This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
Cortex XDR Articles
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Content Release Notes

Cortex XDR Content Release Notes January 29 2023 Release: Added a new Low Analytics BIOC: Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - added a new Low alert Improved logic of 2 Low Analytics BIOCs: Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Improved logic of 2 Informational Analytics BIOCs: VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: A user attempted to bypass OKTA MFA (3b7c5800-373a-11ed-98f6-acde48001122) - removed an old Informational alert January 23 2023 Release: Improved logic of a High Analytics BIOC: A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC Improved logic of a Medium Analytics BIOC: Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC Improved logic of 2 Low Analytics BIOCs: SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert Improved logic of 9 Informational Analytics BIOCs: Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs AWS Root account activity (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: A user deactivated an OKTA MFA factor (eb53b9a8-3756-11ed-b4a7-acde48001122) - removed an old Informational alert   January 15 2023 Release: Decreased the severity to Medium for a BIOC: LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - decreased the severity to Medium Improved logic of 3 Medium Analytics BIOCs: Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Added a new Low Analytics BIOC: Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - added a new Low alert Improved logic of 2 Low Analytics BIOCs: Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOCs Decreased the severity to Informational for a BIOC: Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - decreased the severity to Informational Added a new Informational Analytics BIOC: Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - added a new Informational alert Improved logic of 5 Informational Analytics BIOCs: Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs Uncommon communication to instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Removed an old Informational Analytics Alert: User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - removed an old Informational alert January 08 2023 Release: Increased the severity to High for an Analytics BIOC: Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - increased the severity to High Removed an old Medium BIOC: Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - removed an old Medium alert Changed metadata of a Medium Analytics BIOC: A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOC Improved logic of a Low Analytics Alert: Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert Added a new Informational Analytics BIOC: Uncommon communication to instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - added a new Informational alert Improved logic of an Informational Analytics BIOC: Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOC   January 03 2023 Release: Improved logic of 2 High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Added a new Medium Analytics BIOC: Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - added a new Medium alert Improved logic of 5 Medium Analytics BIOCs: Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Changed metadata of a Medium Analytics Alert: A contained process attempted to escape using notify on release feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - changed metadata of a Medium Analytics Alert Improved logic of 15 Low Analytics BIOCs: Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs Removed an old Low Analytics BIOC: SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - removed an old Low alert Improved logic of 5 Low Analytics Alerts: Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts Removed 2 old Low Analytics Alerts: VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - removed an old Low alert Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - removed an old Low alert Decreased the severity to Informational for 5 Analytics BIOCs: VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - decreased the severity to Informational, and improved detection logic Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - decreased the severity to Informational, and improved detection logic Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - decreased the severity to Informational, and improved detection logic VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - decreased the severity to Informational, and improved detection logic First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - decreased the severity to Informational, and improved detection logic Added 2 new Informational Analytics BIOCs: Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - added a new Informational alert A cloud storage configuration was modified (2443ff34-fbdb-4281-9502-f1b1a33ccb3c4) - added a new Informational alert Improved logic of 89 Informational Analytics BIOCs: Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs Removed 2 old Informational Analytics BIOCs: A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - removed an old Informational alert User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - removed an old Informational alert Improved logic of 4 Informational Analytics Alerts: Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Removed an old Informational Analytics Alert: A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - removed an old Informational alert December 19 2022 Release: Improved logic of 2 Medium Analytics BIOCs: Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Added 2 new Low Analytics BIOCs: An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - added a new Low alert Stored credentials exported using credwiz.exe (97f50040-5670-43b3-9afc-1d0e5b1a76bb) - added a new Low alert Improved logic of 2 Low Analytics BIOCs: Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - improved logic of a Low Analytics BIOCs Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs Removed an old Low Analytics BIOC: Rundll32.exe used keymgr.dll to extract credentials (30d50445-32d4-4681-aefc-31ccc476cc14) - removed an old Low alert Improved logic of 2 Low Analytics Alerts: Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts Improved logic of 5 Informational Analytics BIOCs: Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - improved logic of an Informational Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of an Informational Analytics BIOCs A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs   December 11 2022 Release: Improved logic of 2 Medium Analytics BIOCs: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert Improved logic of a Low Analytics BIOC: Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOC Changed metadata of a Low Analytics BIOC: Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOC Improved logic of a Low Analytics Alert: TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alert Decreased the severity to Informational for 3 Analytics BIOCs: Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - decreased the severity to Informational, and improved detection logic A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - decreased the severity to Informational, and improved detection logic A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - decreased the severity to Informational, and improved detection logic Added 3 new Informational Analytics BIOCs: A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - added a new Informational alert Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - added a new Informational alert A user deactivated an OKTA MFA factor (eb53b9a8-3756-11ed-b4a7-acde48001122) - added a new Informational alert Improved logic of an Informational Analytics BIOC: Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC December 04 2022 Release: Decreased the severity to Medium for an Analytics BIOC: Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - decreased the severity to Medium, and improved detection logic Improved logic of a Medium Analytics BIOC: Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC Improved logic of 2 Low Analytics BIOCs: A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs Changed metadata of 2 Low Analytics BIOCs: Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert Decreased the severity to Informational for an Analytics BIOC: Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - decreased the severity to Informational Added a new Informational Analytics BIOC: A user attempted to bypass OKTA MFA (3b7c5800-373a-11ed-98f6-acde48001122) - added a new Informational alert Improved logic of 6 Informational Analytics BIOCs: A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - added a new Informational alert November 27 2022 Release: Improved logic of 2 High Analytics BIOCs: Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Improved logic of 4 Medium Analytics BIOCs: MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Changed metadata of 6 Medium Analytics BIOCs: Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs Improved logic of 2 Medium Analytics Alerts: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts Added a new Low Analytics BIOC: Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - added a new Low alert Improved logic of 11 Low Analytics BIOCs: Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - improved logic of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs Improved logic of 8 Low Analytics Alerts: Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic  of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts Changed metadata of a Low Analytics Alert: Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alert Decreased the severity to Informational for an Analytics BIOC: Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics BIOC: Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - added a new Informational alert Improved logic of 31 Informational Analytics BIOCs: First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - improved logic of an Informational Analytics BIOCs VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs Improved logic of 5 Informational Analytics Alerts: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - improved logic of an Informational Analytics Alerts   November 21 2022 Release: Improved logic of a Medium Analytics BIOC: Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOC Changed metadata of 14 Medium Analytics BIOCs: Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - changed metadata of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs Increased the severity to Low for an Analytics BIOC: Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - increased the severity to Low, and improved detection logic Improved logic of a Low Analytics BIOC: Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC Changed metadata of 3 Low Analytics BIOCs: Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs Decreased the severity to Informational for an Analytics BIOC: Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - decreased the severity to Informational, and improved detection logic Improved logic of an Informational Analytics BIOC: Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOC Removed an old Informational Analytics BIOC: A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - removed an old Informational alert Improved logic of an Informational Analytics Alert: A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alert   November 13 2022 Release: Improved logic of a High Analytics BIOC: Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOC Changed metadata of a High Analytics BIOC: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOC Improved logic of a High Analytics Alert: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alert Changed metadata of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert Changed metadata of 3 Medium BIOCs: Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - changed metadata of a Medium BIOCs Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - changed metadata of a Medium BIOCs Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - changed metadata of a Medium BIOCs Added a new Medium Analytics BIOC: A process was executed with a command line obfuscated by Unicode character substitution (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - added a new Medium alert Changed metadata of 25 Medium Analytics BIOCs: Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOCs Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - changed metadata of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs Changed metadata of 5 Medium Analytics Alerts: DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts Changed metadata of 2 Low BIOCs: Accessing bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - changed metadata of a Low BIOCs Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOCs Improved logic of 4 Low Analytics BIOCs: Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Changed metadata of 39 Low Analytics BIOCs: Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - changed metadata of a Low Analytics BIOCs Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - changed metadata of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - changed metadata of a Low Analytics BIOCs An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - changed metadata of a Low Analytics BIOCs An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - changed metadata of a Low Analytics BIOCs Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - changed metadata of a Low Analytics BIOCs Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - changed metadata of a Low Analytics BIOCs Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - changed metadata of a Low Analytics BIOCs Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - changed metadata of a Low Analytics BIOCs Improved logic of 12 Low Analytics Alerts: VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Changed metadata of 9 Low Analytics Alerts: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Low Analytics Alerts Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - changed metadata of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Low Analytics Alerts Changed metadata of 9 Informational BIOCs: Log deletion using the truncate command (1afe4c22-2163-45ad-a90a-f130eaed6ff2) - changed metadata of an Informational BIOCs File timestamp tampering (624b8f91-842c-4f04-87e1-71aa7bdb727c) - changed metadata of an Informational BIOCs Possible ARP reconnaissance (69b6a970-5018-4e34-8bc9-8cfcfe48fac2) - changed metadata of an Informational BIOCs Possible log destruction using dd command (7620b496-3804-4b00-83eb-85378033b6bd) - changed metadata of an Informational BIOCs Clearing logs by executing cat /dev/null (787aa313-7ef6-40a9-a68c-bdcc9610c35f) - changed metadata of an Informational BIOCs Log deletion in known log file directories (4c91da94-296f-49c3-9e3d-4f040269391e) - changed metadata of an Informational BIOCs Clearing logs by copying /dev/null to a log file (62affbe1-1c47-4dc1-88d2-bd701e9be6d7) - changed metadata of an Informational BIOCs Log deletion via command-line tool (55ed9a90-b68b-4e55-a165-eda5d1cab906) - changed metadata of an Informational BIOCs Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - changed metadata of an Informational BIOCs Decreased the severity to Informational for an Analytics BIOC: Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - decreased the severity to Informational, and improved detection logic Added 2 new Informational Analytics BIOCs: Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - added a new Informational alert A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - added a new Informational alert Improved logic of 5 Informational Analytics BIOCs: A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs Changed metadata of 93 Informational Analytics BIOCs: Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - changed metadata of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - changed metadata of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - changed metadata of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - changed metadata of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - changed metadata of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - changed metadata of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOCs Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - changed metadata of an Informational Analytics BIOCs Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - changed metadata of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - changed metadata of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - changed metadata of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - changed metadata of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs Added a new Informational Analytics Alert: A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - added a new Informational alert Improved logic of 10 Informational Analytics Alerts: SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts Changed metadata of 7 Informational Analytics Alerts: A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alerts A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - changed metadata of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alert   November 06 2022 Release: Improved logic of a High Analytics BIOC: Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOC Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Improved logic of 3 Medium Analytics BIOCs: Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics BIOC: Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOC Improved logic of 2 Medium Analytics Alerts: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts Improved logic of 3 Low Analytics BIOCs: Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs Improved logic of 4 Low Analytics Alerts: An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts Removed an old Low Analytics Alert: Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - removed an old Low alert Added 2 new Informational Analytics BIOCs: Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - added a new Informational alert An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - added a new Informational alert Improved logic of 17 Informational Analytics BIOCs: Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts   October 30 2022 Release: Improved logic of 3 High Analytics BIOCs: A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Improved logic of 3 Medium Analytics BIOCs: Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Improved logic of 3 Medium Analytics Alerts: Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts Improved logic of 20 Low Analytics BIOCs: GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOCs Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs Improved logic of 14 Low Analytics Alerts: Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts Added 2 new Informational Analytics BIOCs: An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - added a new Informational alert Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - added a new Informational alert Improved logic of 87 Informational Analytics BIOCs: Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs Improved logic of 8 Informational Analytics Alerts: Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - improved logic of an Informational Analytics Alerts User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts   October 24 2022 Release: Removed an old Medium BIOC: Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - removed an old Medium alert Improved logic of 3 Medium Analytics BIOCs: Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert Added 2 new Low Analytics BIOCs: Uncommon access to Microsoft Teams credential files (1bb7c565-fa59-4fd8-b779-7f32ad96caad) - added a new Low alert Rundll32.exe used keymgr.dll to extract credentials (30d50445-32d4-4681-aefc-31ccc476cc14) - added a new Low alert Improved logic of 3 Low Analytics BIOCs: Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Added a new Low Analytics Alert: An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - added a new Low alert Improved logic of 2 Low Analytics Alerts: Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts Changed metadata of a Low Analytics Alert: Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alert Decreased the severity to Informational for an Analytics BIOC: Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - decreased the severity to Informational, and improved detection logic Added 3 new Informational Analytics BIOCs: User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - added a new Informational alert Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - added a new Informational alert Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - added a new Informational alert Improved logic of 5 Informational Analytics BIOCs: Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Improved logic of an Informational Analytics Alert: User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alert Changed metadata of 2 Informational Analytics Alerts: Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - changed metadata of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - changed metadata of an Informational Analytics Alerts   October 03 2022 Release: Improved logic of 2 High Analytics BIOCs: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Increased the severity to Medium for an Analytics BIOC: Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - increased the severity to Medium, and improved detection logic Improved logic of 3 Medium Analytics BIOCs: Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Changed metadata of a Medium Analytics Alert: NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert Improved logic of a Low BIOC: RDP connections enabled via Registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - improved logic of a Low BIOC Added a new Low Analytics BIOC: A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - added a new Low alert Improved logic of 12 Low Analytics BIOCs: An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs Added a new Low Analytics Alert: Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - added a new Low alert Improved logic of 5 Low Analytics Alerts: Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts Removed an old Informational BIOC: WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - removed an old Informational alert Added a new Informational Analytics BIOC: A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts   September 18 2022 Release: Improved logic of a High Analytics BIOC: Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOC Removed an old Medium BIOC: Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - removed an old Medium alert Improved logic of 4 Medium Analytics BIOCs: Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - improved logic of a Medium Analytics BIOCs Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Changed metadata of 3 Medium Analytics BIOCs: Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Changed metadata of 3 Medium Analytics Alerts: DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts Decreased the severity to Low for a BIOC: RDP connections enabled via Registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - decreased the severity to Low Decreased the severity to Low for an Analytics BIOC: LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - decreased the severity to Low Added a new Low Analytics BIOC: Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - added a new Low alert Improved logic of 7 Low Analytics BIOCs: Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs Changed metadata of 5 Low Analytics BIOCs: Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - changed metadata of a Low Analytics BIOCs Removed an old Low Analytics BIOC: User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - removed an old Low alert Decreased the severity to Low for an Analytics Alert: Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - decreased the severity to Low, and improved detection logic Improved logic of 5 Low Analytics Alerts: IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts Changed metadata of 5 Low Analytics Alerts: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Decreased the severity to Informational for 4 BIOCs: Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - decreased the severity to Informational Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased the severity to Informational Manipulation of Windows Defender configuration (ee3e2e4a-0fca-4bc5-8b09-0e2b0681420c) - decreased the severity to Informational Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - decreased the severity to Informational Decreased the severity to Informational for an Analytics BIOC: Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - decreased the severity to Informational Added a new Informational Analytics BIOC: Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - added a new Informational alert Improved logic of 25 Informational Analytics BIOCs: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Changed metadata of an Informational Analytics BIOC: Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOC Removed an old Informational Analytics BIOC: A process was executed with an obfuscated command line (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - removed an old Informational alert Added a new Informational Analytics Alert: Multiple discovery commands on Linux host (1499fa5b-ad53-4d60-ba2d-a3c790e20ca8) - added a new Informational alert Improved logic of 4 Informational Analytics Alerts: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts September 11 2022 Release: Added a new Low Analytics BIOC: Uncommon AT task-job creation by user (082e4d29-7037-47d0-b83f-a0226016139c) - added a new Low alert Added 2 new Informational BIOCs: Web browser cookie and credential access (94c75384-9e3f-4eaa-994d-b7315a893b94) - added a new Informational alert Credentials from Web Browsers (737d6f4d-8ddc-4334-abbd-dab5b9a6dc52) - added a new Informational alert Added a new Informational Analytics BIOC: A process was executed with an obfuscated command line (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - added a new Informational alert Improved logic of 2 Informational Analytics BIOCs: VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts Removed an old Informational Analytics Alert: A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - removed an old Informational alert September 06 2022 Release: Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Removed an old Low BIOC: Remote process execution using WMI (5bab2bb9-882a-4101-ace1-700f84171a52) - removed an old Low alert Increased the severity to Low for 2 Analytics BIOCs: Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - increased the severity to Low, and improved detection logic Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - increased the severity to Low Improved logic of 3 Low Analytics BIOCs: Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs Improved logic of 3 Low Analytics Alerts: Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Added a new Informational Analytics BIOC: User discovery via WMI query execution (d60b2b53-4d04-4b9a-b51b-9f7ce490c931) - added a new Informational alert Improved logic of 5 Informational Analytics BIOCs: Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - removed an old Informational alert Improved logic of an Informational Analytics Alert: Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert   August 28 2022 Release: Changed metadata of 2 High BIOCs: Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - changed metadata of a High BIOCs Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - changed metadata of a High BIOCs Changed metadata of 7 Medium BIOCs: Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - changed metadata of a Medium BIOCs Rundll32.exe was used to run JavaScript (c9207f63-0b78-4488-9668-e24bc1b2f9d6) - changed metadata of a Medium BIOCs WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - changed metadata of a Medium BIOCs Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata of a Medium BIOCs Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - changed metadata of a Medium BIOCs Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - changed metadata of a Medium BIOCs Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata of a Medium BIOCs Changed metadata of 10 Medium Analytics BIOCs: Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOCs Changed metadata of a Medium Analytics Alert: An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alert Changed metadata of 6 Low BIOCs: Mshta.exe spawns from a browser (85ebde0e-4969-4d8e-a185-6c27688e0189) - changed metadata of a Low BIOCs Microsoft Connection Manager Profile Installer loads a file from the users to temporary folder (6a53c562-8d65-4728-9fb3-46026904a1ca) - changed metadata of a Low BIOCs UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - changed metadata of a Low BIOCs Microsoft Connection Manager Profile Installer runs command line or PowerShell (c1252b9a-d057-4e08-871b-682148b7a9cc) - changed metadata of a Low BIOCs Microsoft Connection Manager Profile Installer makes connections to the network (860f288c-f1d1-48c3-8883-12864f0b2ccc) - changed metadata of a Low BIOCs Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - changed metadata of a Low BIOCs Added 3 new Low Analytics BIOCs: Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - added a new Low alert Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - added a new Low alert Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - added a new Low alert Improved logic of a Low Analytics BIOC: Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOC Changed metadata of 7 Low Analytics BIOCs: A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - changed metadata of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Low Analytics BIOCs Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - changed metadata of a Low Analytics BIOCs Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs Added a new Informational BIOC: Key Certificate Search And Exfiltrate (81756563-9257-4141-9e66-2f1ad4d4566a) - added a new Informational alert Improved logic of an Informational BIOC: SSH key pair discovery (76d3e2e8-77dc-47a4-902f-f8189da8e883) - improved logic of an Informational BIOC Changed metadata of 13 Informational BIOCs: Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - changed metadata of an Informational BIOCs Tampering with Windows Control Panel configuration (2ba4c53b-03de-4a34-92ec-225cfe1fe0b4) - changed metadata of an Informational BIOCs Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - changed metadata of an Informational BIOCs Execution of regsvcs/regasm with uncommon paths (a1ce5d8b-5ea0-49d2-8d91-8ae4ea752ec0) - changed metadata of an Informational BIOCs Installation of networking security tools (45818abb-9462-4074-ae83-fd56f715ef11) - changed metadata of an Informational BIOCs Execution of commonly abused AutoIT script (13b17653-c885-4d10-bce2-51a63419cf8f) - changed metadata of an Informational BIOCs SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - changed metadata of an Informational BIOCs Microsoft Office spawns curl/wget on a macOS device (3cbf66af-49c6-485c-b5fd-eacce8cc07ba) - changed metadata of an Informational BIOCs Microsoft HTML Application Host spawns from CMD or PowerShell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - changed metadata of an Informational BIOCs Commonly abused process spawns out of rundll32.exe (3d7b9874-a18d-45c9-8002-f1f6575a4f3c) - changed metadata of an Informational BIOCs Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - changed metadata of an Informational BIOCs Browser downloads an .hta or .application file (ea25a4a1-5678-4674-b382-1a195e5dd25c) - changed metadata of an Informational BIOCs Microsoft HTML Application Host spawns from Explorer.exe (b4f5a743-ebc9-4e2e-89aa-fa2505a47eae) - changed metadata of an Informational BIOCs Decreased the severity to Informational for 2 Analytics BIOCs: Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - decreased the severity to Informational, and improved detection logic Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - decreased the severity to Informational, and improved detection logic  Added 4 new Informational Analytics BIOCs:  A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - added a new Informational alert Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - added a new Informational alert Creation or modification of the default command executed when opening an application (cd392d6e-e448-46d6-8af3-d2e8a6d79e71) - added a new Informational alert Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - added a new Informational alert Improved logic of 2 Informational Analytics BIOCs: An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Changed metadata of 2 Informational Analytics BIOCs: Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Improved logic of 2 Informational Analytics Alerts: Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts Changed metadata of an Informational Analytics Alert: Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - changed metadata of an Informational Analytics Alert   August 21 2022 Release: Added a new Medium Analytics BIOC: Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - added a new Medium alert Increased the severity to Low for 3 BIOCs: Port Monitor added in Registry (bc1df7df-f4a0-4470-bfbd-e042fc8cfe0a) - increased the severity to Low Print Processor Registration (d218018c-3fe1-43c3-816b-331dfb914401) - increased the severity to Low Active Setup Registry Autostart (6dedf6eb-38a0-467b-858c-cacef3ddb3bb) - increased the severity to Low Improved logic of a Low BIOC: Internet Explorer home page modification (e4cf6b6e-70cc-4b02-a82d-148e10c36f76) - improved logic of a Low BIOC Added a new Low Analytics BIOC: Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - added a new Low alert Improved logic of a Low Analytics BIOC: Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOC Improved logic of a Low Analytics Alert: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert Improved logic of an Informational BIOC: Shell history access (735fd839-4959-4e5d-9207-fdf517b977a1) - improved logic of an Informational BIOC Removed an old Informational BIOC: Time provider Registration (76d43800-76bb-459e-ad10-3e8b85e12a2f) - removed an old Informational alert Decreased the severity to Informational for an Analytics BIOC: Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - decreased the severity to Informational, and improved detection logic Improved logic of an Informational Analytics Alert: Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alert   August 14 2022 Release: Improved logic of 19 High Analytics BIOCs: A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - improved logic of a High Analytics BIOCs Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - improved logic of a High Analytics BIOCs Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - improved logic of a High Analytics BIOCs Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - improved logic of a High Analytics BIOCs Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - improved logic of a High Analytics BIOCs Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOCs Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - improved logic of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - improved logic of a High Analytics BIOCs PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - improved logic of a High Analytics BIOCs A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - improved logic of a High Analytics BIOCs Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOCs Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - improved logic of a High Analytics BIOCs Improved logic of 2 High Analytics Alerts: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alerts Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alerts Improved logic of 83 Medium Analytics BIOCs: Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - improved logic of a Medium Analytics BIOCs Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOCs A contained executable was executed by unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - improved logic of a Medium Analytics BIOCs A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - improved logic of a Medium Analytics BIOCs Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - improved logic of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - improved logic of a Medium Analytics BIOCs A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOCs Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - improved logic of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - improved logic of a Medium Analytics BIOCs Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - improved logic of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - improved logic of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - improved logic of a Medium Analytics BIOCs Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - improved logic of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - improved logic of a Medium Analytics BIOCs PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - improved logic of a Medium Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - improved logic of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - improved logic of a Medium Analytics BIOCs Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved logic of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - improved logic of a Medium Analytics BIOCs Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - improved logic of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - improved logic of a Medium Analytics BIOCs Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - improved logic of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - improved logic of a Medium Analytics BIOCs Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - improved logic of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - improved logic of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - improved logic of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - improved logic of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - improved logic of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - improved logic of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOCs Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - improved logic of a Medium Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOCs Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - improved logic of a Medium Analytics BIOCs Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - improved logic of a Medium Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - improved logic of a Medium Analytics BIOCs Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOCs Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - improved logic of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOCs Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - improved logic of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOCs Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - improved logic of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - improved logic of a Medium Analytics BIOCs Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - improved logic of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - removed an old Medium alert Improved logic of 12 Medium Analytics Alerts: A contained process attempted to escape using notify on release feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - improved logic of a Medium Analytics Alerts An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts A new machine attempted Kerberos delegation (0f9a92bd-916c-40ad-80a9-58c2adaaa946) - improved logic of a Medium Analytics Alerts Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alerts Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - improved logic of a Medium Analytics Alerts Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alerts Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alerts Added a new Low Analytics BIOC: Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - added a new Low alert Improved logic of 129 Low Analytics BIOCs: Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - improved logic of a Low Analytics BIOCs Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOCs Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - improved logic of a Low Analytics BIOCs Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - improved logic of a Low Analytics BIOCs Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - improved logic of a Low Analytics BIOCs Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOCs Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - improved logic of a Low Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - improved logic of a Low Analytics BIOCs Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - improved logic of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a Low Analytics BIOCs Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - improved logic of a Low Analytics BIOCs New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - improved logic of a Low Analytics BIOCs System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - improved logic of a Low Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOCs Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - improved logic of a Low Analytics BIOCs Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - improved logic of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOCs Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - improved logic of a Low Analytics BIOCs Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - improved logic of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - improved logic of a Low Analytics BIOCs Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - improved logic of a Low Analytics BIOCs A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - improved logic of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved logic of a Low Analytics BIOCs Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - improved logic of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - improved logic of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - improved logic of a Low Analytics BIOCs Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOCs Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - improved logic of a Low Analytics BIOCs A disabled user successfully authenticated via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOCs Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOCs Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOCs Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - improved logic of a Low Analytics BIOCs Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - improved logic of a Low Analytics BIOCs Attempt to execute a command on a remote host using PsExec.exe (ddf3b8d9-53e0-8410-c76a-d2e6b5203438) - improved logic of a Low Analytics BIOCs Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - improved logic of a Low Analytics BIOCs Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - improved logic of a Low Analytics BIOCs Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - improved logic of a Low Analytics BIOCs User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - improved logic of a Low Analytics BIOCs Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - improved logic of a Low Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - improved logic of a Low Analytics BIOCs Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - improved logic of a Low Analytics BIOCs Improved logic of 34 Low Analytics Alerts: Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alerts Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - improved logic of a Low Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - improved logic of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts Improved logic of 180 Informational Analytics BIOCs: Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - improved logic of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of an Informational Analytics BIOCs Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOCs Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - improved logic of an Informational Analytics BIOCs Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOCs Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - improved logic of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - improved logic of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - improved logic of an Informational Analytics BIOCs Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - improved logic of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOCs VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - improved logic of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs PsExec was executed with a suspicious command line (a3a029c0-dbb8-10d2-9109-8cc458cf1e6e) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - improved logic of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - improved logic of an Informational Analytics BIOCs Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - improved logic of an Informational Analytics BIOCs System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOCs Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - improved logic of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - improved logic of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOCs Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - improved logic of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - improved logic of an Informational Analytics BIOCs Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - improved logic of an Informational Analytics BIOCs Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - improved logic of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - improved logic of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - improved logic of an Informational Analytics BIOCs Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - improved logic of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOCs Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - improved logic of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - improved logic of an Informational Analytics BIOCs A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - improved logic of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - removed an old Informational alert Added 3 new Informational Analytics Alerts: A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - added a new Informational alert User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - added a new Informational alert A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - added a new Informational alert Improved logic of 24 Informational Analytics Alerts: A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts A user accessed multiple time-wasting websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - improved logic of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts   August 07 2022 Release: Added a new High Analytics BIOC: Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - added a new High alert Improved logic of 3 High Analytics BIOCs: Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Improved logic of 7 Medium Analytics BIOCs: External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs Improved logic of a Medium Analytics Alert: Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert Improved logic of 30 Low Analytics BIOCs: Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs Removed 2 old Low Analytics BIOCs: Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - removed an old Low alert Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - removed an old Low alert Increased the severity to Low for an Analytics Alert: Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - increased the severity to Low, and improved detection logic Improved logic of 8 Low Analytics Alerts: Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts Improved logic of 91 Informational Analytics BIOCs: AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - improved logic of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - improved logic of an Informational Analytics BIOCs Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs Added a new Informational Analytics Alert: Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - added a new Informational alert Improved logic of 8 Informational Analytics Alerts: A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts    
View full article
91% helpful (49/54)
‎01-29-2023 08:38 AM

Cortex XDR PoC: Software Installations Blocking

Let's walkthrough a PoC of  using Cortex XDR to block software installations —.msi and .exe file extensions — in a test environment.
View full article
100% helpful (1/1)
‎01-02-2023 12:06 PM

Cortex XDR Postman API Collection

Simplify each step of building an API and streamline collaboration so you can create better APIs faster with Postman.  
View full article
No ratings
Rate this article:
‎12-15-2022 06:41 AM

Cortex XDR Global Analytics & Supply Chain Attacks

Cortex XDR Global Analytics & Supply Chain Attacks Read this instructive article about Cortex XDR Global Analytics and how it protects against Supply chain attacks.  We invite you to watch our customer success webinar:  XDR Global Analytics     Cortex XDR   
View full article
No ratings
‎09-16-2022 12:32 PM

Blog Spotlight: Playbook of the Week: Automating Cortex XDR Investigation and Response in Cortex XSOAR

Automating XDR Investigation and Response Learn how SOC teams can utilize the best of both XDR’s extended endpoint threat detection and response with XSOAR’s workflow automation, orchestration, and threat intelligence capabilities to become more effective using the Palo Alto Networks Cortex XDR — Investigation and Response content pack. Read the lasted playbook of the week blog   and learn more about case management using Cortex XDR and Cortex XSOAR. Cortex XDR    Have a question about it? Post it on the Cortex XDR discussion page  
View full article
No ratings
‎08-18-2022 08:17 AM
Customer Advisories

Your security posture is important to us. If you’re a Palo Alto Networks customer, be sure to login to see the latest critical announcements and updates in our Customer Advisories area.

Check for updates

Learn how to subscribe to and receive email notifications here.

Celebrate with us!
LIVEcommunity Wins 2022 Khoros Kudos Award
LIVEcommunity Wins 2022 Khoros Kudos Award
Join us to celebrate!
Top Contributors
Top Liked Posts in LIVEcommunity Article
View All
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks