Simplify each step of building an API and streamline collaboration so you can create better APIs faster with Postman.  

Don't miss our monthly announcements, How-to Videos, and latest blogs in the Customer Success What's New Newsletter!

Read all the latest and greatest from Cortex XDR Customer Success! 

    April 2024 UPCOMING EVENTS Alert Tuning Webinar Series  Join us for a Customer Success webinar series, Alert Tuning, starting on April 24! You may register below for the series in advance. Register here:  Part 1 | Part 2  Symphony 2024: AI and Automation  Come see where security operations are headed next! Join us on April 17-18 for a virtual event. Register below  >> Register here   Investigation and Threat Hunting Virtual Workshop  Calling all customers to join our 3-hour virtual workshop designed to sharpen your investigation and threat-hunting skills with hands-on experience.  >> Register here  CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form    Recent CS Webinar Watch Part 3 of the webinar series: Improving Application Security with Parsing & Correlation Rules  Watch All   New How-to Videos Learn how to build a custom dashboard and level up your performance: XDR Agent Vulnerability - Dashboard Creation   Watch this video and learn how to get more out of the add-on: Host Insights - Malicious Daemon on Linux Machine  Watch All   Latest Security Blogs & Articles Read this blog to learn more about XDR and XSOAR automation opportunities: Automating Management of XDR Identity Analytics Alerts   Read about the challenges of AI: 5 Unique Challenges for AI in Cybersecurity Read All PRODUCT ANNOUNCEMENTS & RELEASE NOTES XDR Agent 8.1 reached its End-of-Life on April 9, 2024. We recommend reviewing the EOL page to stay informed on the next End-of-Life dates. Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under 'Dynamic updates'.  

Cortex XDR Content Release Notes   *Deprecation alert* This page has been deprecated and all newer release notes can be found here   February 28 2024 Release: Improved logic of a Low Analytics BIOC: Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - improved logic of a Low Analytics BIOC Improved logic of 2 Low Analytics Alerts: Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - improved logic of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts Improved logic of 15 Informational Analytics BIOCs: Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs Cloud compute serial console access (4fa4a3ce-ce13-4dca-bbf5-629476822259) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - improved logic of an Informational Analytics BIOCs A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - improved logic of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Network sniffing detected in Cloud environment (932986f4-e765-40a5-9517-aa9ba5bf2e7a) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOCs A container registry was created or deleted (5dd2d962-b742-11ed-9e0e-acde48001122) - improved logic of an Informational Analytics BIOCs Improved logic of 8 Informational Analytics Alerts: An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts Impossible travel by a cloud identity (1a4aae10-38f7-436e-aa77-ad3db460b4c3) - improved logic of an Informational Analytics Alerts Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - improved logic of an Informational Analytics Alerts Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alerts Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alerts Cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of an Informational Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alerts Increased the severity to Low for a BIOC: Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - increased the severity to Low   February 21 2024 Release: Improved logic of 2 High Analytics BIOCs: A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs Improved logic of 6 Medium Analytics BIOCs: Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - improved logic of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOCs A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs Improved logic of 13 Low Analytics BIOCs: First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - improved logic of a Low Analytics BIOCs MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - improved logic of a Low Analytics BIOCs Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - improved logic of a Low Analytics BIOCs Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of a Low Analytics BIOCs Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - improved logic of a Low Analytics BIOCs SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - improved logic of a Low Analytics BIOCs Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOCs Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - improved logic of a Low Analytics BIOCs Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - improved logic of a Low Analytics BIOCs Added a new Low Analytics Alert: Multiple discovery commands (921ffd42-455f-4182-9209-8fe9893c85e0) - added a new Low alert Improved logic of 7 Low Analytics Alerts: Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts Multiple Azure AD admin role removals (fea22348-d47e-4b5f-9896-6ab8e34d00a1) - improved logic of a Low Analytics Alerts Added 2 new Informational Analytics BIOCs: Cloud compute serial console access (4fa4a3ce-ce13-4dca-bbf5-629476822259) - added a new Informational alert An identity started an AWS SSM session (e08bf777-125c-422b-985c-cb98939cad79) - added a new Informational alert Improved logic of 44 Informational Analytics BIOCs: Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs Azure application consent (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - improved logic of an Informational Analytics BIOCs Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - improved logic of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - improved logic of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - improved logic of an Informational Analytics BIOCs Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - improved logic of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs Azure device code authentication flow used (c4a24d4f-1c7b-4a3d-a775-1e2a363d917e) - improved logic of an Informational Analytics BIOCs Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - improved logic of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - improved logic of an Informational Analytics BIOCs Decreased the severity to Informational for 2 Analytics Alerts: Multiple discovery-like commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - decreased the severity to Informational A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - decreased the severity to Informational, and improved detection logic Improved logic of 5 Informational Analytics Alerts: User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - improved logic of an Informational Analytics Alerts Changed metadata of an Informational Analytics Alert: External Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of an Informational Analytics Alert   February 14 2024 Release: Improved logic of a Medium Analytics BIOC: Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC Changed metadata of a Medium Analytics BIOC: Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC Added 3 new Low Analytics BIOCs: Rare DCOM RPC activity (9c37ef68-75ae-4f33-87c7-6381bd5f3470) - added a new Low alert Rare Scheduled Task RPC activity (fc8b21f4-5cc9-4b9b-b4b2-e33ac1b0d744) - added a new Low alert An uncommon executable was remotely written over SMB to an uncommon destination (a859158d-fc75-4d4d-9a2c-56365fe35d63) - added a new Low alert Improved logic of 9 Low Analytics BIOCs: An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of a Low Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOCs A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - improved logic of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - improved logic of a Low Analytics BIOCs Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - improved logic of a Low Analytics BIOCs Changed metadata of a Low Analytics BIOC: MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - changed metadata of a Low Analytics BIOC Improved logic of 5 Low Analytics Alerts: New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Improved logic of 12 Informational Analytics BIOCs: A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - improved logic of an Informational Analytics BIOCs A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs An operation was performed by an identity from a domain that was not seen in the organization (16d5b9bf-3bb9-47d9-b2bd-3e2477b1a554) - improved logic of an Informational Analytics BIOCs AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - improved logic of an Informational Analytics BIOCs Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - improved logic of an Informational Analytics BIOCs Changed metadata of 2 Informational Analytics BIOCs: A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - changed metadata of an Informational Analytics BIOCs Improved logic of 4 Informational Analytics Alerts: A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts   January 31 2024 Release: Improved logic of a Medium Analytics BIOC: Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOC Changed metadata of 2 Low Analytics BIOCs: Possible DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - changed metadata of a Low Analytics BIOCs Added a new Informational Analytics BIOC: Globally uncommon root-domain port combination by a common process (sha256) (bab5b000-ad72-4901-9527-9c7c15aceed2) - added a new Informational alert Improved logic of an Informational Analytics BIOC: User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOC Changed metadata of 2 Informational Analytics BIOCs: A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - changed metadata of an Informational Analytics BIOCs Possible DLL Side-Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - changed metadata of an Informational Analytics BIOCs   January 24 2024 Release: Improved logic of a High Analytics BIOC: Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC Improved logic of 3 Medium Analytics BIOCs: Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs Improved logic of 6 Low Analytics BIOCs: SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - improved logic of a Low Analytics BIOCs Improved logic of 5 Low Analytics Alerts: Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts Improved logic of an Informational BIOC: Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - improved logic of an Informational BIOC Added a new Informational Analytics BIOC: AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - added a new Informational alert Improved logic of 20 Informational Analytics BIOCs: A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - improved logic of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - improved logic of an Informational Analytics BIOCs Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - improved logic of an Informational Analytics BIOCs Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOCs Changed metadata of 2 Informational Analytics BIOCs: Suspicious container runtime connection from within a Kubernetes Pod (b233c447-3312-429a-ab01-3a607104bb3a) - changed metadata of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - removed an old Informational alert Decreased the severity to Informational for an Analytics Alert: Cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - decreased the severity to Informational, and improved detection logic Improved logic of 11 Informational Analytics Alerts: Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts   January 17 2024 Release: Improved logic of a Medium Analytics BIOC: Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC Improved logic of a Low Analytics BIOC: Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOC Decreased the severity to Informational for 2 Analytics BIOCs: A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - decreased the severity to Informational, and improved detection logic Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - decreased the severity to Informational Improved logic of 5 Informational Analytics BIOCs: First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs A container registry was created or deleted (5dd2d962-b742-11ed-9e0e-acde48001122) - improved logic of an Informational Analytics BIOCs Temporarily removed a Informational Analytics BIOC for improvement: An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - temporarily removed Informational alert for improvement Improved logic of an Informational Analytics Alert: Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alert   January 10 2024 Release: Improved logic of 2 High Analytics BIOCs: Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOCs A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs Changed metadata of a High Analytics BIOC: Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC Improved logic of 6 Medium Analytics BIOCs: RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs A mail forwarding rule was configured in Google Workspace (227ff69a-14aa-4c40-a328-a846c73b1d07) - improved logic of a Medium Analytics BIOCs Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOCs Changed metadata of 3 Medium Analytics BIOCs: Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - removed an old Medium alert Temporarily removed a Medium Analytics BIOCs for improvement: A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - temporarily removed Medium alert for improvement Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - temporarily removed Medium alert for improvement Improved logic of a Medium Analytics Alert: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert Removed an old Low BIOC: Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - removed an old Low alert Decreased the severity to Low for an Analytics BIOC: Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - decreased the severity to Low, and improved detection logic Added 2 new Low Analytics BIOCs: Image file execution options (IFEO) registry key set (393619bb-6197-46f4-bd9f-0246bf014381) - added a new Low alert Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - added a new Low alert Improved logic of 37 Low Analytics BIOCs: Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOCs Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - improved logic of a Low Analytics BIOCs Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOCs Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOCs Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - improved logic of a Low Analytics BIOCs Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - improved logic of a Low Analytics BIOCs Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - improved logic of a Low Analytics BIOCs Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - improved logic of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOCs Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - improved logic of a Low Analytics BIOCs Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - improved logic of a Low Analytics BIOCs Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of a Low Analytics BIOCs Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOCs Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs Changed metadata of 14 Low Analytics BIOCs: Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Low Analytics BIOCs A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - changed metadata of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs Removed an old Low Analytics BIOC: Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - removed an old Low alert Added a new Low Analytics Alert: Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - added a new Low alert Improved logic of 21 Low Analytics Alerts: Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - improved logic of a Low Analytics Alerts Added a new Informational BIOC: Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - added a new Informational alert Changed metadata of an Informational BIOC: Common Apple process name missing Apple digital signature (f75bf626-24c2-4891-b7e5-8b78dbb10b85) - changed metadata of an Informational BIOC Added 54 new Informational Analytics BIOCs: An AWS ElastiCache security group was created (d417b2b4-b091-11ed-9b28-acde48001122) - added a new Informational alert A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - added a new Informational alert An Azure DNS Zone was modified (964d4524-b743-11ed-9835-acde48001122) - added a new Informational alert A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment (0e24887e-b6c1-11ed-a5dc-acde48001122) - added a new Informational alert An Azure Point-to-Site VPN was modified (bf00d118-b743-11ed-bb97-acde48001122) - added a new Informational alert Azure device code authentication flow used (c4a24d4f-1c7b-4a3d-a775-1e2a363d917e) - added a new Informational alert Azure Kubernetes events were deleted (e31af74a-b741-11ed-b996-acde48001122) - added a new Informational alert An Azure firewall rule group was modified (bedc4338-b6c0-11ed-ba3b-acde48001122) - added a new Informational alert An identity accessed Azure Kubernetes Secrets (8965581e-b742-11ed-9c12-acde48001122) - added a new Informational alert An AWS S3 bucket configuration was modified (cb35ca90-b095-11ed-aa36-acde48001122) - added a new Informational alert An Azure Firewall Rule Collection was modified (2dd88838-b742-11ed-96a1-acde48001122) - added a new Informational alert An AWS Lambda function was modified (cb2184e8-b095-11ed-bda0-acde48001122) - added a new Informational alert An AWS ElastiCache security group was modified or deleted (cb631bb4-b095-11ed-ad10-acde48001122) - added a new Informational alert Removal of an Azure Owner from an Application or Service Principal (d7ee38c8-b741-11ed-a1f0-acde48001122) - added a new Informational alert An Azure VPN Connection was modified (b6309f90-b6c0-11ed-b3e4-acde48001122) - added a new Informational alert An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - added a new Informational alert An AWS Lambda Function was created (cada7046-b095-11ed-8064-acde48001122) - added a new Informational alert An Azure Firewall was modified (7f431eb8-b742-11ed-96f7-acde48001122) - added a new Informational alert An Email address was added to AWS SES (35757db4-c253-11ed-b745-acde48001122) - added a new Informational alert AWS SecurityHub findings were modified (cb4a260c-b095-11ed-bde9-acde48001122) - added a new Informational alert An Azure Kubernetes Role or Cluster-Role was modified (b3def2e8-b743-11ed-9cec-acde48001122) - added a new Informational alert An AWS SES Email sending settings were modified (cb5a1bf4-b095-11ed-bf05-acde48001122) - added a new Informational alert An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - added a new Informational alert An Azure Key Vault was modified (94e3d9cc-b742-11ed-94cd-acde48001122) - added a new Informational alert An identity was granted permissions to manage user access to Azure resources (79046206-b743-11ed-9133-acde48001122) - added a new Informational alert An Azure virtual network Device was modified (6d9c8858-b741-11ed-b0e7-acde48001122) - added a new Informational alert An AWS SES identity was deleted (caf89d0a-b095-11ed-8f65-acde48001122) - added a new Informational alert Modification or Deletion of an Azure Application Gateway Detected (c96e5e48-b743-11ed-be3a-acde48001122) - added a new Informational alert An Azure Key Vault key was modified (02a05bd2-b742-11ed-8c2c-acde48001122) - added a new Informational alert PIM privilege member removal (f26e97d2-b6c0-11ed-b9b6-acde48001122) - added a new Informational alert An AWS RDS instance was created from a snapshot (caeaf466-b095-11ed-afef-acde48001122) - added a new Informational alert An AWS EFS file-share was deleted (cb2df5b8-b095-11ed-9972-acde48001122) - added a new Informational alert An Azure Suppression Rule was created (74914062-b742-11ed-8108-acde48001122) - added a new Informational alert A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - added a new Informational alert An AWS EKS cluster was created or deleted (cb25ae8a-b095-11ed-b476-acde48001122) - added a new Informational alert An AWS RDS master password was changed (cb462fb6-b095-11ed-adfd-acde48001122) - added a new Informational alert An Azure Kubernetes Service Account was modified or deleted (edc0393a-b741-11ed-8947-acde48001122) - added a new Informational alert An identity disabled bucket logging (60b28a82-96ff-402b-a64d-f0dd043b5dd6) - added a new Informational alert A Service Principal was removed from Azure (a9038750-b743-11ed-b5e9-acde48001122) - added a new Informational alert Azure Key Vault Secrets were modified (d261af90-b744-11ed-b217-acde48001122) - added a new Informational alert Granting Access to an Account (249d8988-b744-11ed-a9e8-acde48001122) - added a new Informational alert An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted (f2c9e2b4-b743-11ed-bec8-acde48001122) - added a new Informational alert An Azure Container Registry was created or removed (5dd2d962-b742-11ed-9e0e-acde48001122) - added a new Informational alert An AWS EFS File-share mount was deleted (cae12134-b095-11ed-bee2-acde48001122) - added a new Informational alert An Azure Cloud Shell was Created (88376c0a-b741-11ed-ae05-acde48001122) - added a new Informational alert An AWS SAML provider was modified (cb561ad4-b095-11ed-86c9-acde48001122) - added a new Informational alert AWS STS temporary credentials were generated (cb2a08a4-b095-11ed-97cf-acde48001122) - added a new Informational alert An AWS Route 53 domain was transferred to another AWS account (caf53a02-b095-11ed-86c3-acde48001122) - added a new Informational alert An Azure virtual network was modified (b29d99a8-b744-11ed-ac5e-acde48001122) - added a new Informational alert An Azure Kubernetes Cluster was created or deleted (fb88f09c-b6c0-11ed-ae53-acde48001122) - added a new Informational alert A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - added a new Informational alert Globally uncommon IP address by a common process (sha256) (aff38296-6019-474c-9de0-c423eda168e1) - added a new Informational alert An Azure Network Security Group was modified (72e1c8fa-b744-11ed-8a9d-acde48001122) - added a new Informational alert An AWS GuardDuty IP set was created (cb03739c-b095-11ed-9211-acde48001122) - added a new Informational alert Improved logic of 84 Informational Analytics BIOCs: Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOCs A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOCs Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - improved logic of an Informational Analytics BIOCs Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - improved logic of an Informational Analytics BIOCs An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - improved logic of an Informational Analytics BIOCs Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - improved logic of an Informational Analytics BIOCs Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOCs A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - improved logic of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOCs A Google Workspace identity used the security investigation tool (c1effd9b-2fde-4141-a894-f01b7fdaffd0) - improved logic of an Informational Analytics BIOCs Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - improved logic of an Informational Analytics BIOCs A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOCs Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of an Informational Analytics BIOCs Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - improved logic of an Informational Analytics BIOCs SharePoint Site Collection admin group addition (78de7350-5ea3-4c19-9a0f-f15dc7732226) - improved logic of an Informational Analytics BIOCs Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - improved logic of an Informational Analytics BIOCs A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - improved logic of an Informational Analytics BIOCs Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - improved logic of an Informational Analytics BIOCs Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOCs Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOCs Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - improved logic of an Informational Analytics BIOCs Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - improved logic of an Informational Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - improved logic of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - improved logic of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - improved logic of an Informational Analytics BIOCs Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - improved logic of an Informational Analytics BIOCs Changed metadata of 15 Informational Analytics BIOCs: Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs Temporarily removed a Informational Analytics BIOCs for improvement: A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - temporarily removed Informational alert for improvement A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - temporarily removed Informational alert for improvement A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - temporarily removed Informational alert for improvement A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - temporarily removed Informational alert for improvement A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - temporarily removed Informational alert for improvement Decreased the severity to Informational for an Analytics Alert: Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics Alert: Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - added a new Informational alert Improved logic of 34 Informational Analytics Alerts: Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of an Informational Analytics Alerts Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alerts Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - improved logic of an Informational Analytics Alerts A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - improved logic of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts Temporarily removed a Informational Analytics Alerts for improvement: Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - temporarily removed Informational alert for improvement Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - temporarily removed Informational alert for improvement   December 27 2023 Release: Changed metadata of a High Analytics BIOC: Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC Improved logic of 3 Medium Analytics BIOCs: RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs Changed metadata of 3 Medium Analytics BIOCs: Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - removed an old Medium alert Temporarily removed a Medium Analytics BIOCs for improvement: A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - temporarily removed Medium alert for improvement Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - temporarily removed Medium alert for improvement Improved logic of a Medium Analytics Alert: Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alert Decreased the severity to Low for an Analytics BIOC: Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - decreased the severity to Low, and improved detection logic Added a new Low Analytics BIOC: Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - added a new Low alert Improved logic of 16 Low Analytics BIOCs: Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOCs Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - improved logic of a Low Analytics BIOCs An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - improved logic of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - improved logic of a Low Analytics BIOCs Changed metadata of 17 Low Analytics BIOCs: Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Low Analytics BIOCs A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - changed metadata of a Low Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs Added a new Low Analytics Alert: Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - added a new Low alert Improved logic of 9 Low Analytics Alerts: Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts Changed metadata of 2 Low Analytics Alerts: Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - changed metadata of a Low Analytics Alerts Added 53 new Informational Analytics BIOCs: An Azure DNS Zone was modified (964d4524-b743-11ed-9835-acde48001122) - added a new Informational alert An Azure VPN Connection was modified (b6309f90-b6c0-11ed-b3e4-acde48001122) - added a new Informational alert AWS STS temporary credentials were generated (cb2a08a4-b095-11ed-97cf-acde48001122) - added a new Informational alert An AWS S3 bucket configuration was modified (cb35ca90-b095-11ed-aa36-acde48001122) - added a new Informational alert An Azure Kubernetes Role or Cluster-Role was modified (b3def2e8-b743-11ed-9cec-acde48001122) - added a new Informational alert An identity disabled bucket logging (60b28a82-96ff-402b-a64d-f0dd043b5dd6) - added a new Informational alert An AWS Lambda Function was created (cada7046-b095-11ed-8064-acde48001122) - added a new Informational alert An Email address was added to AWS SES (35757db4-c253-11ed-b745-acde48001122) - added a new Informational alert An AWS RDS master password was changed (cb462fb6-b095-11ed-adfd-acde48001122) - added a new Informational alert An Azure firewall rule group was modified (bedc4338-b6c0-11ed-ba3b-acde48001122) - added a new Informational alert Removal of an Azure Owner from an Application or Service Principal (d7ee38c8-b741-11ed-a1f0-acde48001122) - added a new Informational alert A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - added a new Informational alert A Service Principal was removed from Azure (a9038750-b743-11ed-b5e9-acde48001122) - added a new Informational alert An AWS GuardDuty IP set was created (cb03739c-b095-11ed-9211-acde48001122) - added a new Informational alert Azure Kubernetes events were deleted (e31af74a-b741-11ed-b996-acde48001122) - added a new Informational alert An AWS EFS file-share was deleted (cb2df5b8-b095-11ed-9972-acde48001122) - added a new Informational alert An Azure virtual network Device was modified (6d9c8858-b741-11ed-b0e7-acde48001122) - added a new Informational alert An Azure Key Vault key was modified (02a05bd2-b742-11ed-8c2c-acde48001122) - added a new Informational alert An identity was granted permissions to manage user access to Azure resources (79046206-b743-11ed-9133-acde48001122) - added a new Informational alert An Azure Key Vault was modified (94e3d9cc-b742-11ed-94cd-acde48001122) - added a new Informational alert An AWS SES Email sending settings were modified (cb5a1bf4-b095-11ed-bf05-acde48001122) - added a new Informational alert PIM privilege member removal (f26e97d2-b6c0-11ed-b9b6-acde48001122) - added a new Informational alert An AWS EFS File-share mount was deleted (cae12134-b095-11ed-bee2-acde48001122) - added a new Informational alert An Azure Point-to-Site VPN was modified (bf00d118-b743-11ed-bb97-acde48001122) - added a new Informational alert Granting Access to an Account (249d8988-b744-11ed-a9e8-acde48001122) - added a new Informational alert An identity accessed Azure Kubernetes Secrets (8965581e-b742-11ed-9c12-acde48001122) - added a new Informational alert An AWS Route 53 domain was transferred to another AWS account (caf53a02-b095-11ed-86c3-acde48001122) - added a new Informational alert An AWS ElastiCache security group was modified or deleted (cb631bb4-b095-11ed-ad10-acde48001122) - added a new Informational alert Azure Key Vault Secrets were modified (d261af90-b744-11ed-b217-acde48001122) - added a new Informational alert An Azure Suppression Rule was created (74914062-b742-11ed-8108-acde48001122) - added a new Informational alert An Azure Kubernetes Cluster was created or deleted (fb88f09c-b6c0-11ed-ae53-acde48001122) - added a new Informational alert AWS SecurityHub findings were modified (cb4a260c-b095-11ed-bde9-acde48001122) - added a new Informational alert Modification or Deletion of an Azure Application Gateway Detected (c96e5e48-b743-11ed-be3a-acde48001122) - added a new Informational alert An AWS RDS instance was created from a snapshot (caeaf466-b095-11ed-afef-acde48001122) - added a new Informational alert An AWS ElastiCache security group was created (d417b2b4-b091-11ed-9b28-acde48001122) - added a new Informational alert An AWS SAML provider was modified (cb561ad4-b095-11ed-86c9-acde48001122) - added a new Informational alert An AWS Lambda function was modified (cb2184e8-b095-11ed-bda0-acde48001122) - added a new Informational alert An Azure Firewall was modified (7f431eb8-b742-11ed-96f7-acde48001122) - added a new Informational alert A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - added a new Informational alert An AWS SES identity was deleted (caf89d0a-b095-11ed-8f65-acde48001122) - added a new Informational alert Globally uncommon IP address by a common process (sha256) (aff38296-6019-474c-9de0-c423eda168e1) - added a new Informational alert An Azure Container Registry was created or removed (5dd2d962-b742-11ed-9e0e-acde48001122) - added a new Informational alert An Azure Network Security Group was modified (72e1c8fa-b744-11ed-8a9d-acde48001122) - added a new Informational alert An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - added a new Informational alert A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - added a new Informational alert An Azure virtual network was modified (b29d99a8-b744-11ed-ac5e-acde48001122) - added a new Informational alert An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted (f2c9e2b4-b743-11ed-bec8-acde48001122) - added a new Informational alert A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment (0e24887e-b6c1-11ed-a5dc-acde48001122) - added a new Informational alert An Azure Cloud Shell was Created (88376c0a-b741-11ed-ae05-acde48001122) - added a new Informational alert An Azure Kubernetes Service Account was modified or deleted (edc0393a-b741-11ed-8947-acde48001122) - added a new Informational alert An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - added a new Informational alert An AWS EKS cluster was created or deleted (cb25ae8a-b095-11ed-b476-acde48001122) - added a new Informational alert An Azure Firewall Rule Collection was modified (2dd88838-b742-11ed-96a1-acde48001122) - added a new Informational alert Improved logic of 35 Informational Analytics BIOCs: Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - improved logic of an Informational Analytics BIOCs Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - improved logic of an Informational Analytics BIOCs Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - improved logic of an Informational Analytics BIOCs Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - improved logic of an Informational Analytics BIOCs An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - improved logic of an Informational Analytics BIOCs Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - improved logic of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOCs Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - improved logic of an Informational Analytics BIOCs A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - improved logic of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOCs Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOCs A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs Changed metadata of 18 Informational Analytics BIOCs: Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOCs Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs Temporarily removed a Informational Analytics BIOCs for improvement: A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - temporarily removed Informational alert for improvement A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - temporarily removed Informational alert for improvement A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - temporarily removed Informational alert for improvement A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - temporarily removed Informational alert for improvement A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - temporarily removed Informational alert for improvement Improved logic of 20 Informational Analytics Alerts: A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alerts External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - improved logic of an Informational Analytics Alerts Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Temporarily removed a Informational Analytics Alerts for improvement: Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - temporarily removed Informational alert for improvement Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - temporarily removed Informational alert for improvement   November 19 2023 Release: Improved logic of a High Analytics BIOC: A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC Removed an old Medium BIOC: PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - removed an old Medium alert Improved logic of a Medium Analytics BIOC: PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOC Improved logic of 2 Low Analytics BIOCs: SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs Improved logic of 3 Low Analytics Alerts: Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts Removed an old Informational BIOC: Setgid on file (0826210d-ddd8-44e7-98fb-399083b15e97) - removed an old Informational alert Added 2 new Informational Analytics BIOCs: Globally uncommon high entropy module was loaded (29621cda-7dd0-4c92-9c1d-52124db38f62) - added a new Informational alert Globally uncommon high entropy process was executed (0871da76-eb4a-429c-8f3e-cfa9fa83a221) - added a new Informational alert Improved logic of 14 Informational Analytics BIOCs: First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs Improved logic of 6 Informational Analytics Alerts: Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts Changed metadata of an Informational Analytics Alert: Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - changed metadata of an Informational Analytics Alert Temporarily removed a Informational Analytics Alert for improvement: Port Sweep (01c1f692-2652-4cfe-8817-b48b1b0efb95) - temporarily removed Informational alert for improvement November 08 2023 Release: Removed an old High BIOC: Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - removed an old High alert Added a new High Analytics BIOC: Mimikatz command-line arguments (b869d46a-8723-4ae3-63a7-a5da6435d78e) - added a new High alert Improved logic of a High Analytics BIOC: A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC Improved logic of a High Analytics Alert: Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert Improved logic of 4 Medium Analytics BIOCs: A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOCs Changed metadata of 2 Medium Analytics Alerts: An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts Increased the severity to Low for an Analytics BIOC: Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - increased the severity to Low, and improved detection logic Decreased the severity to Low for an Analytics BIOC: Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - decreased the severity to Low Added 3 new Low Analytics BIOCs: Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - added a new Low alert RDP connections enabled remotely via Registry (547fb017-ead4-8c05-f32e-77902bdd0f7a) - added a new Low alert Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - added a new Low alert Improved logic of 9 Low Analytics BIOCs: Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Low Analytics BIOCs A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - improved logic of a Low Analytics BIOCs Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - improved logic of a Low Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs Changed metadata of 5 Low Analytics BIOCs: A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOCs Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOCs Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - changed metadata of a Low Analytics BIOCs Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs Improved logic of 6 Low Analytics Alerts: Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alerts A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts Changed metadata of 2 Low Analytics Alerts: VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts Removed an old Informational BIOC: Mimikatz command-line arguments (fa4867c0-bf95-4c44-b9e3-0460650b8e07) - removed an old Informational alert Decreased the severity to Informational for an Analytics BIOC: Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - decreased the severity to Informational, and improved detection logic Added 5 new Informational Analytics BIOCs: Cloud unusual access key creation (4aa215fb-e64d-4b00-9251-4d84774c27f3) - added a new Informational alert Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - added a new Informational alert Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - added a new Informational alert A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - added a new Informational alert Network sniffing detected in Cloud environment (932986f4-e765-40a5-9517-aa9ba5bf2e7a) - added a new Informational alert Improved logic of 32 Informational Analytics BIOCs: User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs Changed metadata of 4 Informational Analytics BIOCs: Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - changed metadata of an Informational Analytics BIOCs Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - changed metadata of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs Temporarily removed a Informational Analytics BIOCs for improvement: Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - temporarily removed Informational alert for improvement Remote code execution into Kubernetes Pod (8d013538-6e98-48ed-a018-fcf19866f367) - temporarily removed Informational alert for improvement Added 2 new Informational Analytics Alerts: A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - added a new Informational alert External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - added a new Informational alert Improved logic of 14 Informational Analytics Alerts: A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alerts Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts Changed metadata of 4 Informational Analytics Alerts: NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - changed metadata of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - changed metadata of an Informational Analytics Alerts October 05 2023 Release: Improved logic of a Medium Analytics BIOC: A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOC Changed metadata of a Low Analytics BIOC: Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - changed metadata of a Low Analytics BIOC Removed 2 old Low Analytics BIOCs: Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - removed an old Low alert Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - removed an old Low alert Improved logic of 7 Informational Analytics BIOCs: A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - improved logic of an Informational Analytics BIOCs A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - improved logic of an Informational Analytics BIOCs A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - improved logic of an Informational Analytics BIOCs Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - improved logic of an Informational Analytics BIOCs A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - improved logic of an Informational Analytics BIOCs Changed metadata of an Informational Analytics BIOC: Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - changed metadata of an Informational Analytics BIOC Added a new Informational Analytics Alert: Port Sweep (01c1f692-2652-4cfe-8817-b48b1b0efb95) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alerts An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts September 27 2023 Release: Changed metadata of a Low Analytics BIOC: Masquerading as the Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOC Decreased the severity to Informational for 4 Analytics BIOCs: Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - decreased the severity to Informational Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - decreased the severity to Informational Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - decreased the severity to Informational Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - decreased the severity to Informational, and improved detection logic Improved logic of 5 Informational Analytics BIOCs: Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOCs User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOCs Temporarily removed a Informational Analytics BIOC for improvement: LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - temporarily removed Informational alert for improvement Decreased the severity to Informational for 2 Analytics Alerts: Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - decreased the severity to Informational NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - decreased the severity to Informational Added a new Informational Analytics Alert: Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - added a new Informational alert Improved logic of 4 Informational Analytics Alerts: Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alerts Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alerts September 13 2023 Release: Increased the severity to Medium for 2 Analytics BIOCs: A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - increased the severity to Medium Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - increased the severity to Medium, and improved detection logic Changed metadata of 9 Low Analytics BIOCs: Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs Masquerading as the Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs Added a new Low Analytics Alert: Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - added a new Low alert Changed metadata of a Low Analytics Alert: Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - changed metadata of a Low Analytics Alert Added a new Informational Analytics BIOC: Suspicious container runtime connection from within a Kubernetes Pod (b233c447-3312-429a-ab01-3a607104bb3a) - added a new Informational alert Changed metadata of 11 Informational Analytics BIOCs: Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - changed metadata of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - changed metadata of an Informational Analytics BIOCs Improved logic of 2 Informational Analytics Alerts: Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alerts An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alerts September 06 2023 Release: Improved logic of a High Analytics BIOC: Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOC Changed metadata of a High Analytics BIOC: Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of a High Analytics BIOC Added a new Medium Analytics BIOC: A mail forwarding rule was configured in Google Workspace (227ff69a-14aa-4c40-a328-a846c73b1d07) - added a new Medium alert Improved logic of 2 Medium Analytics BIOCs: RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs Changed metadata of a Medium Analytics BIOC: Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC Improved logic of a Medium Analytics Alert: Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert Increased the severity to Low for an Analytics BIOC: Scheduled Task hidden by registry modification (21dabd4a-1e37-4753-a8ed-be6a7e947f40) - increased the severity to Low Added 2 new Low Analytics BIOCs: Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - added a new Low alert Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - added a new Low alert Improved logic of 12 Low Analytics BIOCs: Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs Changed metadata of a Low Analytics BIOC: Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOC Improved logic of 2 Low Analytics Alerts: Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - decreased the severity to Informational, and improved detection logic Added a new Informational Analytics BIOC: An operation was performed by an identity from a domain that was not seen in the organization (16d5b9bf-3bb9-47d9-b2bd-3e2477b1a554) - added a new Informational alert Improved logic of 18 Informational Analytics BIOCs: Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - improved logic of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOCs A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs Changed metadata of 4 Informational Analytics BIOCs: File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - removed an old Informational alert Added a new Informational Analytics Alert: Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - added a new Informational alert Improved logic of 2 Informational Analytics Alerts: User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts August 28 2023 Release: Changed metadata of 21 High Analytics BIOCs: Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOCs Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOCs Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - changed metadata of a High Analytics BIOCs Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOCs Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of a High Analytics BIOCs Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOCs PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOCs Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOCs Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - changed metadata of a High Analytics BIOCs Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - changed metadata of a High Analytics BIOCs A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOCs Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - changed metadata of a High Analytics BIOCs Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOCs A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOCs Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOCs Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOCs Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOCs Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - changed metadata of a High Analytics BIOCs Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a High Analytics BIOCs Changed metadata of 2 High Analytics Alerts: Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alerts Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alerts Changed metadata of 84 Medium Analytics BIOCs: Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOCs A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - changed metadata of a Medium Analytics BIOCs MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOCs Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOCs Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOCs Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOCs RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - changed metadata of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOCs Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - changed metadata of a Medium Analytics BIOCs LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOCs Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOCs Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - changed metadata of a Medium Analytics BIOCs Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - changed metadata of a Medium Analytics BIOCs Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOCs A process was executed with a command line obfuscated by Unicode character substitution (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - changed metadata of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOCs Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - changed metadata of a Medium Analytics BIOCs A contained executable was executed by an unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - changed metadata of a Medium Analytics BIOCs Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOCs A suspicious executable with multiple file extensions was created (8a80d179-6ce0-4d38-8087-287b18ed5f27) - changed metadata of a Medium Analytics BIOCs Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOCs Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOCs Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - changed metadata of a Medium Analytics BIOCs Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a Medium Analytics BIOCs A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - changed metadata of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOCs Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOCs Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOCs Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOCs Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOCs The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOCs Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOCs Possible collection of screen captures with Windows Problem Steps Recorder (28f11a20-9611-4099-8c05-f6437a5ea9d5) - changed metadata of a Medium Analytics BIOCs Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOCs Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOCs Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOCs Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - changed metadata of a Medium Analytics BIOCs Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Medium Analytics BIOCs PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOCs TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - changed metadata of a Medium Analytics BIOCs Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - changed metadata of a Medium Analytics BIOCs Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOCs Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOCs Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOCs Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOCs Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOCs A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - changed metadata of a Medium Analytics BIOCs Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOCs PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOCs Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOCs A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - changed metadata of a Medium Analytics BIOCs Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOCs Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOCs Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOCs Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs Changed metadata of 10 Medium Analytics Alerts: New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alerts Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alerts A new machine attempted Kerberos delegation (0f9a92bd-916c-40ad-80a9-58c2adaaa946) - changed metadata of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alerts An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts A contained process attempted to escape using the 'notify on release' feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - changed metadata of a Medium Analytics Alerts Increased the severity to Low for an Analytics BIOC: Unusual Azure AD sync module load (512ac45c-fd8c-4110-834b-1cfe578aaafb) - increased the severity to Low, and improved detection logic Improved logic of 3 Low Analytics BIOCs: Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - improved logic of a Low Analytics BIOCs Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs Changed metadata of 166 Low Analytics BIOCs: Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOCs A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - changed metadata of a Low Analytics BIOCs Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - changed metadata of a Low Analytics BIOCs Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - changed metadata of a Low Analytics BIOCs A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - changed metadata of a Low Analytics BIOCs Conditional Access policy removed (f667c079-ed9c-4ee1-a604-964440c92051) - changed metadata of a Low Analytics BIOCs SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - changed metadata of a Low Analytics BIOCs Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOCs Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Low Analytics BIOCs Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - changed metadata of a Low Analytics BIOCs Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - changed metadata of a Low Analytics BIOCs MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - changed metadata of a Low Analytics BIOCs Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - changed metadata of a Low Analytics BIOCs A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOCs Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOCs Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - changed metadata of a Low Analytics BIOCs Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - changed metadata of a Low Analytics BIOCs Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - changed metadata of a Low Analytics BIOCs Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOCs Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - changed metadata of a Low Analytics BIOCs Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOCs Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - changed metadata of a Low Analytics BIOCs Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOCs Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - changed metadata of a Low Analytics BIOCs Uncommon access to Microsoft Teams credential files (1bb7c565-fa59-4fd8-b779-7f32ad96caad) - changed metadata of a Low Analytics BIOCs LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOCs MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOCs System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOCs Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Low Analytics BIOCs LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Low Analytics BIOCs SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOCs Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOCs Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - changed metadata of a Low Analytics BIOCs Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - changed metadata of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - changed metadata of a Low Analytics BIOCs Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOCs Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOCs Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - changed metadata of a Low Analytics BIOCs Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs Uncommon AT task-job creation by user (082e4d29-7037-47d0-b83f-a0226016139c) - changed metadata of a Low Analytics BIOCs Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - changed metadata of a Low Analytics BIOCs SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - changed metadata of a Low Analytics BIOCs Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - changed metadata of a Low Analytics BIOCs An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - changed metadata of a Low Analytics BIOCs An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - changed metadata of a Low Analytics BIOCs Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - changed metadata of a Low Analytics BIOCs A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - changed metadata of a Low Analytics BIOCs Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOCs Unusual Kubernetes API server communication from a pod (ffa2e838-57be-4d1d-ae93-aa17fb738c37) - changed metadata of a Low Analytics BIOCs Billing admin role was removed (2a6e6c44-40cf-47c1-8276-67dea08eb4c6) - changed metadata of a Low Analytics BIOCs Stored credentials exported using credwiz.exe (97f50040-5670-43b3-9afc-1d0e5b1a76bb) - changed metadata of a Low Analytics BIOCs Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOCs Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - changed metadata of a Low Analytics BIOCs Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOCs Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - changed metadata of a Low Analytics BIOCs AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOCs Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - changed metadata of a Low Analytics BIOCs Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOCs Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs Download a script using the python requests module (73619608-e776-4837-98dd-1ac6339ce4d5) - changed metadata of a Low Analytics BIOCs Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOCs GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a Low Analytics BIOCs Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - changed metadata of a Low Analytics BIOCs Unusual Kubernetes dashboard communication from a pod (545d7ae0-f862-4f06-8ec0-ec043afd81a1) - changed metadata of a Low Analytics BIOCs AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - changed metadata of a Low Analytics BIOCs Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOCs Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - changed metadata of a Low Analytics BIOCs Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs Compressing data using python (1a8bbf16-65ad-46de-86aa-0091f0e529a1) - changed metadata of a Low Analytics BIOCs Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - changed metadata of a Low Analytics BIOCs Uncommon msiexec execution of an arbitrary file from a remote location (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Low Analytics BIOCs Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - changed metadata of a Low Analytics BIOCs Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - changed metadata of a Low Analytics BIOCs Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - changed metadata of a Low Analytics BIOCs Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs Suspicious Print System Remote Protocol usage by a process (f9d3b9e8-68f0-4510-bc01-895fd1e45256) - changed metadata of a Low Analytics BIOCs Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - changed metadata of a Low Analytics BIOCs An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - changed metadata of a Low Analytics BIOCs Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - changed metadata of a Low Analytics BIOCs SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - changed metadata of a Low Analytics BIOCs Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - changed metadata of a Low Analytics BIOCs Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - changed metadata of a Low Analytics BIOCs A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - changed metadata of a Low Analytics BIOCs Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOCs Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - changed metadata of a Low Analytics BIOCs Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - changed metadata of a Low Analytics BIOCs WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Low Analytics BIOCs Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOCs A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of a Low Analytics BIOCs Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOCs SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOCs Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - changed metadata of a Low Analytics BIOCs Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - changed metadata of a Low Analytics BIOCs Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs Suspicious ICMP packet (f3389ebd-c09d-412d-b507-fb0d4f692130) - changed metadata of a Low Analytics BIOCs Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - changed metadata of a Low Analytics BIOCs Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOCs PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOCs Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - changed metadata of a Low Analytics BIOCs Attempt to execute a command on a remote host using PsExec.exe (ddf3b8d9-53e0-8410-c76a-d2e6b5203438) - changed metadata of a Low Analytics BIOCs Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - changed metadata of a Low Analytics BIOCs Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - changed metadata of a Low Analytics BIOCs Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOCs Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOCs Copy a user's GnuPG directory with rsync (759d73fc-246b-4d3a-bd34-027174dfb9fc) - changed metadata of a Low Analytics BIOCs Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Low Analytics BIOCs AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - changed metadata of a Low Analytics BIOCs Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOCs Changed metadata of 41 Low Analytics Alerts: Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - changed metadata of a Low Analytics Alerts An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of a Low Analytics Alerts A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - changed metadata of a Low Analytics Alerts Multiple Azure AD admin role removals (fea22348-d47e-4b5f-9896-6ab8e34d00a1) - changed metadata of a Low Analytics Alerts Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - changed metadata of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts Allocation of compute resources in multiple regions (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Low Analytics Alerts A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - changed metadata of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alerts Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - changed metadata of a Low Analytics Alerts Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - changed metadata of a Low Analytics Alerts New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - changed metadata of a Low Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alerts Rare LDAP enumeration (fcb12ef3-ac18-40c0-947c-c2891c6ecaf7) - changed metadata of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alerts Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - changed metadata of a Low Analytics Alerts TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - changed metadata of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts Added a new Informational Analytics BIOC: Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - added a new Informational alert Improved logic of 10 Informational Analytics BIOCs: A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - improved logic of an Informational Analytics BIOCs A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - improved logic of an Informational Analytics BIOCs Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - improved logic of an Informational Analytics BIOCs A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - improved logic of an Informational Analytics BIOCs A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - improved logic of an Informational Analytics BIOCs Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - improved logic of an Informational Analytics BIOCs Changed metadata of 269 Informational Analytics BIOCs: Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - changed metadata of an Informational Analytics BIOCs Creation or modification of the default command executed when opening an application (cd392d6e-e448-46d6-8af3-d2e8a6d79e71) - changed metadata of an Informational Analytics BIOCs Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - changed metadata of an Informational Analytics BIOCs A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - changed metadata of an Informational Analytics BIOCs AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - changed metadata of an Informational Analytics BIOCs Unverified domain added to Azure AD (030963fb-eb31-4cf7-ab0a-4e9681dda8a8) - changed metadata of an Informational Analytics BIOCs A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - changed metadata of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOCs Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - changed metadata of an Informational Analytics BIOCs Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - changed metadata of an Informational Analytics BIOCs Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - changed metadata of an Informational Analytics BIOCs Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOCs SharePoint Site Collection admin group addition (78de7350-5ea3-4c19-9a0f-f15dc7732226) - changed metadata of an Informational Analytics BIOCs Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - changed metadata of an Informational Analytics BIOCs Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOCs Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOCs User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - changed metadata of an Informational Analytics BIOCs Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - changed metadata of an Informational Analytics BIOCs Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs Suspicious process execution in a privileged container (b87fb2e8-4904-4d30-9125-d12d87fb3d17) - changed metadata of an Informational Analytics BIOCs Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - changed metadata of an Informational Analytics BIOCs Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs A Google Workspace identity used the security investigation tool (c1effd9b-2fde-4141-a894-f01b7fdaffd0) - changed metadata of an Informational Analytics BIOCs Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - changed metadata of an Informational Analytics BIOCs A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of an Informational Analytics BIOCs Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs Unusual access to the Windows Internal Database on an ADFS server (4e37d789-4249-4dc1-b390-57216ee663c8) - changed metadata of an Informational Analytics BIOCs Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - changed metadata of an Informational Analytics BIOCs Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - changed metadata of an Informational Analytics BIOCs PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOCs Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of an Informational Analytics BIOCs GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOCs Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOCs AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - changed metadata of an Informational Analytics BIOCs Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOCs An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs A user logged in at an unusual time via VPN (85baec39-fafd-4bc9-b360-e20fb417721c) - changed metadata of an Informational Analytics BIOCs Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - changed metadata of an Informational Analytics BIOCs A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - changed metadata of an Informational Analytics BIOCs Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - changed metadata of an Informational Analytics BIOCs Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - changed metadata of an Informational Analytics BIOCs Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - changed metadata of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - changed metadata of an Informational Analytics BIOCs Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - changed metadata of an Informational Analytics BIOCs Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - changed metadata of an Informational Analytics BIOCs An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - changed metadata of an Informational Analytics BIOCs Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - changed metadata of an Informational Analytics BIOCs Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - changed metadata of an Informational Analytics BIOCs Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - changed metadata of an Informational Analytics BIOCs Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOCs Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOCs A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - changed metadata of an Informational Analytics BIOCs Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of an Informational Analytics BIOCs Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of an Informational Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of an Informational Analytics BIOCs S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of an Informational Analytics BIOCs A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs Azure AD PIM elevation request (c2d1d670-fe63-4676-8bdb-f147d6823d48) - changed metadata of an Informational Analytics BIOCs Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - changed metadata of an Informational Analytics BIOCs Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of an Informational Analytics BIOCs VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - changed metadata of an Informational Analytics BIOCs SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of an Informational Analytics BIOCs Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Remote code execution into Kubernetes Pod (8d013538-6e98-48ed-a018-fcf19866f367) - changed metadata of an Informational Analytics BIOCs Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - changed metadata of an Informational Analytics BIOCs User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOCs A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - changed metadata of an Informational Analytics BIOCs Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - changed metadata of an Informational Analytics BIOCs Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOCs Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - changed metadata of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs An identity attached an administrative policy to an IAM user (a0aa6d99-ab79-41f0-9c3b-e23ffee74e39) - changed metadata of an Informational Analytics BIOCs AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs Azure application consent (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - changed metadata of an Informational Analytics BIOCs New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOCs AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs Kubernetes secret enumeration activity (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - changed metadata of an Informational Analytics BIOCs Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - changed metadata of an Informational Analytics BIOCs Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of an Informational Analytics BIOCs A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - changed metadata of an Informational Analytics BIOCs A cloud storage configuration was modified (2443ff34-fbdb-4281-9502-f1b1a33ccb3c4) - changed metadata of an Informational Analytics BIOCs VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - changed metadata of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOCs Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOCs Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - changed metadata of an Informational Analytics BIOCs Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - changed metadata of an Informational Analytics BIOCs Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - changed metadata of an Informational Analytics BIOCs Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - changed metadata of an Informational Analytics BIOCs A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs Possible use of IPFS was detected (6089c9b0-1842-4641-adc4-64165886ae19) - changed metadata of an Informational Analytics BIOCs Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - changed metadata of an Informational Analytics BIOCs AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of an Informational Analytics BIOCs System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - changed metadata of an Informational Analytics BIOCs A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - changed metadata of an Informational Analytics BIOCs PsExec was executed with a suspicious command line (a3a029c0-dbb8-10d2-9109-8cc458cf1e6e) - changed metadata of an Informational Analytics BIOCs GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - changed metadata of an Informational Analytics BIOCs Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - changed metadata of an Informational Analytics BIOCs Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - changed metadata of an Informational Analytics BIOCs Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - changed metadata of an Informational Analytics BIOCs An identity created or updated password for an IAM user (a9bf8f7d-8d01-40b6-b1fc-a6126e9e7656) - changed metadata of an Informational Analytics BIOCs Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - changed metadata of an Informational Analytics BIOCs Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - changed metadata of an Informational Analytics BIOCs Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - changed metadata of an Informational Analytics BIOCs GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - changed metadata of an Informational Analytics BIOCs GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs User discovery via WMI query execution (d60b2b53-4d04-4b9a-b51b-9f7ce490c931) - changed metadata of an Informational Analytics BIOCs AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - changed metadata of an Informational Analytics BIOCs Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOCs Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOCs A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - changed metadata of an Informational Analytics BIOCs A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOCs Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - changed metadata of an Informational Analytics BIOCs Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOCs AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOCs Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOCs BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - changed metadata of an Informational Analytics BIOCs A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - changed metadata of an Informational Analytics BIOCs Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOCs GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOCs Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of an Informational Analytics BIOCs Possible IPFS traffic was detected (7db8528e-829d-4b64-94ad-815e054da2f8) - changed metadata of an Informational Analytics BIOCs Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs DSC (Desired State Configuration) lateral movement using PowerShell (db8cf34e-eb16-445a-a4b0-cd36ba1366a0) - changed metadata of an Informational Analytics BIOCs A Torrent client was detected on a host (5fcceaca-8602-4b62-a2a7-d16fb61f0e41) - changed metadata of an Informational Analytics BIOCs Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of an Informational Analytics BIOCs Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - changed metadata of an Informational Analytics BIOCs Rare Unix process divided files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - changed metadata of an Informational Analytics BIOCs Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - changed metadata of an Informational Analytics BIOCs Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - changed metadata of an Informational Analytics BIOCs User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - changed metadata of an Informational Analytics BIOCs A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - changed metadata of an Informational Analytics BIOCs Scheduled Task hide by registry modification (21dabd4a-1e37-4753-a8ed-be6a7e947f40) - changed metadata of an Informational Analytics BIOCs GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - changed metadata of an Informational Analytics BIOCs Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - changed metadata of an Informational Analytics BIOCs Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - changed metadata of an Informational Analytics BIOCs Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - changed metadata of an Informational Analytics BIOCs AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of an Informational Analytics BIOCs Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - changed metadata of an Informational Analytics BIOCs A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOCs A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - changed metadata of an Informational Analytics BIOCs Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - changed metadata of an Informational Analytics BIOCs Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - changed metadata of an Informational Analytics BIOCs GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - changed metadata of an Informational Analytics BIOCs Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - changed metadata of an Informational Analytics BIOCs A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - changed metadata of an Informational Analytics BIOCs Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - changed metadata of an Informational Analytics BIOCs Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - changed metadata of an Informational Analytics BIOCs Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - changed metadata of an Informational Analytics BIOCs Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - changed metadata of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - changed metadata of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - changed metadata of an Informational Analytics BIOCs MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - changed metadata of an Informational Analytics BIOCs A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of an Informational Analytics BIOCs VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - changed metadata of an Informational Analytics BIOCs AWS Root account activity (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of an Informational Analytics BIOCs Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - changed metadata of an Informational Analytics BIOCs Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - changed metadata of an Informational Analytics BIOCs Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs Temporarily removed a Informational Analytics BIOC for improvement: Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - temporarily removed Informational alert for improvement Improved logic of an Informational Analytics Alert: Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert Changed metadata of 50 Informational Analytics Alerts: NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - changed metadata of an Informational Analytics Alerts A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - changed metadata of an Informational Analytics Alerts SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - changed metadata of an Informational Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - changed metadata of an Informational Analytics Alerts Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - changed metadata of an Informational Analytics Alerts Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - changed metadata of an Informational Analytics Alerts Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - changed metadata of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - changed metadata of an Informational Analytics Alerts Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - changed metadata of an Informational Analytics Alerts SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - changed metadata of an Informational Analytics Alerts NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - changed metadata of an Informational Analytics Alerts User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - changed metadata of an Informational Analytics Alerts Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alerts A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alerts Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - changed metadata of an Informational Analytics Alerts Upload pattern that resembles Peer to Peer traffic (56641a1d-2201-4113-998c-fe4b958bf34d) - changed metadata of an Informational Analytics Alerts Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alerts Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - changed metadata of an Informational Analytics Alerts Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts Multiple discovery commands on Linux host (1499fa5b-ad53-4d60-ba2d-a3c790e20ca8) - changed metadata of an Informational Analytics Alerts Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - changed metadata of an Informational Analytics Alerts Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - changed metadata of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - changed metadata of an Informational Analytics Alerts A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alerts Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - changed metadata of an Informational Analytics Alerts Suspicious container reconnaissance activity in a Kubernetes pod (ec0013e8-b43b-4e84-ad42-b80ebcf1c0a0) - changed metadata of an Informational Analytics Alerts Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alerts Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - changed metadata of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alerts Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - changed metadata of an Informational Analytics Alerts Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alerts Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alerts SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - changed metadata of an Informational Analytics Alerts IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - changed metadata of an Informational Analytics Alerts Impossible travel by a cloud identity (1a4aae10-38f7-436e-aa77-ad3db460b4c3) - changed metadata of an Informational Analytics Alerts A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alerts Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - changed metadata of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - changed metadata of an Informational Analytics Alerts Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - changed metadata of an Informational Analytics Alerts Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - changed metadata of an Informational Analytics Alerts Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - changed metadata of an Informational Analytics Alerts Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - changed metadata of an Informational Analytics Alerts User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - changed metadata of an Informational Analytics Alerts August 21 2023 Release: Added 2 new Low Analytics BIOCs: Billing admin role was removed (2a6e6c44-40cf-47c1-8276-67dea08eb4c6) - added a new Low alert A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - added a new Low alert Improved logic of 3 Low Analytics BIOCs: Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - improved logic of a Low Analytics BIOCs Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOCs Improved logic of a Low Analytics Alert: Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert Temporarily removed a Low Analytics Alert for improvement: Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - temporarily removed Low alert for improvement Decreased the severity to Informational for an Analytics BIOC: Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - decreased the severity to Informational, and improved detection logic Added 2 new Informational Analytics BIOCs: A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - added a new Informational alert Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - added a new Informational alert Improved logic of 5 Informational Analytics BIOCs: Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - improved logic of an Informational Analytics BIOCs Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - improved logic of an Informational Analytics BIOCs Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOCs An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOCs Improved logic of 4 Informational Analytics Alerts: Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alerts   August 14 2023 Release: Increased the severity to High for an Analytics BIOC: Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - increased the severity to High, and improved detection logic Improved logic of 4 High Analytics BIOCs: Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of a High Analytics BIOCs Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOCs A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs Improved logic of 4 Medium Analytics BIOCs: Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOCs Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - removed an old Medium alert Improved logic of a Medium Analytics Alert: Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alert Changed metadata of a Medium Analytics Alert: NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert Decreased the severity to Low for 2 Analytics BIOCs: Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Low Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - decreased the severity to Low, and improved detection logic Added 5 new Low Analytics BIOCs: Copy a user's GnuPG directory with rsync (759d73fc-246b-4d3a-bd34-027174dfb9fc) - added a new Low alert Download a script using the python requests module (73619608-e776-4837-98dd-1ac6339ce4d5) - added a new Low alert Suspicious Print System Remote Protocol usage by a process (f9d3b9e8-68f0-4510-bc01-895fd1e45256) - added a new Low alert Compressing data using python (1a8bbf16-65ad-46de-86aa-0091f0e529a1) - added a new Low alert A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - added a new Low alert Improved logic of 7 Low Analytics BIOCs: An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - improved logic of a Low Analytics BIOCs Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOCs Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOCs Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - improved logic of a Low Analytics BIOCs Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - improved logic of a Low Analytics BIOCs Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - improved logic of a Low Analytics BIOCs Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - improved logic of a Low Analytics BIOCs Changed metadata of 3 Low Analytics BIOCs: Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs Added a new Low Analytics Alert: A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - added a new Low alert Improved logic of 8 Low Analytics Alerts: Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts Changed metadata of 6 Low Analytics Alerts: Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alerts Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alerts Decreased the severity to Informational for an Analytics BIOC: A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - decreased the severity to Informational Added 8 new Informational Analytics BIOCs: A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - added a new Informational alert A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - added a new Informational alert A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - added a new Informational alert Unusual access to the Windows Internal Database on an ADFS server (4e37d789-4249-4dc1-b390-57216ee663c8) - added a new Informational alert A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - added a new Informational alert Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - added a new Informational alert A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - added a new Informational alert Cloud Disk Snapshot Creation or Modification (a41624fc-22e0-11ed-acc2-00155d825142) - added a new Informational alert Improved logic of 12 Informational Analytics BIOCs: Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - improved logic of an Informational Analytics BIOCs File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOCs Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOCs A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - improved logic of an Informational Analytics BIOCs Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - improved logic of an Informational Analytics BIOCs Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - improved logic of an Informational Analytics BIOCs Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - improved logic of an Informational Analytics BIOCs A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOCs SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs Changed metadata of 15 Informational Analytics BIOCs: First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOCs Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOCs First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - changed metadata of an Informational Analytics BIOCs First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - changed metadata of an Informational Analytics BIOCs Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - changed metadata of an Informational Analytics BIOCs Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of an Informational Analytics BIOCs A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - changed metadata of an Informational Analytics BIOCs First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs Removed an old Informational Analytics BIOC: A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - removed an old Informational alert Added a new Informational Analytics Alert: Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - added a new Informational alert Improved logic of 5 Informational Analytics Alerts: Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alerts A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alerts Changed metadata of 10 Informational Analytics Alerts: Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alerts A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - changed metadata of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alerts A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alerts A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alerts Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alerts Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alerts A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alerts Removed 3 old Informational Analytics Alerts: Download pattern that resembles Peer to Peer traffic (4c325fcd-7574-435d-a83d-46d6633749f8) - removed an old Informational alert Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - removed an old Informational alert Suspicious ICMP traffic (bd17a758-e4b8-43fc-a6a6-4510f71b5d07) - removed an old Informational alert   July 17 2023 Release: Improved logic of a High Analytics BIOC: A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOC Improved logic of 2 Medium Analytics BIOCs: Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs Removed an old Medium Analytics BIOC: Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - removed an old Medium alert Improved logic of 5 Medium Analytics Alerts: NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alerts Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alerts DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts Improved logic of 7 Low Analytics BIOCs: Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOCs Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOCs A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - improved logic of a Low Analytics BIOCs Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - improved logic of a Low Analytics BIOCs A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOCs Improved logic of 17 Low Analytics Alerts: Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - improved logic of a Low Analytics Alerts Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alerts Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Low Analytics Alerts Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts Rare LDAP enumeration (fcb12ef3-ac18-40c0-947c-c2891c6ecaf7) - improved logic of a Low Analytics Alerts A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alerts Added a new Informational Analytics BIOC: User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - added a new Informational alert Improved logic of 6 Informational Analytics BIOCs: Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOCs Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOCs Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOCs Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of an Informational Analytics BIOCs Changed metadata of 2 Informational Analytics BIOCs: Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - changed metadata of an Informational Analytics BIOCs Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - changed metadata of an Informational Analytics BIOCs Improved logic of 15 Informational Analytics Alerts: A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts Upload pattern that resembles Peer to Peer traffic (56641a1d-2201-4113-998c-fe4b958bf34d) - improved logic of an Informational Analytics Alerts NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts Download pattern that resembles Peer to Peer traffic (4c325fcd-7574-435d-a83d-46d6633749f8) - improved logic of an Informational Analytics Alerts A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts Suspicious ICMP traffic (bd17a758-e4b8-43fc-a6a6-4510f71b5d07) - improved logic of an Informational Analytics Alerts Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - improved logic of an Informational Analytics Alerts SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts    

  March 2024 UPCOMING EVENTS Parsing and Correlation Rules Webinar Series  Register now for the last part of the webinar series: Parsing & Correlation Rules - Improving Application Security with Correlations. Register here: Part 3   Investigation and Threat Hunting Virtual Workshop  Calling all customers to join our 3-hour virtual workshop designed to sharpen your investigation and threat-hunting skills with hands-on experience.  >> Register here     CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form      Recent CS Webinar Watch Part 2 of the webinar series: The Core Of Detection   Watch All   New How-to Videos Check this video to learn about the latest features added: What's New in XDR 3.9  Calling all security teams! Watch the video and start using the Correlation Rules feature: Enhancing Utilization for Security Teams   Watch this video and learn how to get more out of Host Insights: Practical Applications of Host Insights  Watch All   PRODUCT ANNOUNCEMENTS & RELEASE NOTES XDR Agent 8.1 will reach its End-of-Life on April 9, 2024. We recommend reviewing the EOL page to stay informed on the next End-of-Life dates.   Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under "Dynamic updates."  

  February 2024 UPCOMING EVENTS Parsing and Correlation Rules Webinar Series  Register now for Part 2 of the webinar series: Correlation Rules - the core of detection.  You may review the recording for Part 1 in the On-Demand section below  Register here: Part 2  |  Part 3   Investigation and Threat Hunting Virtual Workshop  Calling all customers to join our 3-hour virtual workshop designed to sharpen your investigation and threat-hunting skills with hands-on experience.  >> Register here     CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form      Recent CS Webinar Watch Part 1 of the webinar series: Getting Started with Parsing Rules  Did you register for Part 2? Click here to secure your spot Watch All   New How-to Videos Get started with Correlation Rules: Correlation Rules Configuration Learn how to use Threat Hunting using XDR collector: Threat Hunting Using XDR Collector on non-Managed Windows Endpoint Watch All   PRODUCT ANNOUNCEMENTS & RELEASE NOTES XDR Agent 8.1 will reach its End-of-Life on April 9, 2024. We recommend reviewing the EOL page to stay informed on the next End-of-Life dates. Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under "Dynamic updates".  

  January 2024 UPCOMING EVENTS Parsing and Correlation Rules Webinar Series Register now for our upcoming webinar series: Parsing and Correlation Rules - from Fundamentals to Practical Applications, starting on Jan 31st.  Register below: Part 1 |  Part 2  |  Part 3   Investigation and Threat Hunting Virtual Workshop  Calling all customers to join our 3-hour virtual workshop designed to sharpen your investigation and threat-hunting skills with hands-on experience.  >> Register here     CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form      New How-to Videos Learn how to leverage the Automation Rule feature, available for XDR Pro licenses, in this video: Simple Automation Rules  Learn how to manage and control devices with XDR feature: Device Control Watch All   EOL ANNOUNCEMENTS & RELEASE NOTES  Don't forget to migrate to the new Broker VM image (released last July) no later than January 23, 2024.  Here are the instructions for the migration process.  If you have any questions, you may seek for assistance through the Customer Support Portal.      We recommend reviewing the EOL page to stay informed about the next End-of-Life dates.    XDR Agent 8.2.1 maintenance release is scheduled for General Availability on January 9th, 2024. We strongly recommend upgrading to the newest release of the agent line. The complete list of issues included in this maintenance release can be found here: Release Notes.    Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under "Dynamic updates".  

Overview: Data Retention Enforcement    As part of the Cortex XDR V. 3.5 release (planned for December 2022), Palo Alto Networks will start enforcing data retention according to your license entitlement.   Your base license provides you with 30 days of hot retention for all ingested data, as well as 180 days of hot retention for alert and incident data.   Retention Extension Options   You can easily extend the retention period according to your needs by purchasing one of our period-based retention extension add-ons:   Retention Add-on Description Endpoint data hot retention An additional 30 days of hot storage for XDR ProEP/Cloud of the Endpoint-ingested data beyond the 30 days in the base license Other ingested data hot retention An additional 30 days of hot storage for XDR ProTB of the entire ingested data (excluding endpoints) beyond the 30 days in the base license Endpoint data cold retention An additional 30 days of cold storage for XDR ProEP/Cloud of the Endpoint-ingested data beyond the 30 days in the base license Other ingested data cold retention An additional 30 days of cold storage for XDR ProTB of the entire ingested data (excluding endpoints) beyond the 30 days in the base license By the end of September 2022, we will be introducing new retention add-ons enabling you to extend retention only for alerts and incidents data beyond the default 180 days   Retention Add-on Description Endpoint alerts and incidents hot retention An additional 30 days of storage for XDR ProEP/Cloud of Alerts & Incidents data beyond the 180 days in the base license Alerts and incidents (all other sources) hot retention An additional 30 days of storage for XDR ProTB of Alerts & Incidents data beyond the 180 days in the base license   FAQs   Q: When will Palo Alto Networks start to enforce retention? A: Retention enforcement is planned as part of the GA release of Cortex XDR V. 3.5 (December 2022).   Q: What is the default retention period included in the base license? A: Cortex XDR Pro per Endpoint, Cortex XDR Cloud per Host, Cortex XDR Pro per TB and XSIAM bundles include 30 days of hot retention for all ingested data (both EP and TB) as well as 180 days of hot retention for Alerts and Incidents data.   Q: What kind of data is covered by the alerts and incidents data retention add-on? A: All alerts and incidents that were created within the retention period will be retained. This will include alerts and incidents metadata as well as alert causality chains (including process data and analytics profiles).   Q: Can I choose what kind of data to retain? A: There is no per-dataset retention configuration at the moment, but customers can choose to extend retention for the entire ingested data or alerts and Incidents only (note that both can be combined for different retention periods). We plan to offer data retention per dataset in the future.   Q: Can extended retention be purchased in the middle of a contract or only upon renewal? A: Retention add-ons are co-termed with the base license, and can be purchased at any time.   Q: How is data truncated? E.g: LIFO or FIFO A: Data retention is period-based, and once the retention period elapses, data older than retention period is deleted (FIFO).   Q: Where can I find my retention entitlement?  A: Retention add-ons are listed under license details (Settings → Cortex XDR License). In addition, the retention period is also listed on the “Dataset” management screen (Settings → Configurations → Dataset Management).     You can find the latest updates regarding data retention in our FAQ here.

Check out the latest updates, upcoming events, and the newest educational videos! 

  November 2023   UPCOMING EVENTS Customer Success Webinar Monitoring with XQL Join us on Nov 29th for a CS webinar and expand your monitoring capabilities using XQL! >> Register here     Investigation and Threat Hunting Virtual Workshop  Calling all customers to join our 3-hour virtual workshop designed to sharpen your investigation and threat-hunting skills with hands-on experience.  >> Register here     CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form       Recent CS Webinars If you missed Forensics Part 1, catch it here: Uncover the Power of Forensics  Discover the world of Forensics investigation in this webinar series. Watch Forensics webinar Part 2:  Investigating with and without an agent  Want to learn more about Forensics and Threat Hunting capabilities of Unit 42?  Watch this webinar: Gaining the Edge with Unit 42 Watch All   New How-to Videos Learn about the Malicious Safe Mode feature available for Coretx XDR/XSIAM: Malicious Safe Mode Rebooting Protection Watch this video and learn how to get full visibility into encrypted Windows and Mac endpoints: Disk Encryption  Watch All   Latest Security Blogs & Articles Read the blog and discover the power of Threat Identity automation: Unleash the Power of Identity Threat Intelligence with Automation    Explore More EOL ANNOUNCEMENTS & RELEASE NOTES  A new Broker VM image was released back in July 2023. We strongly recommend migrating to it by no later than January 23, 2024. This one-time upgrade ensures that going forward, you can upgrade to the latest supported Broker VM version and continue to benefit from new features. Instructions for the migration process are explained here.  If you have any questions, contact us through the Customer Support Portal.      We would like to remind you XDR Agent 7.9 has reached its end of life. We recommend periodically reviewing the EOL page to stay informed.  Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under "Dynamic updates".    

October 2023   UPCOMING EVENTS Customer Success Webinar Series: Discover the World of Forensics! Join us on Oct 25th for part 2 of this webinar series and learn how to master forensics investigations. Scroll to 'Recent CS webinar' to watch Part 1 Register for Part 2    CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form    Recent CS Webinar  Discover the world of Forensics investigation in this webinar series. Watch Forensics webinar Part 1: Uncover the Power of Forensics   Watch All   New How-to Videos Learn how to properly enable Endpoint Data Collection by watching the short Cortex XDR Training video bites: EDR Enablement Review Cortex XDR Training video bites for pro tips and best practices: Agent Installation  Start leveraging the XDR Agent Analytics Engine to boost your security coverage. Watch this short video series to learn more. Cortex XDR Training: XDR Agent Analytics Engine   Watch All   Latest Security Blogs & Articles Read the blog and learn how Only Cortex Delivers 100% Protection and Detection in Mitre Engenuity Learn how to leverage Yara Rules in Cortex portfolio: Execute Yara Rules Using Cortex  Dive into the latest insights on emerging cyber threats and vulnerabilities gathered from extensive exposure and threat data collected over 12 months with Cortex Xpanse: Attack Surface Threat Report   Palo Alto Networks was named as a LEADER in the Forrester Wave™: Zero Trust Platform Providers, Q3 2023 report. Read the report: Zero Trust Platform Explore More   PRODUCT ANNOUNCEMENTS & RELEASE NOTES XDR Agent 8.0 will reach EOL on Dec 19, 2023.  We recommend periodically reviewing the EOL page to stay informed.    Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under "Dynamic updates".           

September 2023   UPCOMING EVENTS Customer Success Webinar Series: Discover the World of Forensics! Join us on Sep 27th and Oct 25th to to uncover the power of Forensics and master forensics investigations. Make sure to register for the entire series below: Register for Part 1  |  Register for Part 2    Investigation and Threat Hunting Virtual Workshop  Calling all customers to join our 3-hour virtual workshop designed to sharpen your investigation and threat-hunting skills with hands-on experience.  >> Register here     CS Webinar Survey We value your input! Help shape our next webinars by sharing the topic you'd like to learn more about.  >> Fill out the form       Recent CS Webinar Watch this on-demand webinar and learn about Exceptions Configuration. Make sure to review the additional resources added at the bottom of the article. Watch All   New How-to Videos Watch these short video-bites and learn about the configuration and setup of the on-prem Cloud Identity Agent. Get familiarized with the Broker VM Deployment and Configuration process. Learn how to incorporate a new NGFW to Collection Integration with your Cortex XDR.     Watch All   Latest Security Blogs & Articles This article sheds some light on the unreported phishing campaign targeting Facebook business accounts and provides an analysis of the malware. Read to learn how Cortex XDR & XSIAM helps protect against the threats of NodeStealer 2.0.    Recently, Unit 42 researchers have observed an uptick in Mallox Ransomware activities, click to read the full threat assessment.  Explore More Technical Courses Check out the latest digital learning technical courses: Cortex XDR 3.7: What's New XDR Main Components   View All     EOL ANNOUNCEMENTS & RELEASE NOTES    We would like to remind you XDR Agent 7.9 has reached its end of life. We recommend periodically reviewing the EOL page to stay informed.  Click on the following links for the latest release notes: Cortex XDR Release Notes (Help Center) Cortex XDR Agent Release Notes (Help Center) Cortex XDR Analytics Release Notes (LIVEcommunity) Note: Content Update release notes for the Cortex XDR agent can be found in the Customer Support Portal under "Dynamic updates".

In this blog post, we will provide some key tips and best practices for utilizing XQL more effectively, optimizing query performance, and leveraging its powerful features to streamline your data analysis workflows.  

Palo Alto Networks, a leading cybersecurity company, has recently partnered with Chrome Enterprise, Google's business-focused solution for Chrome devices. This integration aims to enhance IT infrastructure management, improve application security, and streamline user access. By combining the capabilities of Palo Alto Networks' solutions with Chrome Enterprise's robust features, organizations can achieve a safer workforce and a more efficient enterprise environment.   The integration between Palo Alto Networks and Chrome Enterprise represents a significant advancement in IT infrastructure management and security. By enabling centralized device management, enhancing security visibility, and providing a seamless user experience, this partnership empowers enterprises to protect their workforce and data more effectively. With the Connectors Framework and Reporting Connectors, security investigations become more efficient, enabling proactive threat detection and automated incident response. As organizations embrace the Chrome Enterprise Connection program, they can leverage the power of Palo Alto Networks' solutions to strengthen their security posture and streamline operations in an ever-evolving threat landscape.   Centralized IT Infrastructure Management   Through this partnership, customers gain the ability to centrally manage their IT infrastructure endpoints. Managed devices, including MacOS, Linux, Windows, iOS, and Android, can be seamlessly integrated with Palo Alto Networks' XDR agent installation. Additionally, unmanaged devices can leverage this integration by ingesting Google Chrome into the XDR management console for enhanced security management. This centralization simplifies device management and ensures consistent security measures across the organization.   Enhanced Security for Workforce and World   The partnership between Palo Alto Networks and Chrome Enterprise significantly contributes to creating a safer workforce and world. With central management capabilities for enterprise devices, organizations gain full control and visibility over managed devices. Furthermore, unmanaged devices benefit from increased security visibility, which encompasses various aspects such as Chrome Browser extension installations, malware downloads, malicious website visits, and data leakage. By proactively addressing these security threats, businesses can better protect their employees and sensitive information.   Improved Employee Experience for Chrome Enterprise Customers   For enterprises enrolled in the Chrome Enterprise Recommended program, the partnership delivers an enhanced employee experience. The integration enables seamless utilization of Google Chrome Enterprise security features, providing end-users with transparent protection against potential threats. Simultaneously, the integration allows for centralized management through a single console, simplifying security measures and ensuring consistent adherence to security protocols.   Connectors Framework and Reporting Connectors   The announcement of the Connectors Framework and Reporting Connectors was driven by an increase in security investigations. These two features play a crucial role in today's security landscape by consolidating all alerts into a unified view, granting Security Operations Center (SOC) teams complete visibility across all devices, irrespective of whether agents are installed. Leveraging the integration of Palo Alto Networks' XSOAR and XSIAM, security teams can automate playbooks to remediate security events promptly. For instance, upon detecting multiple suspicious actions from a user, such as visiting malicious websites or attempting unauthorized data uploads, the system can automatically sign out the user, reset their password, and prompt re-validation.   How to Set up Chrome Enterprise Connectors in Cortex:   Log into your Palo Alto Networks Cortex instance at https://cortex-gateway.paloaltonetworks.com.  Under Settings > Configurations > Custom Collectors, click the Add Instance button (or click on an instance of a HTTP log collector) to create a new repository or select an existing one that you want to send Chrome browser security events to.  When you create a new repository, you need to give it a name, select JSON as Log Format, set the Compression as uncompressed, and enter the Vendor and Product names.   Note: If you don’t enter a Vendor or Product, Cortex XDR will label the dataset as “unknown_unknown_raw”.    4. Click Save & Generate Token and copy the token that is generated. You will need to enter this into the admin console in the following section.   For more information, you can refer to the Cortex Help Center: Set up an HTTP Log Collector to Receive Logs:   Log in to the Google Admin console at admin.google.com and select the organizational unit that contains the enrolled browsers from which you want to send security events to Palo Alto Networks. Navigate to Devices>Chrome>Users and Browsers. Add a filter for “event reporting”. Under Browser reporting>Event reporting, select Enable event reporting.    Under the additional settings, you can specify which events you want to send to Palo Alto Networks Cortex XDR.   Now that the events are turned on, click on the blue hyperlink called “Reporting connector provider configurations” to take you to the connector provider configurations, or it can be found under Devices>Chrome>Connectors. Click the New Provider Configuration button and select Palo Alto Networks as the provider. Enter the configuration name that you want this connector to display as in the Google Admin console. Enter the hostname of your Palo Alto Networks instance and the ingest token value from step 4 of the last section You can find your instance URL under Settings>Configurations>Data Collection>Custom Collectors and select the collector that you just created Click the three dots and select Copy API URL Remove the ‘https://’ and anything after the ‘.com’ to use as the hostname in the admin console e.g.  https://chrome.xdr.us.paloaltonetworks.com/logs/v1/event   Press the Add Configuration to save.   Select the Organizational Unit that has reporting events enabled and select the Chrome Palo Alto Networks connector that was created in the previous step and hit Save.   After the integration, you can get logs/alerts from the Chrome Browser in the XDR/XSIAM console.  Generate incidents based on Correlation Rules     Dashboard for Chrome-related security alerts.     Automate and remediate incidents/alerts with playbooks if you using XSIAM or Cortex XSOAR.    

This article will walk through how to access critical data needed to effectively troubleshoot XDR agents that are in a degraded operational state using XQL queries.  

Let's walkthrough a PoC of using Cortex XDR to block software installations —.msi and .exe file extensions — in a test environment.

Cortex XDR Global Analytics & Supply Chain Attacks Read this instructive article about Cortex XDR Global Analytics and how it protects against Supply chain attacks.  We invite you to watch our customer success webinar: XDR Global Analytics     Cortex XDR   

Automating XDR Investigation and Response Learn how SOC teams can utilize the best of both XDR’s extended endpoint threat detection and response with XSOAR’s workflow automation, orchestration, and threat intelligence capabilities to become more effective using the Palo Alto Networks Cortex XDR — Investigation and Response content pack. Read the lasted playbook of the week blog and learn more about case management using Cortex XDR and Cortex XSOAR. Cortex XDR    Have a question about it? Post it on the Cortex XDR discussion page