Content Release Notes

Cortex XDR Content Release Notes

May 30 2023 Release:

  • Improved logic of 3 High Analytics BIOCs:
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOC
  • Improved logic of a High Analytics Alert:
    • Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
  • Improved logic of 7 Medium Analytics BIOCs:
    • Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOC
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOC
    • Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - improved logic of a Medium Analytics BIOC
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - improved logic of a Medium Analytics BIOC
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics BIOCs:
    • Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - changed metadata of a Medium Analytics BIOC
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOC
  • Added 2 new Low Analytics BIOCs:
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - added a new Low alert
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - added a new Low alert
  • Improved logic of 34 Low Analytics BIOCs:
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - improved logic of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOC
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - improved logic of a Low Analytics BIOC
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of a Low Analytics BIOC
    • First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - improved logic of a Low Analytics BIOC
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - improved logic of a Low Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOC
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOC
    • Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOC
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOC
    • Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - improved logic of a Low Analytics BIOC
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of a Low Analytics BIOC
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOC
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOC
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOC
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - improved logic of a Low Analytics BIOC
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOC
    • MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - improved logic of a Low Analytics BIOC
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - improved logic of a Low Analytics BIOC
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOC
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - improved logic of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOC
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOC
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOC
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOC
    • Conditional Access policy removed (f667c079-ed9c-4ee1-a604-964440c92051) - improved logic of a Low Analytics BIOC
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOC
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - improved logic of a Low Analytics BIOC
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOC
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOC
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOC
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOC
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOC
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOC
  • Changed metadata of 3 Low Analytics BIOCs:
    • Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - changed metadata of a Low Analytics BIOC
    • Unusual Kubernetes API server communication from a pod (ffa2e838-57be-4d1d-ae93-aa17fb738c37) - changed metadata of a Low Analytics BIOC
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Low Analytics Alert
    • Allocation of compute resources in multiple regions (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alert
    • Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alert
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alert
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
  • Added a new Informational Analytics BIOC:
    • Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - added a new Informational alert
  • Improved logic of 120 Informational Analytics BIOCs:
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOC
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOC
    • Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOC
    • GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOC
    • GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOC
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOC
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOC
    • An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOC
    • Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOC
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of an Informational Analytics BIOC
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOC
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOC
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOC
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOC
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOC
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - improved logic of an Informational Analytics BIOC
    • Azure AD PIM elevation request (c2d1d670-fe63-4676-8bdb-f147d6823d48) - improved logic of an Informational Analytics BIOC
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOC
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOC
    • GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOC
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
    • GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOC
    • AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOC
    • IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOC
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOC
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOC
    • GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOC
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOC
    • Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOC
    • A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOC
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOC
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOC
    • Azure application consent attempt (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - improved logic of an Informational Analytics BIOC
    • Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOC
    • AWS Root account activity (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOC
    • AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOC
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - improved logic of an Informational Analytics BIOC
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOC
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - improved logic of an Informational Analytics BIOC
    • GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOC
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
    • GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOC
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - improved logic of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOC
    • Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOC
    • Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOC
    • GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOC
    • GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOC
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added or updated (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
    • A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOC
    • Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOC
    • Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOC
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOC
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - improved logic of an Informational Analytics BIOC
    • An identity created or updated password for an IAM user (a9bf8f7d-8d01-40b6-b1fc-a6126e9e7656) - improved logic of an Informational Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOC
    • Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOC
    • Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOC
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOC
    • AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOC
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOC
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOC
    • Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOC
    • Unverified domain added to Azure AD (030963fb-eb31-4cf7-ab0a-4e9681dda8a8) - improved logic of an Informational Analytics BIOC
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOC
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOC
    • EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOC
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - improved logic of an Informational Analytics BIOC
    • BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - improved logic of an Informational Analytics BIOC
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOC
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOC
    • Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOC
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOC
    • GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOC
    • AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOC
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
    • GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOC
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOC
    • GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOC
    • GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOC
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOC
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - improved logic of an Informational Analytics BIOC
    • A cloud storage configuration was modified (2443ff34-fbdb-4281-9502-f1b1a33ccb3c4) - improved logic of an Informational Analytics BIOC
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOC
    • AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOC
    • S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOC
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOC
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - improved logic of an Informational Analytics BIOC
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOC
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOC
    • GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOC
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - improved logic of an Informational Analytics BIOC
    • Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOC
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOC
    • An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOC
    • Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOC
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOC
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - improved logic of an Informational Analytics BIOC
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOC
    • An identity attached an administrative policy to an IAM user (a0aa6d99-ab79-41f0-9c3b-e23ffee74e39) - improved logic of an Informational Analytics BIOC
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - improved logic of an Informational Analytics BIOC
    • Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - improved logic of an Informational Analytics BIOC
    • GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOC
    • GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOC
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
    • Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOC
    • Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - improved logic of an Informational Analytics BIOC
    • AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOC
    • GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOC
    • MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOC
    • Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - changed metadata of an Informational Analytics BIOC
    • VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - changed metadata of an Informational Analytics BIOC
  • Added a new Informational Analytics Alert:
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - added a new Informational alert
  • Improved logic of 16 Informational Analytics Alerts:
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alert
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alert
    • Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - improved logic of an Informational Analytics Alert
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - improved logic of an Informational Analytics Alert
    • Multiple cloud virtual machines export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alert
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alert
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alert
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alert
    • Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alert
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alert
    • Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - improved logic of an Informational Analytics Alert
  • Changed metadata of an Informational Analytics Alert:
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - changed metadata of an Informational Analytics Alert

May 23 2023 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - changed metadata of a Medium Analytics BIOC
  • Added a new Low Analytics BIOC:
    • Unusual Kubernetes API server communication from a pod (ffa2e838-57be-4d1d-ae93-aa17fb738c37) - added a new Low alert
  • Improved logic of 12 Low Analytics BIOCs:
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOC
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOC
    • Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - improved logic of a Low Analytics BIOC
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOC
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOC
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - improved logic of a Low Analytics BIOC
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of a Low Analytics BIOC
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOC
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOC
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOC
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - improved logic of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
  • Changed metadata of 2 Low Analytics BIOCs:
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - changed metadata of a Low Analytics BIOC
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - changed metadata of a Low Analytics BIOC
  • Temporarily removed a Low Analytics BIOC for improvement:
    • Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - temporarily removed a Low alert for improvement
  • Improved logic of 4 Low Analytics Alerts:
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alert
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alert
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alert
  • Changed metadata of 3 Low Analytics Alerts:
    • Allocation of compute resources in multiple regions (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Low Analytics Alert
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Low Analytics Alert
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alert
  • Added a new Informational Analytics BIOC:
    • DSC (Desired State Configuration) lateral movement using PowerShell (db8cf34e-eb16-445a-a4b0-cd36ba1366a0) - added a new Informational alert
  • Improved logic of 22 Informational Analytics BIOCs:
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOC
    • Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - improved logic of an Informational Analytics BIOC
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOC
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - improved logic of an Informational Analytics BIOC
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOC
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOC
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOC
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOC
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOC
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOC
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOC
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of an Informational Analytics BIOC
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOC
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOC
    • Azure application consent attempt (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - improved logic of an Informational Analytics BIOC
    • Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOC
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOC
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - improved logic of an Informational Analytics BIOCs
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 16 Informational Analytics BIOCs:
    • A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - changed metadata of an Informational Analytics BIOCs
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - changed metadata of an Informational Analytics BIOCs
    • A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - changed metadata of an Informational Analytics BIOCs
    • Unverified domain added to Azure AD (030963fb-eb31-4cf7-ab0a-4e9681dda8a8) - changed metadata of an Informational Analytics BIOCs
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs
    • Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of an Informational Analytics BIOCs
    • VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - changed metadata of an Informational Analytics BIOCs
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - changed metadata of an Informational Analytics BIOCs
    • Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - changed metadata of an Informational Analytics BIOCs
    • Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs
  • Temporarily removed an Informational Analytics BIOC for improvement:
    • Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - temporarily removed Informational alert for improvement
  • Improved logic of 3 Informational Analytics Alerts:
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts
  • Changed metadata of 7 Informational Analytics Alerts:
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - changed metadata of an Informational Analytics Alerts
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - changed metadata of an Informational Analytics Alerts
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - changed metadata of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alerts
May 17 2023 Release:

  • Improved logic of 5 High Analytics BIOCs:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - improved logic of a High Analytics BIOCs
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOCs
    • Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - improved logic of a High Analytics BIOCs
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOCs
  • Changed metadata of a Medium BIOC:
    • Possible Firefox browser history and bookmarks collection via command-line tool (59bcaa15-6a26-49a9-b8db-4978b1148f13) - changed metadata of a Medium BIOC
  • Improved logic of 20 Medium Analytics BIOCs:
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOCs
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOCs
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - improved logic of a Medium Analytics BIOCs
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOCs
    • Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOCs
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - improved logic of a Medium Analytics BIOCs
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs
    • Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs
    • Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Medium Analytics BIOCs
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs
    • Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs
    • Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - improved logic of a Medium Analytics BIOCs
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
  • Changed metadata of a Medium Analytics BIOC:
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
  • Decreased the severity to Low for a BIOC:
    • Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - decreased the severity to Low
  • Improved logic of 37 Low Analytics BIOCs:
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOCs
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOCs
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOCs
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOCs
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
    • Suspicious ICMP packet (f3389ebd-c09d-412d-b507-fb0d4f692130) - improved logic of a Low Analytics BIOCs
    • PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - improved logic of a Low Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOCs
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs
    • Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved logic of a Low Analytics BIOCs
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - improved logic of a Low Analytics BIOCs
    • Attempt to execute a command on a remote host using PsExec.exe (ddf3b8d9-53e0-8410-c76a-d2e6b5203438) - improved logic of a Low Analytics BIOCs
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
    • Uncommon msiexec execution of an arbitrary file from a remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOCs
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
    • Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - improved logic of a Low Analytics BIOCs
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
    • Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - improved logic of a Low Analytics BIOCs
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOCs
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - improved logic of a Low Analytics BIOCs
    • Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - improved logic of a Low Analytics BIOCs
  • Changed metadata of a Low Analytics BIOC:
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOC
  • Added 2 new Low Analytics Alerts:
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - added a new Low alert
    • Abnormal SMB activity to multiples hosts (629119e4-611d-43bf-8a0e-38b5ff3e281e) - added a new Low alert
  • Improved logic of 3 Low Analytics Alerts:
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
  • Decreased the severity to Informational for a BIOC:
    • Microsoft Office executes an unsigned process in a suspicious directory (e1befc42-a6f8-403f-94db-2bb4d0e70439) - decreased the severity to Informational
  • Added a new Informational Analytics BIOC:
    • An identity attached an administrative policy to an IAM user (a0aa6d99-ab79-41f0-9c3b-e23ffee74e39) - added a new Informational alert
  • Improved logic of 51 Informational Analytics BIOCs:
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOCs
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOCs
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - improved logic of an Informational Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
    • Suspicious network traffic to a crypto miner related domain (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOCs
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Possible use of IPFS was detected (6089c9b0-1842-4641-adc4-64165886ae19) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOCs
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
    • Possible IPFS traffic was detected (7db8528e-829d-4b64-94ad-815e054da2f8) - improved logic of an Informational Analytics BIOCs
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - improved logic of an Informational Analytics BIOCs
    • A Torrent client was detected on a host (5fcceaca-8602-4b62-a2a7-d16fb61f0e41) - improved logic of an Informational Analytics BIOCs
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
    • A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - improved logic of an Informational Analytics BIOCs
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOCs
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOCs
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - improved logic of an Informational Analytics BIOCs
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - improved logic of an Informational Analytics BIOCs
    • Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - improved logic of an Informational Analytics BIOCs
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of an Informational Analytics BIOC:
    • Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - changed metadata of an Informational Analytics BIOC
  • Improved logic of 6 Informational Analytics Alerts:
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts
  • Changed metadata of 2 Informational Analytics Alerts:
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alerts
May 09 2023 Release:

  • Improved logic of 3 High Analytics BIOCs:
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOCs
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - improved logic of a High Analytics BIOCs
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
  • Added 2 new Medium Analytics BIOCs:
    • Possible collection of screen captures with Windows Problem Steps Recorder (28f11a20-9611-4099-8c05-f6437a5ea9d5) - added a new Medium alert
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - added a new Medium alert
  • Improved logic of 9 Medium Analytics BIOCs:
    • A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - improved logic of a Medium Analytics BIOCs
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
    • Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Medium Analytics BIOCs
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
    • Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - improved logic of a Medium Analytics BIOCs
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
  • Improved logic of 18 Low Analytics BIOCs:
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOCs
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - improved logic of a Low Analytics BIOCs
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOCs
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOCs
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - improved logic of a Low Analytics BIOCs
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - improved logic of a Low Analytics BIOCs
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOCs
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOCs
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
    • A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOCs
  • Changed metadata of a Low Analytics BIOC:
    • Stored credentials exported using credwiz.exe (97f50040-5670-43b3-9afc-1d0e5b1a76bb) - changed metadata of a Low Analytics BIOC
  • Temporarily removed a Low Analytics BIOC for improvement:
    • An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - temporarily removed Low alert for improvement
  • Improved logic of 3 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
  • Decreased the severity to Informational for an Analytics BIOC:
    • Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 35 Informational Analytics BIOCs:
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOC
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - improved logic of an Informational Analytics BIOC
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOC
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - improved logic of an Informational Analytics BIOC
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOC
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - improved logic of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - improved logic of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOC
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOC
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOC
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - improved logic of an Informational Analytics BIOC
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOC
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - improved logic of an Informational Analytics BIOC
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOC
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOC
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOC
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOC
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOC
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOC
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOC
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOC
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - improved logic of an Informational Analytics BIOC
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOC
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOC
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOC
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of an Informational Analytics BIOC
  • Decreased the severity to Informational for an Analytics Alert:
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 5 Informational Analytics Alerts:
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alert
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alert
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alert
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alert

May 01 2023 Release:

  • Increased the severity to Low for an Analytics BIOC:
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - increased the severity to Low, and improved detection logic
  • Improved logic of 2 Low Analytics BIOCs:
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - improved logic of a Low Analytics BIOC
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - improved logic of a Low Analytics BIOC
  • Decreased the severity to Informational for an Analytics BIOC:
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - decreased the severity to Informational, and improved detection logic
  • Added a new Informational Analytics BIOC:
    • Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - added a new Informational alert
  • Improved logic of 6 Informational Analytics BIOCs:
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - improved logic of an Informational Analytics BIOC
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOC
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - improved logic of an Informational Analytics BIOC
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOC
    • Azure application consent attempt (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - improved logic of an Informational Analytics BIOC
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of an Informational Analytics BIOC
  • Decreased the severity to Informational for an Analytics Alert:
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - decreased the severity to Informational, and improved detection logic
  • Temporarily removed an Informational Analytics Alert for improvement:
    • Multiple discovery commands on Linux host (1499fa5b-ad53-4d60-ba2d-a3c790e20ca8) - temporarily removed Informational alert for improvement

Comments
L0 Member

Hi, can I ask you where I can find the content update version with the release date?

For example: the Cortex XDR agent content version 172-54504, when was it released?

 

Thanks

L3 Networker

Hi @mfranzon, you can view the release notes for the Cortex XDR agent content versions on the customer support portal in the Updates > Dynamic Updates > Traps section.

 

L0 Member

Thanks @WSeldenIII, found it.

L1 Bithead

Hi,

 

For this added Medium Analytics BIOC:

  • Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - added a new Medium alert

Is it possible to alert on this kind of attack?

No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loade...

 

Thank You.

L0 Member

Hi,

The info that something changed for the better is nice, but it'd be even better if there were a possibility to review the changes made.
To this day I think there isn't a possibility to view Analytics BIOC Rules.
The fact that Cortex XDR isn't a "black box" like other XDR/EDR products, and that it's possible to view and alter standard BIOC Rules, was the deciding factor for us to take the product into our MSSP program.

 

Best regards

L1 Bithead

Hi @vcotton ,
Could you please provide information on the changes that came with content 700-18331 released on 22 September 2022?

A customer of mine is having issues with their SQL servers since the content version was installed.

Thanks,

Tim

L0 Member

Hi @vcotton ,

 

Shouldn't this page be available only to people who log in, so as not to give too much information to TAs? Just thinking.

This page is for the moment available to anybody.

 

Regards

Frank

L1 Bithead

A successful SSO sign-in from TOR..... =   Failed

Several customers get this alert now, and it is logins from local 10.x.x.x IP addresses.

L1 Bithead

We are suddenly being flooded with "A Successful login from TOR" events in our org. Anyone else?

L3 Networker

Seeing the same as @NilsGab, multiple alerts after the release of 2023.03.27.1020 on agent 7.9.1.26645.

All from local logins on 192.168.x.x networks, and all Tor exit nodes are blocked for in- and outbound traffic in the firewall using the list from PAN.

L0 Member

We had to disable that one!
L1 Bithead

Getting flooded with "'A Successful login from TOR' alerts detected by XDR Analytics BIOC" over here as well.

L0 Member

We are also getting flooded with "'A Successful login from TOR' alerts detected by XDR Analytics BIOC" too

L1 Bithead

The same here...

L0 Member

Same here...

 

L1 Bithead

The same here

L0 Member

Hey, from panw research. We have disabled the detector and will investigate what went wrong.

L1 Bithead

Same here!

L1 Bithead

We just turned this off.

 

Settings > Configurations > Cortex XDR - Analytics, and in the Featured in Analytics section, DISABLE Identity Analytics.

L1 Bithead

Wouldn't it be better to just exclude the alerts instead of disabling analytics?

 

L1 Bithead

Can verify we are also getting flooded with "'A Successful login from TOR' alerts detected by XDR Analytics BIOC" alerts. Can anyone clarify which BIOC needs to be disabled in order to stop these alerts?

L0 Member

We began seeing the "'A Successful login from TOR' generated by XDR Analytics BIOC detected on host XXXX involving user YYYY" incidents at 21:10 UTC in our environment.

Looking into Parkerjr2's post to turn off Identity Analytics. Anyone else done this (or other temporary mitigation) with success? Thanks.

L0 Member

same issue here, please advise!

L0 Member

You can disable the alert by going to this page, finding the rule, right-click 'disable'.

 

Just fill in the url with your tenant name and region and it should work.

https://<tenant>.<region>.paloaltonetworks.com/rules/analytic-bioc

L0 Member

Go into BIOC, then select Analytics BIOCs at the top of the screen. This is the fastest way to make it stop. We only disabled that one: "A successful login from TOR".

L0 Member

We are getting the same here.... lots of "'Successful login from TOR' alerts".

 

L0 Member

No need to do any modifications. This was disabled on the backend 

L1 Bithead

My earlier comment was our initial reaction. Not saying it is/was the right move. Disabling the alert sounds more like the right move unless it has been fixed on the backend as mentioned. 

L0 Member

A combination of disabling the BIOC rule and excluding the alerts seems to do the trick. If your tenant has a few thousand endpoints, then you will need to wait whilst it plays catchup and processes all the events.

Given how much Identity Analytics does, I wouldn't disable that feature. It's clear the new content update is flagging BAU traffic as TOR.

Last Updated: 05-30-2023 07:35 AM