
    • An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts
    • A contained process attempted to escape using the 'notify on release' feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - changed metadata of a Medium Analytics Alerts
  • Increased the severity to Low for an Analytics BIOC:
    • Unusual Azure AD sync module load (512ac45c-fd8c-4110-834b-1cfe578aaafb) - increased the severity to Low, and improved detection logic
  • Improved logic of 3 Low Analytics BIOCs:
    • Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
  • Changed metadata of 166 Low Analytics BIOCs:
    • Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOCs
    • A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - changed metadata of a Low Analytics BIOCs
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - changed metadata of a Low Analytics BIOCs
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - changed metadata of a Low Analytics BIOCs
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - changed metadata of a Low Analytics BIOCs
    • Conditional Access policy removed (f667c079-ed9c-4ee1-a604-964440c92051) - changed metadata of a Low Analytics BIOCs
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - changed metadata of a Low Analytics BIOCs
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOCs
    • Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Low Analytics BIOCs
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs
    • Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - changed metadata of a Low Analytics BIOCs
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - changed metadata of a Low Analytics BIOCs
    • MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - changed metadata of a Low Analytics BIOCs
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs
    • Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOCs
    • Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - changed metadata of a Low Analytics BIOCs
    • Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs
    • VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - changed metadata of a Low Analytics BIOCs
    • Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - changed metadata of a Low Analytics BIOCs
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOCs
    • Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - changed metadata of a Low Analytics BIOCs
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs
    • Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - changed metadata of a Low Analytics BIOCs
    • Uncommon access to Microsoft Teams credential files (1bb7c565-fa59-4fd8-b779-7f32ad96caad) - changed metadata of a Low Analytics BIOCs
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs
    • MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOCs
    • System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOCs
    • Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Low Analytics BIOCs
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Low Analytics BIOCs
    • SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs
    • Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs
    • Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOCs
    • Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - changed metadata of a Low Analytics BIOCs
    • Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs
    • Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs
    • Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - changed metadata of a Low Analytics BIOCs
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOCs
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs
    • First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - changed metadata of a Low Analytics BIOCs
    • Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs
    • Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs
    • Uncommon AT task-job creation by user (082e4d29-7037-47d0-b83f-a0226016139c) - changed metadata of a Low Analytics BIOCs
    • Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - changed metadata of a Low Analytics BIOCs
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - changed metadata of a Low Analytics BIOCs
    • An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - changed metadata of a Low Analytics BIOCs
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - changed metadata of a Low Analytics BIOCs
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOCs
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs
    • Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - changed metadata of a Low Analytics BIOCs
    • A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - changed metadata of a Low Analytics BIOCs
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOCs
    • Unusual Kubernetes API server communication from a pod (ffa2e838-57be-4d1d-ae93-aa17fb738c37) - changed metadata of a Low Analytics BIOCs
    • Billing admin role was removed (2a6e6c44-40cf-47c1-8276-67dea08eb4c6) - changed metadata of a Low Analytics BIOCs
    • Stored credentials exported using credwiz.exe (97f50040-5670-43b3-9afc-1d0e5b1a76bb) - changed metadata of a Low Analytics BIOCs
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOCs
    • Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - changed metadata of a Low Analytics BIOCs
    • Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOCs
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - changed metadata of a Low Analytics BIOCs
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs
    • Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs
    • Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOCs
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs
    • Download a script using the python requests module (73619608-e776-4837-98dd-1ac6339ce4d5) - changed metadata of a Low Analytics BIOCs
    • Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOCs
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs
    • Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a Low Analytics BIOCs
    • Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - changed metadata of a Low Analytics BIOCs
    • Unusual Kubernetes dashboard communication from a pod (545d7ae0-f862-4f06-8ec0-ec043afd81a1) - changed metadata of a Low Analytics BIOCs
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - changed metadata of a Low Analytics BIOCs
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOCs
    • Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs
    • New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - changed metadata of a Low Analytics BIOCs
    • Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs
    • Compressing data using python (1a8bbf16-65ad-46de-86aa-0091f0e529a1) - changed metadata of a Low Analytics BIOCs
    • Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - changed metadata of a Low Analytics BIOCs
    • Uncommon msiexec execution of an arbitrary file from a remote location (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - changed metadata of a Low Analytics BIOCs
    • Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - changed metadata of a Low Analytics BIOCs
    • Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs
    • Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - changed metadata of a Low Analytics BIOCs
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs
    • Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs
    • Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs
    • Suspicious Print System Remote Protocol usage by a process (f9d3b9e8-68f0-4510-bc01-895fd1e45256) - changed metadata of a Low Analytics BIOCs
    • Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - changed metadata of a Low Analytics BIOCs
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - changed metadata of a Low Analytics BIOCs
    • Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - changed metadata of a Low Analytics BIOCs
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - changed metadata of a Low Analytics BIOCs
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - changed metadata of a Low Analytics BIOCs
    • Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - changed metadata of a Low Analytics BIOCs
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs
    • Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - changed metadata of a Low Analytics BIOCs
    • Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOCs
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - changed metadata of a Low Analytics BIOCs
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - changed metadata of a Low Analytics BIOCs
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Low Analytics BIOCs
    • Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOCs
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of a Low Analytics BIOCs
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOCs
    • SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOCs
    • Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - changed metadata of a Low Analytics BIOCs
    • Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - changed metadata of a Low Analytics BIOCs
    • Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Suspicious ICMP packet (f3389ebd-c09d-412d-b507-fb0d4f692130) - changed metadata of a Low Analytics BIOCs
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs
    • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs
    • Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOCs
    • PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Attempt to execute a command on a remote host using PsExec.exe (ddf3b8d9-53e0-8410-c76a-d2e6b5203438) - changed metadata of a Low Analytics BIOCs
    • Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - changed metadata of a Low Analytics BIOCs
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - changed metadata of a Low Analytics BIOCs
    • Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOCs
    • Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOCs
    • Copy a user's GnuPG directory with rsync (759d73fc-246b-4d3a-bd34-027174dfb9fc) - changed metadata of a Low Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Low Analytics BIOCs
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - changed metadata of a Low Analytics BIOCs
    • Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs
    • Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOCs
  • Changed metadata of 41 Low Analytics Alerts:
    • Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - changed metadata of a Low Analytics Alerts
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts
    • A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Low Analytics Alerts
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - changed metadata of a Low Analytics Alerts
    • Multiple Azure AD admin role removals (fea22348-d47e-4b5f-9896-6ab8e34d00a1) - changed metadata of a Low Analytics Alerts
    • Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - changed metadata of a Low Analytics Alerts
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts
    • Allocation of compute resources in multiple regions (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Low Analytics Alerts
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - changed metadata of a Low Analytics Alerts
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alerts
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
    • Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alerts
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alerts
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - changed metadata of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - changed metadata of a Low Analytics Alerts
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - changed metadata of a Low Analytics Alerts
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of a Low Analytics Alerts
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
    • Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alerts
    • Rare LDAP enumeration (fcb12ef3-ac18-40c0-947c-c2891c6ecaf7) - changed metadata of a Low Analytics Alerts
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - changed metadata of a Low Analytics Alerts
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - changed metadata of a Low Analytics Alerts
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
  • Added a new Informational Analytics BIOC:
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - added a new Informational alert
  • Improved logic of 10 Informational Analytics BIOCs:
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs
    • Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 269 Informational Analytics BIOCs:
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs
    • GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - changed metadata of an Informational Analytics BIOCs
    • Creation or modification of the default command executed when opening an application (cd392d6e-e448-46d6-8af3-d2e8a6d79e71) - changed metadata of an Informational Analytics BIOCs
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - changed metadata of an Informational Analytics BIOCs
    • AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs
    • Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs
    • Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs
    • Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs
    • A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - changed metadata of an Informational Analytics BIOCs
    • Unverified domain added to Azure AD (030963fb-eb31-4cf7-ab0a-4e9681dda8a8) - changed metadata of an Informational Analytics BIOCs
    • A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs
    • GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs
    • Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - changed metadata of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOCs
    • Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs
    • A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - changed metadata of an Informational Analytics BIOCs
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - changed metadata of an Informational Analytics BIOCs
    • Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - changed metadata of an Informational Analytics BIOCs
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOCs
    • SharePoint Site Collection admin group addition (78de7350-5ea3-4c19-9a0f-f15dc7732226) - changed metadata of an Informational Analytics BIOCs
    • Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - changed metadata of an Informational Analytics BIOCs
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs
    • GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs
    • Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOCs
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
    • Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOCs
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - changed metadata of an Informational Analytics BIOCs
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - changed metadata of an Informational Analytics BIOCs
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process execution in a privileged container (b87fb2e8-4904-4d30-9125-d12d87fb3d17) - changed metadata of an Informational Analytics BIOCs
    • Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - changed metadata of an Informational Analytics BIOCs
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity used the security investigation tool (c1effd9b-2fde-4141-a894-f01b7fdaffd0) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs
    • Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs
    • A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - changed metadata of an Informational Analytics BIOCs
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs
    • Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of an Informational Analytics BIOCs
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs
    • Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs
    • Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs
    • Unusual access to the Windows Internal Database on an ADFS server (4e37d789-4249-4dc1-b390-57216ee663c8) - changed metadata of an Informational Analytics BIOCs
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - changed metadata of an Informational Analytics BIOCs
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - changed metadata of an Informational Analytics BIOCs
    • PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOCs
    • Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs
    • Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOCs
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - changed metadata of an Informational Analytics BIOCs
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOCs
    • An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs
    • Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • A user logged in at an unusual time via VPN (85baec39-fafd-4bc9-b360-e20fb417721c) - changed metadata of an Informational Analytics BIOCs
    • Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - changed metadata of an Informational Analytics BIOCs
    • A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - changed metadata of an Informational Analytics BIOCs
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - changed metadata of an Informational Analytics BIOCs
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - changed metadata of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - changed metadata of an Informational Analytics BIOCs
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - changed metadata of an Informational Analytics BIOCs
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - changed metadata of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - changed metadata of an Informational Analytics BIOCs
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - changed metadata of an Informational Analytics BIOCs
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - changed metadata of an Informational Analytics BIOCs
    • Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - changed metadata of an Informational Analytics BIOCs
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of an Informational Analytics BIOCs
    • S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs
    • Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of an Informational Analytics BIOCs
    • A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs
    • Azure AD PIM elevation request (c2d1d670-fe63-4676-8bdb-f147d6823d48) - changed metadata of an Informational Analytics BIOCs
    • Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - changed metadata of an Informational Analytics BIOCs
    • Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs
    • Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of an Informational Analytics BIOCs
    • VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - changed metadata of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of an Informational Analytics BIOCs
    • Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Remote code execution into Kubernetes Pod (8d013538-6e98-48ed-a018-fcf19866f367) - changed metadata of an Informational Analytics BIOCs
    • Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs
    • Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs
    • Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - changed metadata of an Informational Analytics BIOCs
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOCs
    • A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs
    • Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
    • VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - changed metadata of an Informational Analytics BIOCs
    • Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - changed metadata of an Informational Analytics BIOCs
    • Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOCs
    • Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - changed metadata of an Informational Analytics BIOCs
    • Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs
    • GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs
    • An identity attached an administrative policy to an IAM user (a0aa6d99-ab79-41f0-9c3b-e23ffee74e39) - changed metadata of an Informational Analytics BIOCs
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs
    • Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs
    • Azure application consent (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - changed metadata of an Informational Analytics BIOCs
    • New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOCs
    • AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Kubernetes secret enumeration activity (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - changed metadata of an Informational Analytics BIOCs
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of an Informational Analytics BIOCs
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - changed metadata of an Informational Analytics BIOCs
    • A cloud storage configuration was modified (2443ff34-fbdb-4281-9502-f1b1a33ccb3c4) - changed metadata of an Informational Analytics BIOCs
    • VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - changed metadata of an Informational Analytics BIOCs
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOCs
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs
    • IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs
    • GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs
    • A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOCs
    • Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - changed metadata of an Informational Analytics BIOCs
    • Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - changed metadata of an Informational Analytics BIOCs
    • GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - changed metadata of an Informational Analytics BIOCs
    • A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs
    • Possible use of IPFS was detected (6089c9b0-1842-4641-adc4-64165886ae19) - changed metadata of an Informational Analytics BIOCs
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - changed metadata of an Informational Analytics BIOCs
    • AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOCs
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of an Informational Analytics BIOCs
    • System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - changed metadata of an Informational Analytics BIOCs
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - changed metadata of an Informational Analytics BIOCs
    • PsExec was executed with a suspicious command line (a3a029c0-dbb8-10d2-9109-8cc458cf1e6e) - changed metadata of an Informational Analytics BIOCs
    • GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs
    • Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - changed metadata of an Informational Analytics BIOCs
    • Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - changed metadata of an Informational Analytics BIOCs
    • Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
    • Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - changed metadata of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - changed metadata of an Informational Analytics BIOCs
    • An identity created or updated password for an IAM user (a9bf8f7d-8d01-40b6-b1fc-a6126e9e7656) - changed metadata of an Informational Analytics BIOCs
    • Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs
    • Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - changed metadata of an Informational Analytics BIOCs
    • Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - changed metadata of an Informational Analytics BIOCs
    • GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs
    • An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - changed metadata of an Informational Analytics BIOCs
    • GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs
    • User discovery via WMI query execution (d60b2b53-4d04-4b9a-b51b-9f7ce490c931) - changed metadata of an Informational Analytics BIOCs
    • AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs
    • EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - changed metadata of an Informational Analytics BIOCs
    • Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOCs
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - changed metadata of an Informational Analytics BIOCs
    • A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs
    • Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOCs
    • Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - changed metadata of an Informational Analytics BIOCs
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOCs
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOCs
    • Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOCs
    • BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - changed metadata of an Informational Analytics BIOCs
    • Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs
    • Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs
    • A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
    • AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs
    • VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of an Informational Analytics BIOCs
    • Possible IPFS traffic was detected (7db8528e-829d-4b64-94ad-815e054da2f8) - changed metadata of an Informational Analytics BIOCs
    • Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • DSC (Desired State Configuration) lateral movement using PowerShell (db8cf34e-eb16-445a-a4b0-cd36ba1366a0) - changed metadata of an Informational Analytics BIOCs
    • A Torrent client was detected on a host (5fcceaca-8602-4b62-a2a7-d16fb61f0e41) - changed metadata of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of an Informational Analytics BIOCs
    • Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - changed metadata of an Informational Analytics BIOCs
    • Rare Unix process divided files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - changed metadata of an Informational Analytics BIOCs
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - changed metadata of an Informational Analytics BIOCs
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs
    • Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
    • LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - changed metadata of an Informational Analytics BIOCs
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Scheduled Task hide by registry modification (21dabd4a-1e37-4753-a8ed-be6a7e947f40) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs
    • Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - changed metadata of an Informational Analytics BIOCs
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - changed metadata of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - changed metadata of an Informational Analytics BIOCs
    • AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs
    • Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - changed metadata of an Informational Analytics BIOCs
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - changed metadata of an Informational Analytics BIOCs
    • Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - changed metadata of an Informational Analytics BIOCs
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs
    • A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - changed metadata of an Informational Analytics BIOCs
    • Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - changed metadata of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOCs
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - changed metadata of an Informational Analytics BIOCs
    • Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - changed metadata of an Informational Analytics BIOCs
    • GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - changed metadata of an Informational Analytics BIOCs
    • Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - changed metadata of an Informational Analytics BIOCs
    • MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - changed metadata of an Informational Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of an Informational Analytics BIOCs
    • VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - changed metadata of an Informational Analytics BIOCs
    • AWS Root account activity (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - changed metadata of an Informational Analytics BIOCs
    • Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
    • GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs
  • Temporarily removed a Informational Analytics BIOC for improvement:
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - temporarily removed Informational alert for improvement
  • Improved logic of an Informational Analytics Alert:
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert
  • Changed metadata of 50 Informational Analytics Alerts:
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
    • Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - changed metadata of an Informational Analytics Alerts
    • A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - changed metadata of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - changed metadata of an Informational Analytics Alerts
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - changed metadata of an Informational Analytics Alerts
    • Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - changed metadata of an Informational Analytics Alerts
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - changed metadata of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts
    • Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - changed metadata of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - changed metadata of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - changed metadata of an Informational Analytics Alerts
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - changed metadata of an Informational Analytics Alerts
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - changed metadata of an Informational Analytics Alerts
    • Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alerts
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alerts
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - changed metadata of an Informational Analytics Alerts
    • Upload pattern that resembles Peer to Peer traffic (56641a1d-2201-4113-998c-fe4b958bf34d) - changed metadata of an Informational Analytics Alerts
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - changed metadata of an Informational Analytics Alerts
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
    • Multiple discovery commands on Linux host (1499fa5b-ad53-4d60-ba2d-a3c790e20ca8) - changed metadata of an Informational Analytics Alerts
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - changed metadata of an Informational Analytics Alerts
    • Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - changed metadata of an Informational Analytics Alerts
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - changed metadata of an Informational Analytics Alerts
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alerts
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Suspicious container reconnaissance activity in a Kubernetes pod (ec0013e8-b43b-4e84-ad42-b80ebcf1c0a0) - changed metadata of an Informational Analytics Alerts
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alerts
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alerts
    • Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts
    • SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - changed metadata of an Informational Analytics Alerts
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of an Informational Analytics Alerts
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Impossible travel by a cloud identity (1a4aae10-38f7-436e-aa77-ad3db460b4c3) - changed metadata of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alerts
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - changed metadata of an Informational Analytics Alerts
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - changed metadata of an Informational Analytics Alerts
    • Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - changed metadata of an Informational Analytics Alerts
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - changed metadata of an Informational Analytics Alerts
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - changed metadata of an Informational Analytics Alerts
    • User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - changed metadata of an Informational Analytics Alerts

August 21 2023 Release:

  • Added 2 new Low Analytics BIOCs:
    • Billing admin role was removed (2a6e6c44-40cf-47c1-8276-67dea08eb4c6) - added a new Low alert
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - added a new Low alert
  • Improved logic of 3 Low Analytics BIOCs:
    • Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - improved logic of a Low Analytics BIOCs
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOCs
  • Improved logic of a Low Analytics Alert:
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert
  • Temporarily removed a Low Analytics Alert for improvement:
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - temporarily removed Low alert for improvement
  • Decreased the severity to Informational for an Analytics BIOC:
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - decreased the severity to Informational, and improved detection logic
  • Added 2 new Informational Analytics BIOCs:
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - added a new Informational alert
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - added a new Informational alert
  • Improved logic of 5 Informational Analytics BIOCs:
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - improved logic of an Informational Analytics BIOCs
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - improved logic of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs
    • An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOCs
  • Improved logic of 4 Informational Analytics Alerts:
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alerts

 

August 14 2023 Release:

  • Increased the severity to High for an Analytics BIOC:
    • Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - increased the severity to High, and improved detection logic
  • Improved logic of 4 High Analytics BIOCs:
    • Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of a High Analytics BIOCs
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOCs
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs
  • Improved logic of 4 Medium Analytics BIOCs:
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOCs
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs
  • Removed an old Medium Analytics BIOC:
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - removed an old Medium alert
  • Improved logic of a Medium Analytics Alert:
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alert
  • Changed metadata of a Medium Analytics Alert:
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
  • Decreased the severity to Low for 2 Analytics BIOCs:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Low
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - decreased the severity to Low, and improved detection logic
  • Added 5 new Low Analytics BIOCs:
    • Copy a user's GnuPG directory with rsync (759d73fc-246b-4d3a-bd34-027174dfb9fc) - added a new Low alert
    • Download a script using the python requests module (73619608-e776-4837-98dd-1ac6339ce4d5) - added a new Low alert
    • Suspicious Print System Remote Protocol usage by a process (f9d3b9e8-68f0-4510-bc01-895fd1e45256) - added a new Low alert
    • Compressing data using python (1a8bbf16-65ad-46de-86aa-0091f0e529a1) - added a new Low alert
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - added a new Low alert
  • Improved logic of 7 Low Analytics BIOCs:
    • An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - improved logic of a Low Analytics BIOCs
    • Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOCs
    • Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOCs
    • Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - improved logic of a Low Analytics BIOCs
    • Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - improved logic of a Low Analytics BIOCs
    • Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - improved logic of a Low Analytics BIOCs
    • Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - improved logic of a Low Analytics BIOCs
  • Changed metadata of 3 Low Analytics BIOCs:
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOCs
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs
  • Added a new Low Analytics Alert:
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - added a new Low alert
  • Improved logic of 8 Low Analytics Alerts:
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - improved logic of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
  • Changed metadata of 6 Low Analytics Alerts:
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alerts
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alerts
  • Decreased the severity to Informational for an Analytics BIOC:
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - decreased the severity to Informational
  • Added 8 new Informational Analytics BIOCs:
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - added a new Informational alert
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - added a new Informational alert
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - added a new Informational alert
    • Unusual access to the Windows Internal Database on an ADFS server (4e37d789-4249-4dc1-b390-57216ee663c8) - added a new Informational alert
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - added a new Informational alert
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - added a new Informational alert
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - added a new Informational alert
    • Cloud Disk Snapshot Creation or Modification (a41624fc-22e0-11ed-acc2-00155d825142) - added a new Informational alert
  • Improved logic of 12 Informational Analytics BIOCs:
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
    • Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - improved logic of an Informational Analytics BIOCs
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOCs
    • Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOCs
    • A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - improved logic of an Informational Analytics BIOCs
    • Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - improved logic of an Informational Analytics BIOCs
    • Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - improved logic of an Informational Analytics BIOCs
    • Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - improved logic of an Informational Analytics BIOCs
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs
    • Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 15 Informational Analytics BIOCs:
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOCs
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOCs
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - changed metadata of an Informational Analytics BIOCs
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - changed metadata of an Informational Analytics BIOCs
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - changed metadata of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
  • Removed an old Informational Analytics BIOC:
    • A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - removed an old Informational alert
  • Added a new Informational Analytics Alert:
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - added a new Informational alert
  • Improved logic of 5 Informational Analytics Alerts:
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
    • Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alerts
  • Changed metadata of 10 Informational Analytics Alerts:
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - changed metadata of an Informational Analytics Alerts
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alerts
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alerts
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alerts
  • Removed 3 old Informational Analytics Alerts:
    • Download pattern that resembles Peer to Peer traffic (4c325fcd-7574-435d-a83d-46d6633749f8) - removed an old Informational alert
    • Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - removed an old Informational alert
    • Suspicious ICMP traffic (bd17a758-e4b8-43fc-a6a6-4510f71b5d07) - removed an old Informational alert

 

July 17 2023 Release:

  • Improved logic of a High Analytics BIOC:
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOC
  • Improved logic of 2 Medium Analytics BIOCs:
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs
  • Removed an old Medium Analytics BIOC:
    • Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - removed an old Medium alert
  • Improved logic of 5 Medium Analytics Alerts:
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alerts
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alerts
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts
    • An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts
  • Improved logic of 7 Low Analytics BIOCs:
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOCs
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOCs
    • A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - improved logic of a Low Analytics BIOCs
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - improved logic of a Low Analytics BIOCs
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs
    • Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOCs
  • Improved logic of 17 Low Analytics Alerts:
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - improved logic of a Low Analytics Alerts
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts
    • Rare LDAP enumeration (fcb12ef3-ac18-40c0-947c-c2891c6ecaf7) - improved logic of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts
  • Added a new Informational Analytics BIOC:
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - added a new Informational alert
  • Improved logic of 6 Informational Analytics BIOCs:
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
    • Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOCs
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs
    • Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOCs
    • Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 2 Informational Analytics BIOCs:
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - changed metadata of an Informational Analytics BIOCs
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - changed metadata of an Informational Analytics BIOCs
  • Improved logic of 15 Informational Analytics Alerts:
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
    • Upload pattern that resembles Peer to Peer traffic (56641a1d-2201-4113-998c-fe4b958bf34d) - improved logic of an Informational Analytics Alerts
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
    • Download pattern that resembles Peer to Peer traffic (4c325fcd-7574-435d-a83d-46d6633749f8) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts
    • Suspicious ICMP traffic (bd17a758-e4b8-43fc-a6a6-4510f71b5d07) - improved logic of an Informational Analytics Alerts
    • Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - improved logic of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts
    • SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts
  •  

 

Rate this article:
(1)
Comments
L0 Member

Hi, can I ask you where I can find the content update version with the release date?

By example: the Cortex XDR agent content version 172-54504, when was released? 

 

Thanks

L3 Networker

Hi @mfranzonYou view the release notes to the Cortex XDR agent conten versions on the customer support portal in the Updates > Dynamic Updates > Traps section. 

 

L0 Member

Thanks @WSeldenIII, found it.

L1 Bithead

Hi,

 

For this Added Medium Analytics BIOCs:

  • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - added a new Medium alert

Is it possible to alert this kind of attack?

No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loade...

 

Thank You.

L0 Member

Hi,


the Info that something changed for the better is nice, but it'd be even better if there is a possibility to review the changes made.
To this day I think there isn't a possibility to view Analytics BIOC Rules.
The fact that Cortex XDR isn't a "black box" like other XDR/EDR products, that it's possible to view and alter standard BIOC Rules was the deciding factor for us to take the product into our MSSP program.

 

Best regards

L1 Bithead

Hi @vcotton ,
Could you please provide information on the changes that came with content 700-18331 released on 22 September 2022?

A customer of mine is having issues with their SQL servers since the content version was installed.

Thanks,

Tim

L0 Member

Hi @vcotton ,

 

shouldn't this page be only available to people who login ? as not to give too much information to TAs ? Just thinking. 

This page is for the moment available to anybody.

 

Regards

Frank

L1 Bithead

A successful SSO sign-in from TOR..... =   Failed

Several customers get this alert now, and it is login from local 10..x.x.x IP-addresses

L1 Bithead

We are suddenly being flooded with "A Successful login from TOR" events in our org. Anyone else?

L3 Networker

Seeing the same as @NilsGab, multiple alerts after the release of 2023.03.27.1020 on agent 7.9.1.26645.

All from local logins on 192.168.x.x networks, and all Tor exit nodes are blocked for in- and outbound traffic in the firewall using the list from PAN.

L0 Member
We had to disable that one!
L1 Bithead

Getting flooded with "A Successful login from TOR' alerts detected by XDR Analytics BIOC" over here as well.

L1 Bithead

We are also getting flooded with "A Successful login from TOR' alerts detected by XDR Analytics BIOC" too

L1 Bithead

The same here...

L0 Member

Same here...

 

L1 Bithead

The same here

L0 Member

Hey, from panw research. We have disabled the detector and will investigate what went wrong.

L2 Linker

Same here!

L1 Bithead

We just turned this off.

 

Settings  > Configurations > Cortex XDR - Analytics ,and in the Featured in Analytics section, DISABLE Identity Analytics.

L1 Bithead

wouldn't it be better to just exlude the alerts instead of disabling analytics ?

 

L1 Bithead

Can verify we are also getting flooded with "'A Successful login from TOR' alerts detected by XDR Analytics BIOC" alerts. Can anyone clarify what BIOC needs to be disabled in order to stop these alerts?

L0 Member

We began seeing the '"A Successful login from TOR' generated by XDR Analytics BIOC detected on host XXXX involving user YYYY" incidents at 21:10 UTC in our environment.

Looking into to Parkerjr2's post to turn off Identity Analytics.  Anyone else done this (or other temporary mitigation) with success?  Thanks.

L0 Member

same issue here, please advise!

L0 Member

You can disable the alert by going to this page, finding the rule, right-click 'disable'.

 

Just fill in the url with your tenant name and region and it should work.

https://<tenant>.<region>.paloaltonetworks.com/rules/analytic-bioc

L0 Member
Go into BIOC.. then select analytics bioc’s at the top of the screen.. This is the fastest way to make it stop. We only disabled that one: “ A successful login from TOR”

L1 Bithead

We are getting the same here.... lots of "Successful login from TOR' alerts".

 

L0 Member

No need to do any modifications. This was disabled on the backend 

L1 Bithead

My earlier comment was our initial reaction. Not saying it is/was the right move. Disabling the alert sounds more like the right move unless it has been fixed on the backend as mentioned. 

L0 Member

A combination of disabling the BIOC rule and excluding the alerts seems to do the trick. If your tenant has a few thousand endpoints, then you will need to wait whilst it plays catchup and processes all the events.

Given how much Identity Analytics does, I wouldn't disable that feature. It's clear the new content update is flagging BAU traffic as TOR.

  • 4572290 Views
  • 29 comments
  • 13 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎03-19-2024 03:51 AM
Updated by: