Cortex XDR Content Release Notes

*Deprecation alert*

This page has been deprecated; all newer release notes can be found here.

February 28 2024 Release:

  • Improved logic of a Low Analytics BIOC:
    • Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - improved logic of a Low Analytics BIOC
  • Improved logic of 2 Low Analytics Alerts:
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - improved logic of a Low Analytics Alert
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alert
  • Improved logic of 15 Informational Analytics BIOCs:
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOC
    • Cloud compute serial console access (4fa4a3ce-ce13-4dca-bbf5-629476822259) - improved logic of an Informational Analytics BIOC
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOC
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOC
    • A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - improved logic of an Informational Analytics BIOC
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - improved logic of an Informational Analytics BIOC
    • A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOC
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOC
    • Network sniffing detected in Cloud environment (932986f4-e765-40a5-9517-aa9ba5bf2e7a) - improved logic of an Informational Analytics BIOC
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOC
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOC
    • A container registry was created or deleted (5dd2d962-b742-11ed-9e0e-acde48001122) - improved logic of an Informational Analytics BIOC
  • Improved logic of 8 Informational Analytics Alerts:
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert
    • Impossible travel by a cloud identity (1a4aae10-38f7-436e-aa77-ad3db460b4c3) - improved logic of an Informational Analytics Alert
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - improved logic of an Informational Analytics Alert
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alert
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alert
    • Cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of an Informational Analytics Alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alert
  • Increased the severity to Low for a BIOC:
    • Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - increased the severity to Low

February 21 2024 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOC
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
  • Improved logic of 6 Medium Analytics BIOCs:
    • Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOC
    • Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - improved logic of a Medium Analytics BIOC
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOC
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOC
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOC
  • Improved logic of 13 Low Analytics BIOCs:
    • First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - improved logic of a Low Analytics BIOC
    • MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - improved logic of a Low Analytics BIOC
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - improved logic of a Low Analytics BIOC
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of a Low Analytics BIOC
    • Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - improved logic of a Low Analytics BIOC
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOC
    • Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - improved logic of a Low Analytics BIOC
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOC
    • Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - improved logic of a Low Analytics BIOC
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOC
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOC
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOC
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - improved logic of a Low Analytics BIOC
  • Added a new Low Analytics Alert:
    • Multiple discovery commands (921ffd42-455f-4182-9209-8fe9893c85e0) - added a new Low alert
  • Improved logic of 7 Low Analytics Alerts:
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alert
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alert
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alert
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alert
    • Multiple Azure AD admin role removals (fea22348-d47e-4b5f-9896-6ab8e34d00a1) - improved logic of a Low Analytics Alert
  • Added 2 new Informational Analytics BIOCs:
    • Cloud compute serial console access (4fa4a3ce-ce13-4dca-bbf5-629476822259) - added a new Informational alert
    • An identity started an AWS SSM session (e08bf777-125c-422b-985c-cb98939cad79) - added a new Informational alert
  • Improved logic of 44 Informational Analytics BIOCs:
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOC
    • Azure application consent (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOC
    • A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - improved logic of an Informational Analytics BIOC
    • Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOC
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOC
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
    • Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - improved logic of an Informational Analytics BIOC
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOC
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - improved logic of an Informational Analytics BIOC
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOC
    • BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - improved logic of an Informational Analytics BIOC
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOC
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOC
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOC
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOC
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOC
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOC
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - improved logic of an Informational Analytics BIOC
    • A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOC
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOC
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOC
    • Azure device code authentication flow used (c4a24d4f-1c7b-4a3d-a775-1e2a363d917e) - improved logic of an Informational Analytics BIOC
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of an Informational Analytics BIOC
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOC
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOC
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOC
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOC
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOC
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOC
    • Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOC
    • VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOC
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOC
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - improved logic of an Informational Analytics BIOC
  • Decreased the severity to Informational for 2 Analytics Alerts:
    • Multiple discovery-like commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - decreased the severity to Informational
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 5 Informational Analytics Alerts:
    • User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alert
    • Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - improved logic of an Informational Analytics Alert
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alert
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alert
    • A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - improved logic of an Informational Analytics Alert
  • Changed metadata of an Informational Analytics Alert:
    • External Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of an Informational Analytics Alert

February 14 2024 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
  • Added 3 new Low Analytics BIOCs:
    • Rare DCOM RPC activity (9c37ef68-75ae-4f33-87c7-6381bd5f3470) - added a new Low alert
    • Rare Scheduled Task RPC activity (fc8b21f4-5cc9-4b9b-b4b2-e33ac1b0d744) - added a new Low alert
    • An uncommon executable was remotely written over SMB to an uncommon destination (a859158d-fc75-4d4d-9a2c-56365fe35d63) - added a new Low alert
  • Improved logic of 9 Low Analytics BIOCs:
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOC
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of a Low Analytics BIOC
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOC
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - improved logic of a Low Analytics BIOC
    • Sensitive browser credential files accessed by a rare non-browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOC
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOC
    • Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - improved logic of a Low Analytics BIOC
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - improved logic of a Low Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - changed metadata of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
  • Improved logic of 12 Informational Analytics BIOCs:
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOC
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOC
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOC
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOC
    • Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - improved logic of an Informational Analytics BIOC
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • An operation was performed by an identity from a domain that was not seen in the organization (16d5b9bf-3bb9-47d9-b2bd-3e2477b1a554) - improved logic of an Informational Analytics BIOC
    • AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - improved logic of an Informational Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOC
    • Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - improved logic of an Informational Analytics BIOC
    • Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOC
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - changed metadata of an Informational Analytics BIOC
  • Improved logic of 4 Informational Analytics Alerts:
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alert
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alert
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alert
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alert

January 31 2024 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Low Analytics BIOCs:
    • Possible DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOC
    • Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - changed metadata of a Low Analytics BIOC
  • Added a new Informational Analytics BIOC:
    • Globally uncommon root-domain port combination by a common process (sha256) (bab5b000-ad72-4901-9527-9c7c15aceed2) - added a new Informational alert
  • Improved logic of an Informational Analytics BIOC:
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - changed metadata of an Informational Analytics BIOC
    • Possible DLL Side-Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - changed metadata of an Informational Analytics BIOC


January 24 2024 Release:

  • Improved logic of a High Analytics BIOC:
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOC
  • Improved logic of 3 Medium Analytics BIOCs:
    • Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOC
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOC
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOC
  • Improved logic of 6 Low Analytics BIOCs:
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOC
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOC
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOC
    • Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOC
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOC
    • Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - improved logic of a Low Analytics BIOC
  • Improved logic of 5 Low Analytics Alerts:
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alert
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alert
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alert
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alert
  • Improved logic of an Informational BIOC:
    • Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - improved logic of an Informational BIOC
  • Added a new Informational Analytics BIOC:
    • AWS SSM send command attempt (2cc1b5c3-e424-45a9-ab84-17ea9ceb55b7) - added a new Informational alert
  • Improved logic of 20 Informational Analytics BIOCs:
    • A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOC
    • A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOC
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOC
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOC
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOC
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOC
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - improved logic of an Informational Analytics BIOC
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOC
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOC
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOC
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOC
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOC
    • A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOC
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOC
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOC
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - improved logic of an Informational Analytics BIOC
    • Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - improved logic of an Informational Analytics BIOC
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • Suspicious container runtime connection from within a Kubernetes Pod (b233c447-3312-429a-ab01-3a607104bb3a) - changed metadata of an Informational Analytics BIOC
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOC
  • Removed an old Informational Analytics BIOC:
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - removed an old Informational alert
  • Decreased the severity to Informational for an Analytics Alert:
    • Cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 11 Informational Analytics Alerts:
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alert
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alert
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alert
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alert
    • User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alert
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alert
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alert
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alert
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alert
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alert
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alert


January 17 2024 Release:

  • Improved logic of a Medium Analytics BIOC:
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC
  • Improved logic of a Low Analytics BIOC:
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOC
  • Decreased the severity to Informational for 2 Analytics BIOCs:
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - decreased the severity to Informational, and improved detection logic
    • Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - decreased the severity to Informational
  • Improved logic of 5 Informational Analytics BIOCs:
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOC
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOC
    • A container registry was created or deleted (5dd2d962-b742-11ed-9e0e-acde48001122) - improved logic of an Informational Analytics BIOC
  • Temporarily removed an Informational Analytics BIOC for improvement:
    • An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - temporarily removed Informational alert for improvement
  • Improved logic of an Informational Analytics Alert:
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alert
January 10 2024 Release:

  • Improved logic of 2 High Analytics BIOCs:
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOC
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
  • Changed metadata of a High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Improved logic of 6 Medium Analytics BIOCs:
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC
    • A mail forwarding rule was configured in Google Workspace (227ff69a-14aa-4c40-a328-a846c73b1d07) - improved logic of a Medium Analytics BIOC
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 3 Medium Analytics BIOCs:
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOC
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOC
    • Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOC
  • Removed an old Medium Analytics BIOC:
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - removed an old Medium alert
  • Temporarily removed 2 Medium Analytics BIOCs for improvement:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - temporarily removed a Medium alert for improvement
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - temporarily removed a Medium alert for improvement
  • Improved logic of a Medium Analytics Alert:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
  • Removed an old Low BIOC:
    • Image File Execution Options Registry key injection by scripting engine (f8ea70da-4bbd-44a7-9b32-0abc809dd2be) - removed an old Low alert
  • Decreased the severity to Low for an Analytics BIOC:
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - decreased the severity to Low, and improved detection logic
  • Added 2 new Low Analytics BIOCs:
    • Image file execution options (IFEO) registry key set (393619bb-6197-46f4-bd9f-0246bf014381) - added a new Low alert
    • Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - added a new Low alert
  • Improved logic of 37 Low Analytics BIOCs:
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - improved logic of a Low Analytics BIOC
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOC
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOC
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - improved logic of a Low Analytics BIOC
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - improved logic of a Low Analytics BIOC
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOC
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - improved logic of a Low Analytics BIOC
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - improved logic of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOC
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOC
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - improved logic of a Low Analytics BIOC
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - improved logic of a Low Analytics BIOC
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - improved logic of a Low Analytics BIOC
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOC
    • Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - improved logic of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOC
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - improved logic of a Low Analytics BIOC
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOC
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOC
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - improved logic of a Low Analytics BIOC
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - improved logic of a Low Analytics BIOC
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - improved logic of a Low Analytics BIOC
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOC
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - improved logic of a Low Analytics BIOC
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOC
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of a Low Analytics BIOC
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOC
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOC
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOC
    • Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOC
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOC
    • Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOC
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOC
  • Changed metadata of 14 Low Analytics BIOCs:
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOC
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Low Analytics BIOC
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOC
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOC
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOC
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - changed metadata of a Low Analytics BIOC
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOC
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOC
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOC
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOC
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOC
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOC
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOC
  • Removed an old Low Analytics BIOC:
    • Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - removed an old Low alert
  • Added a new Low Analytics Alert:
    • Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - added a new Low alert
  • Improved logic of 21 Low Analytics Alerts:
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alert
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alert
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alert
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alert
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alert
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alert
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alert
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alert
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alert
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alert
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alert
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - improved logic of a Low Analytics Alert
  • Added a new Informational BIOC:
    • Out of band testing domain connection (ac36d4cc-d764-419c-8970-54916b05bda4) - added a new Informational alert
  • Changed metadata of an Informational BIOC:
    • Common Apple process name missing Apple digital signature (f75bf626-24c2-4891-b7e5-8b78dbb10b85) - changed metadata of an Informational BIOC
  • Added 54 new Informational Analytics BIOCs:
    • An AWS ElastiCache security group was created (d417b2b4-b091-11ed-9b28-acde48001122) - added a new Informational alert
    • A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - added a new Informational alert
    • An Azure DNS Zone was modified (964d4524-b743-11ed-9835-acde48001122) - added a new Informational alert
    • A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment (0e24887e-b6c1-11ed-a5dc-acde48001122) - added a new Informational alert
    • An Azure Point-to-Site VPN was modified (bf00d118-b743-11ed-bb97-acde48001122) - added a new Informational alert
    • Azure device code authentication flow used (c4a24d4f-1c7b-4a3d-a775-1e2a363d917e) - added a new Informational alert
    • Azure Kubernetes events were deleted (e31af74a-b741-11ed-b996-acde48001122) - added a new Informational alert
    • An Azure firewall rule group was modified (bedc4338-b6c0-11ed-ba3b-acde48001122) - added a new Informational alert
    • An identity accessed Azure Kubernetes Secrets (8965581e-b742-11ed-9c12-acde48001122) - added a new Informational alert
    • An AWS S3 bucket configuration was modified (cb35ca90-b095-11ed-aa36-acde48001122) - added a new Informational alert
    • An Azure Firewall Rule Collection was modified (2dd88838-b742-11ed-96a1-acde48001122) - added a new Informational alert
    • An AWS Lambda function was modified (cb2184e8-b095-11ed-bda0-acde48001122) - added a new Informational alert
    • An AWS ElastiCache security group was modified or deleted (cb631bb4-b095-11ed-ad10-acde48001122) - added a new Informational alert
    • Removal of an Azure Owner from an Application or Service Principal (d7ee38c8-b741-11ed-a1f0-acde48001122) - added a new Informational alert
    • An Azure VPN Connection was modified (b6309f90-b6c0-11ed-b3e4-acde48001122) - added a new Informational alert
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - added a new Informational alert
    • An AWS Lambda Function was created (cada7046-b095-11ed-8064-acde48001122) - added a new Informational alert
    • An Azure Firewall was modified (7f431eb8-b742-11ed-96f7-acde48001122) - added a new Informational alert
    • An Email address was added to AWS SES (35757db4-c253-11ed-b745-acde48001122) - added a new Informational alert
    • AWS SecurityHub findings were modified (cb4a260c-b095-11ed-bde9-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role or Cluster-Role was modified (b3def2e8-b743-11ed-9cec-acde48001122) - added a new Informational alert
    • An AWS SES Email sending settings were modified (cb5a1bf4-b095-11ed-bf05-acde48001122) - added a new Informational alert
    • An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - added a new Informational alert
    • An Azure Key Vault was modified (94e3d9cc-b742-11ed-94cd-acde48001122) - added a new Informational alert
    • An identity was granted permissions to manage user access to Azure resources (79046206-b743-11ed-9133-acde48001122) - added a new Informational alert
    • An Azure virtual network Device was modified (6d9c8858-b741-11ed-b0e7-acde48001122) - added a new Informational alert
    • An AWS SES identity was deleted (caf89d0a-b095-11ed-8f65-acde48001122) - added a new Informational alert
    • Modification or Deletion of an Azure Application Gateway Detected (c96e5e48-b743-11ed-be3a-acde48001122) - added a new Informational alert
    • An Azure Key Vault key was modified (02a05bd2-b742-11ed-8c2c-acde48001122) - added a new Informational alert
    • PIM privilege member removal (f26e97d2-b6c0-11ed-b9b6-acde48001122) - added a new Informational alert
    • An AWS RDS instance was created from a snapshot (caeaf466-b095-11ed-afef-acde48001122) - added a new Informational alert
    • An AWS EFS file-share was deleted (cb2df5b8-b095-11ed-9972-acde48001122) - added a new Informational alert
    • An Azure Suppression Rule was created (74914062-b742-11ed-8108-acde48001122) - added a new Informational alert
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - added a new Informational alert
    • An AWS EKS cluster was created or deleted (cb25ae8a-b095-11ed-b476-acde48001122) - added a new Informational alert
    • An AWS RDS master password was changed (cb462fb6-b095-11ed-adfd-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Service Account was modified or deleted (edc0393a-b741-11ed-8947-acde48001122) - added a new Informational alert
    • An identity disabled bucket logging (60b28a82-96ff-402b-a64d-f0dd043b5dd6) - added a new Informational alert
    • A Service Principal was removed from Azure (a9038750-b743-11ed-b5e9-acde48001122) - added a new Informational alert
    • Azure Key Vault Secrets were modified (d261af90-b744-11ed-b217-acde48001122) - added a new Informational alert
    • Granting Access to an Account (249d8988-b744-11ed-a9e8-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted (f2c9e2b4-b743-11ed-bec8-acde48001122) - added a new Informational alert
    • An Azure Container Registry was created or removed (5dd2d962-b742-11ed-9e0e-acde48001122) - added a new Informational alert
    • An AWS EFS File-share mount was deleted (cae12134-b095-11ed-bee2-acde48001122) - added a new Informational alert
    • An Azure Cloud Shell was Created (88376c0a-b741-11ed-ae05-acde48001122) - added a new Informational alert
    • An AWS SAML provider was modified (cb561ad4-b095-11ed-86c9-acde48001122) - added a new Informational alert
    • AWS STS temporary credentials were generated (cb2a08a4-b095-11ed-97cf-acde48001122) - added a new Informational alert
    • An AWS Route 53 domain was transferred to another AWS account (caf53a02-b095-11ed-86c3-acde48001122) - added a new Informational alert
    • An Azure virtual network was modified (b29d99a8-b744-11ed-ac5e-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Cluster was created or deleted (fb88f09c-b6c0-11ed-ae53-acde48001122) - added a new Informational alert
    • A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - added a new Informational alert
    • Globally uncommon IP address by a common process (sha256) (aff38296-6019-474c-9de0-c423eda168e1) - added a new Informational alert
    • An Azure Network Security Group was modified (72e1c8fa-b744-11ed-8a9d-acde48001122) - added a new Informational alert
    • An AWS GuardDuty IP set was created (cb03739c-b095-11ed-9211-acde48001122) - added a new Informational alert
  • Improved logic of 84 Informational Analytics BIOCs:
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOCs
    • A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - improved logic of an Informational Analytics BIOCs
    • Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOCs
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - improved logic of an Informational Analytics BIOCs
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOCs
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - improved logic of an Informational Analytics BIOCs
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - improved logic of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - improved logic of an Informational Analytics BIOCs
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - improved logic of an Informational Analytics BIOCs
    • Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - improved logic of an Informational Analytics BIOCs
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOCs
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - improved logic of an Informational Analytics BIOCs
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace identity used the security investigation tool (c1effd9b-2fde-4141-a894-f01b7fdaffd0) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOCs
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - improved logic of an Informational Analytics BIOCs
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOCs
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - improved logic of an Informational Analytics BIOCs
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOCs
    • Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - improved logic of an Informational Analytics BIOCs
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
    • Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - improved logic of an Informational Analytics BIOCs
    • SharePoint Site Collection admin group addition (78de7350-5ea3-4c19-9a0f-f15dc7732226) - improved logic of an Informational Analytics BIOCs
    • Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - improved logic of an Informational Analytics BIOCs
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOC
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOC
    • Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - improved logic of an Informational Analytics BIOC
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOC
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOC
    • Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - improved logic of an Informational Analytics BIOC
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - improved logic of an Informational Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOC
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - improved logic of an Informational Analytics BIOC
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOC
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - improved logic of an Informational Analytics BIOC
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOC
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - improved logic of an Informational Analytics BIOC
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOC
    • Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 15 Informational Analytics BIOCs:
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOC
    • Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOC
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOC
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOC
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOC
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOC
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOC
    • Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOC
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOC
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOC
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOC
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOC
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOC
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOC
  • Temporarily removed 5 Informational Analytics BIOCs for improvement:
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - temporarily removed an Informational alert for improvement
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - temporarily removed an Informational alert for improvement
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - temporarily removed an Informational alert for improvement
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - temporarily removed an Informational alert for improvement
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - temporarily removed an Informational alert for improvement
  • Decreased the severity to Informational for an Analytics Alert:
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - decreased the severity to Informational, and improved detection logic
  • Added a new Informational Analytics Alert:
    • Brute-force attempt on a local account (417dab31-55ab-4311-8ed7-29373fed752d) - added a new Informational alert
  • Improved logic of 34 Informational Analytics Alerts:
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alert
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alert
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alert
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alert
    • SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of an Informational Analytics Alert
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alert
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - improved logic of an Informational Analytics Alert
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alert
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alert
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alert
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alert
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alert
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alert
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alert
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alert
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - improved logic of an Informational Analytics Alert
    • A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - improved logic of an Informational Analytics Alert
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alert
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alert
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alert
    • Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alert
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alert
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alert
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alert
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alert
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alert
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alert
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alert
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alert
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alert
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alert
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alert
  • Temporarily removed 2 Informational Analytics Alerts for improvement:
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - temporarily removed an Informational alert for improvement
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - temporarily removed an Informational alert for improvement

December 27 2023 Release:

  • Changed metadata of a High Analytics BIOC:
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
  • Improved logic of 3 Medium Analytics BIOCs:
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 3 Medium Analytics BIOCs:
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOC
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOC
    • Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOC
  • Removed an old Medium Analytics BIOC:
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - removed an old Medium alert
  • Temporarily removed 2 Medium Analytics BIOCs for improvement:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - temporarily removed a Medium alert for improvement
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - temporarily removed a Medium alert for improvement
  • Improved logic of a Medium Analytics Alert:
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alert
  • Decreased the severity to Low for an Analytics BIOC:
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - decreased the severity to Low, and improved detection logic
  • Added a new Low Analytics BIOC:
    • Possible DLL Search Order Hijacking (e6c4d87b-4904-4154-b6d9-03fbb0bcdb97) - added a new Low alert
  • Improved logic of 16 Low Analytics BIOCs:
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - improved logic of a Low Analytics BIOC
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOC
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOC
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - improved logic of a Low Analytics BIOC
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - improved logic of a Low Analytics BIOC
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOC
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOC
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - improved logic of a Low Analytics BIOC
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOC
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOC
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOC
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - improved logic of a Low Analytics BIOC
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOC
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - improved logic of a Low Analytics BIOC
  • Changed metadata of 17 Low Analytics BIOCs:
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOC
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOC
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Low Analytics BIOC
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOC
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOC
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOC
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - changed metadata of a Low Analytics BIOC
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of a Low Analytics BIOC
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOC
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOC
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOC
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOC
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOC
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOC
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOC
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
  • Added a new Low Analytics Alert:
    • Multiple discovery commands on a Windows host by the same process (b930e097-ae70-4372-94a7-c4ae4e1bd6c6) - added a new Low alert
  • Improved logic of 9 Low Analytics Alerts:
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - improved logic of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - improved logic of a Low Analytics Alert
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alert
  • Changed metadata of 2 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alert
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - changed metadata of a Low Analytics Alert
  • Added 53 new Informational Analytics BIOCs:
    • An Azure DNS Zone was modified (964d4524-b743-11ed-9835-acde48001122) - added a new Informational alert
    • An Azure VPN Connection was modified (b6309f90-b6c0-11ed-b3e4-acde48001122) - added a new Informational alert
    • AWS STS temporary credentials were generated (cb2a08a4-b095-11ed-97cf-acde48001122) - added a new Informational alert
    • An AWS S3 bucket configuration was modified (cb35ca90-b095-11ed-aa36-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role or Cluster-Role was modified (b3def2e8-b743-11ed-9cec-acde48001122) - added a new Informational alert
    • An identity disabled bucket logging (60b28a82-96ff-402b-a64d-f0dd043b5dd6) - added a new Informational alert
    • An AWS Lambda Function was created (cada7046-b095-11ed-8064-acde48001122) - added a new Informational alert
    • An Email address was added to AWS SES (35757db4-c253-11ed-b745-acde48001122) - added a new Informational alert
    • An AWS RDS master password was changed (cb462fb6-b095-11ed-adfd-acde48001122) - added a new Informational alert
    • An Azure firewall rule group was modified (bedc4338-b6c0-11ed-ba3b-acde48001122) - added a new Informational alert
    • Removal of an Azure Owner from an Application or Service Principal (d7ee38c8-b741-11ed-a1f0-acde48001122) - added a new Informational alert
    • A user logged in from an abnormal country or ASN (b470fe41-351e-485f-a755-e0709b0e15ba) - added a new Informational alert
    • A Service Principal was removed from Azure (a9038750-b743-11ed-b5e9-acde48001122) - added a new Informational alert
    • An AWS GuardDuty IP set was created (cb03739c-b095-11ed-9211-acde48001122) - added a new Informational alert
    • Azure Kubernetes events were deleted (e31af74a-b741-11ed-b996-acde48001122) - added a new Informational alert
    • An AWS EFS file-share was deleted (cb2df5b8-b095-11ed-9972-acde48001122) - added a new Informational alert
    • An Azure virtual network Device was modified (6d9c8858-b741-11ed-b0e7-acde48001122) - added a new Informational alert
    • An Azure Key Vault key was modified (02a05bd2-b742-11ed-8c2c-acde48001122) - added a new Informational alert
    • An identity was granted permissions to manage user access to Azure resources (79046206-b743-11ed-9133-acde48001122) - added a new Informational alert
    • An Azure Key Vault was modified (94e3d9cc-b742-11ed-94cd-acde48001122) - added a new Informational alert
    • An AWS SES Email sending settings were modified (cb5a1bf4-b095-11ed-bf05-acde48001122) - added a new Informational alert
    • PIM privilege member removal (f26e97d2-b6c0-11ed-b9b6-acde48001122) - added a new Informational alert
    • An AWS EFS File-share mount was deleted (cae12134-b095-11ed-bee2-acde48001122) - added a new Informational alert
    • An Azure Point-to-Site VPN was modified (bf00d118-b743-11ed-bb97-acde48001122) - added a new Informational alert
    • Granting Access to an Account (249d8988-b744-11ed-a9e8-acde48001122) - added a new Informational alert
    • An identity accessed Azure Kubernetes Secrets (8965581e-b742-11ed-9c12-acde48001122) - added a new Informational alert
    • An AWS Route 53 domain was transferred to another AWS account (caf53a02-b095-11ed-86c3-acde48001122) - added a new Informational alert
    • An AWS ElastiCache security group was modified or deleted (cb631bb4-b095-11ed-ad10-acde48001122) - added a new Informational alert
    • Azure Key Vault Secrets were modified (d261af90-b744-11ed-b217-acde48001122) - added a new Informational alert
    • An Azure Suppression Rule was created (74914062-b742-11ed-8108-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Cluster was created or deleted (fb88f09c-b6c0-11ed-ae53-acde48001122) - added a new Informational alert
    • AWS SecurityHub findings were modified (cb4a260c-b095-11ed-bde9-acde48001122) - added a new Informational alert
    • Modification or Deletion of an Azure Application Gateway Detected (c96e5e48-b743-11ed-be3a-acde48001122) - added a new Informational alert
    • An AWS RDS instance was created from a snapshot (caeaf466-b095-11ed-afef-acde48001122) - added a new Informational alert
    • An AWS ElastiCache security group was created (d417b2b4-b091-11ed-9b28-acde48001122) - added a new Informational alert
    • An AWS SAML provider was modified (cb561ad4-b095-11ed-86c9-acde48001122) - added a new Informational alert
    • An AWS Lambda function was modified (cb2184e8-b095-11ed-bda0-acde48001122) - added a new Informational alert
    • An Azure Firewall was modified (7f431eb8-b742-11ed-96f7-acde48001122) - added a new Informational alert
    • A cloud identity created or modified a security group (21f3ef1f-fa37-41a3-9791-817e81b8c413) - added a new Informational alert
    • An AWS SES identity was deleted (caf89d0a-b095-11ed-8f65-acde48001122) - added a new Informational alert
    • Globally uncommon IP address by a common process (sha256) (aff38296-6019-474c-9de0-c423eda168e1) - added a new Informational alert
    • An Azure Container Registry was created or removed (5dd2d962-b742-11ed-9e0e-acde48001122) - added a new Informational alert
    • An Azure Network Security Group was modified (72e1c8fa-b744-11ed-8a9d-acde48001122) - added a new Informational alert
    • An uncommon file added to startup-related Registry keys (cfb4e6ce-8f82-4d76-b5ed-79ab8e68c571) - added a new Informational alert
    • A cloud identity invoked IAM related persistence operations (ae95a625-1740-4de3-abe1-3e884eef0dc3) - added a new Informational alert
    • An Azure virtual network was modified (b29d99a8-b744-11ed-ac5e-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Role-Binding or Cluster-Role-Binding was modified or deleted (f2c9e2b4-b743-11ed-bec8-acde48001122) - added a new Informational alert
    • A New Server was Added to an Azure Active Directory Hybrid Health ADFS Environment (0e24887e-b6c1-11ed-a5dc-acde48001122) - added a new Informational alert
    • An Azure Cloud Shell was Created (88376c0a-b741-11ed-ae05-acde48001122) - added a new Informational alert
    • An Azure Kubernetes Service Account was modified or deleted (edc0393a-b741-11ed-8947-acde48001122) - added a new Informational alert
    • An Azure Kubernetes network policy was modified (1952944c-b742-11ed-bd1c-acde48001122) - added a new Informational alert
    • An AWS EKS cluster was created or deleted (cb25ae8a-b095-11ed-b476-acde48001122) - added a new Informational alert
    • An Azure Firewall Rule Collection was modified (2dd88838-b742-11ed-96a1-acde48001122) - added a new Informational alert
  • Improved logic of 35 Informational Analytics BIOCs:
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOC
    • Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOC
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - improved logic of an Informational Analytics BIOC
    • Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - improved logic of an Informational Analytics BIOC
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - improved logic of an Informational Analytics BIOC
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - improved logic of an Informational Analytics BIOC
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - improved logic of an Informational Analytics BIOC
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOC
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - improved logic of an Informational Analytics BIOC
    • Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - improved logic of an Informational Analytics BIOC
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOC
    • Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - improved logic of an Informational Analytics BIOC
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOC
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOC
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOC
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - improved logic of an Informational Analytics BIOC
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOC
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - improved logic of an Informational Analytics BIOC
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOC
    • Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOC
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOC
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - improved logic of an Informational Analytics BIOC
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - improved logic of an Informational Analytics BIOC
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - improved logic of an Informational Analytics BIOC
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOC
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - improved logic of an Informational Analytics BIOC
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - improved logic of an Informational Analytics BIOC
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOC
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOC
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 18 Informational Analytics BIOCs:
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOC
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOC
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOC
    • Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOC
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOC
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOC
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOC
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOC
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOC
    • Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOC
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOC
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOC
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOC
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOC
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOC
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOC
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOC
  • Temporarily removed a Informational Analytics BIOCs for improvement:
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - temporarily removed Informational alert for improvement
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - temporarily removed Informational alert for improvement
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - temporarily removed Informational alert for improvement
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - temporarily removed Informational alert for improvement
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - temporarily removed Informational alert for improvement
  • Improved logic of 20 Informational Analytics Alerts:
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - improved logic of an Informational Analytics Alerts
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - improved logic of an Informational Analytics Alerts
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alerts
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - improved logic of an Informational Analytics Alerts
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - improved logic of an Informational Analytics Alerts
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alerts
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alerts
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alerts
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
  • Temporarily removed a Informational Analytics Alerts for improvement:
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - temporarily removed Informational alert for improvement
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - temporarily removed Informational alert for improvement

November 19 2023 Release:

  • Improved logic of a High Analytics BIOC:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
  • Removed an old Medium BIOC:
    • PHP script connecting to network (cb05480f-17d8-4138-9902-f0f9fb50b677) - removed an old Medium alert
  • Improved logic of a Medium Analytics BIOC:
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOC
  • Improved logic of 2 Low Analytics BIOCs:
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOC
  • Improved logic of 3 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alert
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert
  • Removed an old Informational BIOC:
    • Setgid on file (0826210d-ddd8-44e7-98fb-399083b15e97) - removed an old Informational alert
  • Added 2 new Informational Analytics BIOCs:
    • Globally uncommon high entropy module was loaded (29621cda-7dd0-4c92-9c1d-52124db38f62) - added a new Informational alert
    • Globally uncommon high entropy process was executed (0871da76-eb4a-429c-8f3e-cfa9fa83a221) - added a new Informational alert
  • Improved logic of 14 Informational Analytics BIOCs:
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOC
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOC
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOC
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOC
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOC
  • Improved logic of 6 Informational Analytics Alerts:
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alert
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alert
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alert
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alert
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alert
  • Changed metadata of an Informational Analytics Alert:
    • Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - changed metadata of an Informational Analytics Alert
  • Temporarily removed an Informational Analytics Alert for improvement:
    • Port Sweep (01c1f692-2652-4cfe-8817-b48b1b0efb95) - temporarily removed an Informational alert for improvement

November 08 2023 Release:

  • Removed an old High BIOC:
    • Mimikatz command-line arguments (94fed992-c1da-4b69-9caa-292221b8c070) - removed an old High alert
  • Added a new High Analytics BIOC:
    • Mimikatz command-line arguments (b869d46a-8723-4ae3-63a7-a5da6435d78e) - added a new High alert
  • Improved logic of a High Analytics BIOC:
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
  • Improved logic of a High Analytics Alert:
    • Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
  • Improved logic of 4 Medium Analytics BIOCs:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOC
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOC
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - improved logic of a Medium Analytics BIOC
  • Changed metadata of 2 Medium Analytics Alerts:
    • An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alert
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
  • Increased the severity to Low for an Analytics BIOC:
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - increased the severity to Low, and improved detection logic
  • Decreased the severity to Low for an Analytics BIOC:
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - decreased the severity to Low
  • Added 3 new Low Analytics BIOCs:
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - added a new Low alert
    • RDP connections enabled remotely via Registry (547fb017-ead4-8c05-f32e-77902bdd0f7a) - added a new Low alert
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - added a new Low alert
  • Improved logic of 9 Low Analytics BIOCs:
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Low Analytics BIOC
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - improved logic of a Low Analytics BIOC
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOC
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOC
    • A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOC
    • Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - improved logic of a Low Analytics BIOC
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOC
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOC
  • Changed metadata of 5 Low Analytics BIOCs:
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOC
    • Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOC
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - changed metadata of a Low Analytics BIOC
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOC
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOC
  • Improved logic of 6 Low Analytics Alerts:
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Low Analytics Alert
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alert
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alert
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alert
  • Changed metadata of 2 Low Analytics Alerts:
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alert
    • Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alert
  • Removed an old Informational BIOC:
    • Mimikatz command-line arguments (fa4867c0-bf95-4c44-b9e3-0460650b8e07) - removed an old Informational alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - decreased the severity to Informational, and improved detection logic
  • Added 5 new Informational Analytics BIOCs:
    • Cloud unusual access key creation (4aa215fb-e64d-4b00-9251-4d84774c27f3) - added a new Informational alert
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - added a new Informational alert
    • Cloud Unusual Instance Metadata Service (IMDS) access (82db653d-869c-4540-91d8-1c15c9ff7765) - added a new Informational alert
    • A user certificate was issued with a mismatch (4fa6566d-3d1f-446a-a877-6ee2d0d31645) - added a new Informational alert
    • Network sniffing detected in Cloud environment (932986f4-e765-40a5-9517-aa9ba5bf2e7a) - added a new Informational alert
  • Improved logic of 32 Informational Analytics BIOCs:
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOC
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOC
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - improved logic of an Informational Analytics BIOC
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - improved logic of an Informational Analytics BIOC
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOC
    • Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOC
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOC
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOC
    • Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOC
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOC
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOC
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOC
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOC
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOC
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - improved logic of an Informational Analytics BIOC
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - improved logic of an Informational Analytics BIOC
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - improved logic of an Informational Analytics BIOC
    • A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOC
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOC
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOC
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOC
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 4 Informational Analytics BIOCs:
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOC
    • Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - changed metadata of an Informational Analytics BIOC
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - changed metadata of an Informational Analytics BIOC
    • A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOC
  • Temporarily removed 2 Informational Analytics BIOCs for improvement:
    • Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - temporarily removed an Informational alert for improvement
    • Remote code execution into Kubernetes Pod (8d013538-6e98-48ed-a018-fcf19866f367) - temporarily removed an Informational alert for improvement
  • Added 2 new Informational Analytics Alerts:
    • A user logged on to multiple workstations via Schannel (a56e4555-5fbc-485b-85ec-2c25026525d6) - added a new Informational alert
    • External SaaS file-sharing activity (6de9aaee-6d74-4416-bc3c-891a6b290045) - added a new Informational alert
  • Improved logic of 14 Informational Analytics Alerts:
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alert
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alert
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of an Informational Analytics Alert
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alert
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alert
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alert
    • Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alert
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alert
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alert
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alert
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alert
  • Changed metadata of 4 Informational Analytics Alerts:
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alert
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - changed metadata of an Informational Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alert
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - changed metadata of an Informational Analytics Alert

October 05 2023 Release:

  • Improved logic of a Medium Analytics BIOC:
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - changed metadata of a Low Analytics BIOC
  • Removed 2 old Low Analytics BIOCs:
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - removed an old Low alert
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - removed an old Low alert
  • Improved logic of 7 Informational Analytics BIOCs:
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - improved logic of an Informational Analytics BIOC
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - improved logic of an Informational Analytics BIOC
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - improved logic of an Informational Analytics BIOC
    • Successful unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - improved logic of an Informational Analytics BIOC
    • Suspicious cloud compute instance ssh keys modification attempt (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of an Informational Analytics BIOC
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - improved logic of an Informational Analytics BIOC
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - improved logic of an Informational Analytics BIOC
  • Changed metadata of an Informational Analytics BIOC:
    • Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - changed metadata of an Informational Analytics BIOC
  • Added a new Informational Analytics Alert:
    • Port Sweep (01c1f692-2652-4cfe-8817-b48b1b0efb95) - added a new Informational alert
  • Improved logic of 2 Informational Analytics Alerts:
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alert

September 27 2023 Release:

  • Changed metadata of a Low Analytics BIOC:
    • Masquerading as the Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOC
  • Decreased the severity to Informational for 4 Analytics BIOCs:
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - decreased the severity to Informational
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - decreased the severity to Informational
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - decreased the severity to Informational
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - decreased the severity to Informational, and improved detection logic
  • Improved logic of 5 Informational Analytics BIOCs:
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - improved logic of an Informational Analytics BIOC
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOC
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOC
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOC
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - improved logic of an Informational Analytics BIOC
  • Temporarily removed an Informational Analytics BIOC for improvement:
    • LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - temporarily removed an Informational alert for improvement
  • Decreased the severity to Informational for 2 Analytics Alerts:
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - decreased the severity to Informational
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - decreased the severity to Informational
  • Added a new Informational Analytics Alert:
    • Massive upload to SaaS service (c2c9f59f-cce1-4ac1-8a35-bfd338a74f12) - added a new Informational alert
  • Improved logic of 4 Informational Analytics Alerts:
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - improved logic of an Informational Analytics Alert
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alert
    • Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alert
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - improved logic of an Informational Analytics Alert

September 13 2023 Release:

  • Increased the severity to Medium for 2 Analytics BIOCs:
    • A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - increased the severity to Medium
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - increased the severity to Medium, and improved detection logic
  • Changed metadata of 9 Low Analytics BIOCs:
    • Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOC
    • Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOC
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOC
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOC
    • Masquerading as the Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOC
    • Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOC
    • Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOC
    • An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOC
    • Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOC
  • Added a new Low Analytics Alert:
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - added a new Low alert
  • Changed metadata of a Low Analytics Alert:
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - changed metadata of a Low Analytics Alert
  • Added a new Informational Analytics BIOC:
    • Suspicious container runtime connection from within a Kubernetes Pod (b233c447-3312-429a-ab01-3a607104bb3a) - added a new Informational alert
  • Changed metadata of 11 Informational Analytics BIOCs:
    • Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOC
    • Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOC
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - changed metadata of an Informational Analytics BIOC
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOC
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOC
    • Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOC
    • Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOC
    • A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOC
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOC
    • Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOC
    • Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - changed metadata of an Informational Analytics BIOC
  • Improved logic of 2 Informational Analytics Alerts:
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - improved logic of an Informational Analytics Alert
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - improved logic of an Informational Analytics Alert

September 06 2023 Release:

  • Improved logic of a High Analytics BIOC:
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOC
  • Changed metadata of a High Analytics BIOC:
    • Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of a High Analytics BIOC
  • Added a new Medium Analytics BIOC:
    • A mail forwarding rule was configured in Google Workspace (227ff69a-14aa-4c40-a328-a846c73b1d07) - added a new Medium alert
  • Improved logic of 2 Medium Analytics BIOCs:
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - improved logic of a Medium Analytics BIOC
  • Changed metadata of a Medium Analytics BIOC:
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC
  • Improved logic of a Medium Analytics Alert:
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Increased the severity to Low for an Analytics BIOC:
    • Scheduled Task hidden by registry modification (21dabd4a-1e37-4753-a8ed-be6a7e947f40) - increased the severity to Low
  • Added 2 new Low Analytics BIOCs:
    • Unusual cross projects activity (f0b7d81f-5518-4295-a081-e19b21c4b474) - added a new Low alert
    • Suspicious module load using direct syscall (ba102d14-9115-405a-aca6-5bda549f5247) - added a new Low alert
  • Improved logic of 12 Low Analytics BIOCs:
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOC
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOC
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - improved logic of a Low Analytics BIOC
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Low Analytics BIOC
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOC
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOC
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOC
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of a Low Analytics BIOC
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOC
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOC
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOC
  • Changed metadata of a Low Analytics BIOC:
    • Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOC
  • Improved logic of 2 Low Analytics Alerts:
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - decreased the severity to Informational, and improved detection logic
  • Added a new Informational Analytics BIOC:
    • An operation was performed by an identity from a domain that was not seen in the organization (16d5b9bf-3bb9-47d9-b2bd-3e2477b1a554) - added a new Informational alert
  • Improved logic of 18 Informational Analytics BIOCs:
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - improved logic of an Informational Analytics BIOC
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - improved logic of an Informational Analytics BIOC
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOC
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOC
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOC
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOC
    • LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - improved logic of an Informational Analytics BIOC
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOC
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOC
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOC
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOC
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - improved logic of an Informational Analytics BIOC
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOC
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOC
    • An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOC
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - improved logic of an Informational Analytics BIOC
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 4 Informational Analytics BIOCs:
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOC
    • Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOC
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOC
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOC
  • Removed an old Informational Analytics BIOC:
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - removed an old Informational alert
  • Added a new Informational Analytics Alert:
    • Massive file downloads from SaaS service (a8769aef-2be1-4869-bec0-39bbb65ca8b6) - added a new Informational alert
  • Improved logic of 2 Informational Analytics Alerts:
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alert
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alert

August 28 2023 Release:

  • Changed metadata of 21 High Analytics BIOCs:
    • Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - changed metadata of a High Analytics BIOC
    • Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - changed metadata of a High Analytics BIOC
    • Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - changed metadata of a High Analytics BIOC
    • Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - changed metadata of a High Analytics BIOC
    • Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - changed metadata of a High Analytics BIOC
    • Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - changed metadata of a High Analytics BIOC
    • PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - changed metadata of a High Analytics BIOC
    • Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - changed metadata of a High Analytics BIOC
    • Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - changed metadata of a High Analytics BIOC
    • Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - changed metadata of a High Analytics BIOC
    • Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - changed metadata of a High Analytics BIOC
    • A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - changed metadata of a High Analytics BIOC
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - changed metadata of a High Analytics BIOC
    • Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - changed metadata of a High Analytics BIOC
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - changed metadata of a High Analytics BIOC
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - changed metadata of a High Analytics BIOC
    • Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - changed metadata of a High Analytics BIOC
    • Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOC
    • Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - changed metadata of a High Analytics BIOC
    • Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - changed metadata of a High Analytics BIOC
    • Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - changed metadata of a High Analytics BIOC
  • Changed metadata of 2 High Analytics Alerts:
    • Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - changed metadata of a High Analytics Alert
    • Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
  • Changed metadata of 84 Medium Analytics BIOCs:
    • Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOC
    • Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - changed metadata of a Medium Analytics BIOC
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - changed metadata of a Medium Analytics BIOC
    • MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOC
    • Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - changed metadata of a Medium Analytics BIOC
    • Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOC
    • Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - changed metadata of a Medium Analytics BIOC
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - changed metadata of a Medium Analytics BIOC
    • RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - changed metadata of a Medium Analytics BIOC
    • TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - changed metadata of a Medium Analytics BIOC
    • Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - changed metadata of a Medium Analytics BIOC
    • LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOC
    • Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOC
    • Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - changed metadata of a Medium Analytics BIOC
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - changed metadata of a Medium Analytics BIOC
    • Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - changed metadata of a Medium Analytics BIOC
    • Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOC
    • Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOC
    • Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOC
    • Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOC
    • Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOC
    • Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - changed metadata of a Medium Analytics BIOC
    • Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - changed metadata of a Medium Analytics BIOC
    • Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOC
    • Azure AD PIM alert disabled (8d5ce951-909b-44e7-aca6-1c8203f95c35) - changed metadata of a Medium Analytics BIOC
    • Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOC
    • Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOC
    • Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - changed metadata of a Medium Analytics BIOC
    • A process was executed with a command line obfuscated by Unicode character substitution (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - changed metadata of a Medium Analytics BIOC
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - changed metadata of a Medium Analytics BIOC
    • Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - changed metadata of a Medium Analytics BIOC
    • A contained executable was executed by an unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - changed metadata of a Medium Analytics BIOC
    • Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - changed metadata of a Medium Analytics BIOC
    • A suspicious executable with multiple file extensions was created (8a80d179-6ce0-4d38-8087-287b18ed5f27) - changed metadata of a Medium Analytics BIOC
    • Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - changed metadata of a Medium Analytics BIOC
    • Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOC
    • Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOC
    • Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - changed metadata of a Medium Analytics BIOC
    • Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - changed metadata of a Medium Analytics BIOC
    • A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - changed metadata of a Medium Analytics BIOC
    • Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - changed metadata of a Medium Analytics BIOC
    • Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - changed metadata of a Medium Analytics BIOC
    • Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Possible Cloud Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOC
    • Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - changed metadata of a Medium Analytics BIOC
    • Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - changed metadata of a Medium Analytics BIOC
    • The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - changed metadata of a Medium Analytics BIOC
    • Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOC
    • Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - changed metadata of a Medium Analytics BIOC
    • Possible collection of screen captures with Windows Problem Steps Recorder (28f11a20-9611-4099-8c05-f6437a5ea9d5) - changed metadata of a Medium Analytics BIOC
    • Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - changed metadata of a Medium Analytics BIOC
    • Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOC
    • Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOC
    • Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOC
    • Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOC
    • Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - changed metadata of a Medium Analytics BIOC
    • Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOC
    • Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - changed metadata of a Medium Analytics BIOC
    • Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Medium Analytics BIOC
    • PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - changed metadata of a Medium Analytics BIOC
    • TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - changed metadata of a Medium Analytics BIOC
    • Kubernetes vulnerability scanner activity by API server logs (f4bc86e7-9189-4048-ac0d-702311d3d7e0) - changed metadata of a Medium Analytics BIOC
    • Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - changed metadata of a Medium Analytics BIOC
    • Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - changed metadata of a Medium Analytics BIOC
    • Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - changed metadata of a Medium Analytics BIOC
    • Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - changed metadata of a Medium Analytics BIOC
    • Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - changed metadata of a Medium Analytics BIOC
    • A Kubernetes API operation was successfully invoked by an anonymous user (06b8178f-a6a3-4c23-999c-5539a728abf5) - changed metadata of a Medium Analytics BIOC
    • Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - changed metadata of a Medium Analytics BIOC
    • PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - changed metadata of a Medium Analytics BIOC
    • A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOC
    • Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - changed metadata of a Medium Analytics BIOC
    • A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - changed metadata of a Medium Analytics BIOC
    • Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - changed metadata of a Medium Analytics BIOC
    • Windows LOLBIN executable connected to a rare external host (86889630-e953-11e9-b74e-8c8590c9ccd1) - changed metadata of a Medium Analytics BIOC
    • Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - changed metadata of a Medium Analytics BIOC
    • Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOC
    • Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOC
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOC
    • Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOC
  • Changed metadata of 10 Medium Analytics Alerts:
    • New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alert
    • Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - changed metadata of a Medium Analytics Alert
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alert
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - changed metadata of a Medium Analytics Alert
    • A new machine attempted Kerberos delegation (0f9a92bd-916c-40ad-80a9-58c2adaaa946) - changed metadata of a Medium Analytics Alert
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alert
    • Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - changed metadata of a Medium Analytics Alert
    • An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alert
    • A contained process attempted to escape using the 'notify on release' feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - changed metadata of a Medium Analytics Alert
  • Increased the severity to Low for an Analytics BIOC:
    • Unusual Azure AD sync module load (512ac45c-fd8c-4110-834b-1cfe578aaafb) - increased the severity to Low, and improved detection logic
  • Improved logic of 3 Low Analytics BIOCs:
    • Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - improved logic of a Low Analytics BIOC
    • Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOC
    • Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOC
  • Changed metadata of 166 Low Analytics BIOCs:
    • Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - changed metadata of a Low Analytics BIOC
    • A Possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - changed metadata of a Low Analytics BIOC
    • Exchange malware filter policy removed (664b4bc9-aeba-43b7-b657-92a6ab3cd4c6) - changed metadata of a Low Analytics BIOC
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - changed metadata of a Low Analytics BIOC
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - changed metadata of a Low Analytics BIOC
    • Conditional Access policy removed (f667c079-ed9c-4ee1-a604-964440c92051) - changed metadata of a Low Analytics BIOC
    • SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - changed metadata of a Low Analytics BIOC
    • Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - changed metadata of a Low Analytics BIOC
    • Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - changed metadata of a Low Analytics BIOC
    • Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOC
    • Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - changed metadata of a Low Analytics BIOC
    • Remote usage of an Azure Managed Identity token (53b6fbfd-b344-4e76-95e1-b97f41a0a7fc) - changed metadata of a Low Analytics BIOC
    • MFA was disabled for an Azure identity (2f62698c-13e4-11ed-9d12-acde48001122) - changed metadata of a Low Analytics BIOC
    • Exchange mailbox audit bypass (d75ef860-59d4-43bd-ad3e-663edd42b7d2) - changed metadata of a Low Analytics BIOC
    • A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - changed metadata of a Low Analytics BIOC
    • Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - changed metadata of a Low Analytics BIOC
    • Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - changed metadata of a Low Analytics BIOC
    • Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOC
    • VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - changed metadata of a Low Analytics BIOC
    • Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - changed metadata of a Low Analytics BIOC
    • Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOC
    • SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - changed metadata of a Low Analytics BIOC
    • Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOC
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - changed metadata of a Low Analytics BIOC
    • Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - changed metadata of a Low Analytics BIOC
    • Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - changed metadata of a Low Analytics BIOC
    • Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - changed metadata of a Low Analytics BIOC
    • Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - changed metadata of a Low Analytics BIOC
    • Uncommon access to Microsoft Teams credential files (1bb7c565-fa59-4fd8-b779-7f32ad96caad) - changed metadata of a Low Analytics BIOC
    • LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - changed metadata of a Low Analytics BIOC
    • MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - changed metadata of a Low Analytics BIOC
    • System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - changed metadata of a Low Analytics BIOC
    • Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - changed metadata of a Low Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Low Analytics BIOC
    • LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - changed metadata of a Low Analytics BIOC
    • SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - changed metadata of a Low Analytics BIOC
    • Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOC
    • Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOC
    • Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - changed metadata of a Low Analytics BIOC
    • Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOC
    • Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - changed metadata of a Low Analytics BIOC
    • Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOC
    • Suspicious modification of the AdminSDHolder's ACL (e0db7194-3131-4f0c-9591-7f28ac59669a) - changed metadata of a Low Analytics BIOC
    • Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - changed metadata of a Low Analytics BIOC
    • Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOC
    • Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - changed metadata of a Low Analytics BIOC
    • Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOC
    • AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOC
    • First Azure AD PowerShell operation for a user (04db68a0-bfda-47dc-b2ff-0f8d2d700eee) - changed metadata of a Low Analytics BIOC
    • Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOC
    • Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs
    • Uncommon AT task-job creation by user (082e4d29-7037-47d0-b83f-a0226016139c) - changed metadata of a Low Analytics BIOCs
    • Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - changed metadata of a Low Analytics BIOCs
    • SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Exchange DKIM signing configuration disabled (7b779bf4-d488-47d0-ae35-cf380881b7d7) - changed metadata of a Low Analytics BIOCs
    • An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs
    • Suspicious authentication with Azure Password Hash Sync user (6476d55b-8e1f-4ffb-80da-4ccc6cf42514) - changed metadata of a Low Analytics BIOCs
    • An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs
    • Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Exchange Safe Link policy disabled or removed (02b65466-c898-4713-b473-01268db8dbb7) - changed metadata of a Low Analytics BIOCs
    • Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - changed metadata of a Low Analytics BIOCs
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs
    • Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs
    • A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - changed metadata of a Low Analytics BIOCs
    • A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - changed metadata of a Low Analytics BIOCs
    • Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - changed metadata of a Low Analytics BIOCs
    • Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - changed metadata of a Low Analytics BIOCs
    • Unusual Kubernetes API server communication from a pod (ffa2e838-57be-4d1d-ae93-aa17fb738c37) - changed metadata of a Low Analytics BIOCs
    • Billing admin role was removed (2a6e6c44-40cf-47c1-8276-67dea08eb4c6) - changed metadata of a Low Analytics BIOCs
    • Stored credentials exported using credwiz.exe (97f50040-5670-43b3-9afc-1d0e5b1a76bb) - changed metadata of a Low Analytics BIOCs
    • Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - changed metadata of a Low Analytics BIOCs
    • Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Remote usage of an Azure Service Principal token (36416ab4-ed7a-4dbd-9d52-43e561807913) - changed metadata of a Low Analytics BIOCs
    • Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - changed metadata of a Low Analytics BIOCs
    • Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - changed metadata of a Low Analytics BIOCs
    • Suspicious local user account creation (bd6c9838-7c40-11ec-81ea-acde48001122) - changed metadata of a Low Analytics BIOCs
    • AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs
    • Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - changed metadata of a Low Analytics BIOCs
    • Suspicious Azure AD interactive sign-in using PowerShell (a032b382-1446-4b98-98be-647998824e3a) - changed metadata of a Low Analytics BIOCs
    • Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - changed metadata of a Low Analytics BIOCs
    • Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - changed metadata of a Low Analytics BIOCs
    • Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs
    • Download a script using the python requests module (73619608-e776-4837-98dd-1ac6339ce4d5) - changed metadata of a Low Analytics BIOCs
    • Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOCs
    • GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs
    • Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - changed metadata of a Low Analytics BIOCs
    • Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - changed metadata of a Low Analytics BIOCs
    • Unusual Kubernetes dashboard communication from a pod (545d7ae0-f862-4f06-8ec0-ec043afd81a1) - changed metadata of a Low Analytics BIOCs
    • AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - changed metadata of a Low Analytics BIOCs
    • Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - changed metadata of a Low Analytics BIOCs
    • Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Possible Microsoft DLL Hijack into a Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - changed metadata of a Low Analytics BIOCs
    • New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - changed metadata of a Low Analytics BIOCs
    • Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs
    • Compressing data using python (1a8bbf16-65ad-46de-86aa-0091f0e529a1) - changed metadata of a Low Analytics BIOCs
    • Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - changed metadata of a Low Analytics BIOCs
    • Uncommon msiexec execution of an arbitrary file from a remote location (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs
    • Exchange audit log disabled (f442cd78-9303-4745-b5af-63677e9a1cbb) - changed metadata of a Low Analytics BIOCs
    • Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - changed metadata of a Low Analytics BIOCs
    • Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - changed metadata of a Low Analytics BIOCs
    • Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - changed metadata of a Low Analytics BIOCs
    • Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs
    • Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs
    • Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs
    • Suspicious Print System Remote Protocol usage by a process (f9d3b9e8-68f0-4510-bc01-895fd1e45256) - changed metadata of a Low Analytics BIOCs
    • Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - changed metadata of a Low Analytics BIOCs
    • An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - changed metadata of a Low Analytics BIOCs
    • Azure domain federation settings modification attempt (0dff4bd1-0db3-44dc-a42d-aa473b96e841) - changed metadata of a Low Analytics BIOCs
    • SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - changed metadata of a Low Analytics BIOCs
    • Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - changed metadata of a Low Analytics BIOCs
    • Exchange Safe Attachment policy disabled or removed (fa5ffb2b-9259-4091-a36a-3960433051d5) - changed metadata of a Low Analytics BIOCs
    • Azure account deletion by a non-standard account (b3cffc99-7a38-4e6f-a2ad-19a3325c38b3) - changed metadata of a Low Analytics BIOCs
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - changed metadata of a Low Analytics BIOCs
    • Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs
    • Exchange anti-phish policy disabled or removed (253c6332-24f3-4ad4-a8d6-e6e94b4e0beb) - changed metadata of a Low Analytics BIOCs
    • Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - changed metadata of a Low Analytics BIOCs
    • Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs
    • A compute-attached identity executed API calls outside the instance's region (586f270d-8423-402f-98c1-b136cf45309c) - changed metadata of a Low Analytics BIOCs
    • Azure Temporary Access Pass (TAP) registered to an account (91368e38-b8af-43a4-bc84-3f9f4ad5acff) - changed metadata of a Low Analytics BIOCs
    • WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - changed metadata of a Low Analytics BIOCs
    • Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - changed metadata of a Low Analytics BIOCs
    • A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - changed metadata of a Low Analytics BIOCs
    • Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - changed metadata of a Low Analytics BIOCs
    • Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - changed metadata of a Low Analytics BIOCs
    • SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - changed metadata of a Low Analytics BIOCs
    • Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - changed metadata of a Low Analytics BIOCs
    • Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - changed metadata of a Low Analytics BIOCs
    • Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
    • Suspicious ICMP packet (f3389ebd-c09d-412d-b507-fb0d4f692130) - changed metadata of a Low Analytics BIOCs
    • Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - changed metadata of a Low Analytics BIOCs
    • Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs
    • Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - changed metadata of a Low Analytics BIOCs
    • MFA Disabled for Google Workspace (19da4854-b14c-11ed-89c4-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - changed metadata of a Low Analytics BIOCs
    • Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - changed metadata of a Low Analytics BIOCs
    • PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - changed metadata of a Low Analytics BIOCs
    • Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - changed metadata of a Low Analytics BIOCs
    • A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - changed metadata of a Low Analytics BIOCs
    • Attempt to execute a command on a remote host using PsExec.exe (ddf3b8d9-53e0-8410-c76a-d2e6b5203438) - changed metadata of a Low Analytics BIOCs
    • Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - changed metadata of a Low Analytics BIOCs
    • Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - changed metadata of a Low Analytics BIOCs
    • Azure account creation by a non-standard account (086811a7-0ea3-408b-901e-bead11677458) - changed metadata of a Low Analytics BIOCs
    • Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - changed metadata of a Low Analytics BIOCs
    • Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - changed metadata of a Low Analytics BIOCs
    • Copy a user's GnuPG directory with rsync (759d73fc-246b-4d3a-bd34-027174dfb9fc) - changed metadata of a Low Analytics BIOCs
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - changed metadata of a Low Analytics BIOCs
    • AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs
    • Azure AD PIM role settings change (65c6e962-2fe1-41f8-bc7f-12452f2d4831) - changed metadata of a Low Analytics BIOCs
    • Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs
    • Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOCs
  • Changed metadata of 41 Low Analytics Alerts:
    • Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - changed metadata of a Low Analytics Alerts
    • An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Low Analytics Alerts
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
    • Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - changed metadata of a Low Analytics Alerts
    • A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - changed metadata of a Low Analytics Alerts
    • Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Low Analytics Alerts
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
    • Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - changed metadata of a Low Analytics Alerts
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - changed metadata of a Low Analytics Alerts
    • Multiple Azure AD admin role removals (fea22348-d47e-4b5f-9896-6ab8e34d00a1) - changed metadata of a Low Analytics Alerts
    • Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts
    • A user sent multiple TGT requests to irregular service (db06b54f-a4ba-411c-802a-6d60b65b2c28) - changed metadata of a Low Analytics Alerts
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts
    • Allocation of compute resources in multiple regions (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Low Analytics Alerts
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - changed metadata of a Low Analytics Alerts
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alerts
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - changed metadata of a Low Analytics Alerts
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alerts
    • Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
    • Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - changed metadata of a Low Analytics Alerts
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alerts
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - changed metadata of a Low Analytics Alerts
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alerts
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - changed metadata of a Low Analytics Alerts
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - changed metadata of a Low Analytics Alerts
    • New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - changed metadata of a Low Analytics Alerts
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - changed metadata of a Low Analytics Alerts
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
    • Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - changed metadata of a Low Analytics Alerts
    • Rare LDAP enumeration (fcb12ef3-ac18-40c0-947c-c2891c6ecaf7) - changed metadata of a Low Analytics Alerts
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alerts
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alerts
    • Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
    • Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - changed metadata of a Low Analytics Alerts
    • TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - changed metadata of a Low Analytics Alerts
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - changed metadata of a Low Analytics Alerts
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - changed metadata of a Low Analytics Alerts
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - changed metadata of a Low Analytics Alerts
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - changed metadata of a Low Analytics Alerts
  • Added a new Informational Analytics BIOC:
    • Globally uncommon process execution from a signed process (ecdeba47-5d0e-4cf8-8fde-7773f2c8c778) - added a new Informational alert
  • Improved logic of 10 Informational Analytics BIOCs:
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon IP address connection from a signed process (118dc3a3-e2b2-44d4-af74-b77cf095c6a9) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - improved logic of an Informational Analytics BIOCs
    • A cloud snapshot was created or modified (a41624fc-22e0-11ed-acc2-00155d825142) - improved logic of an Informational Analytics BIOCs
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
    • Globally uncommon image load from a signed process (b5bf287d-a780-4258-a642-9e473aef709b) - improved logic of an Informational Analytics BIOCs
    • Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - improved logic of an Informational Analytics BIOCs
  • Changed metadata of 269 Informational Analytics BIOCs:
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - changed metadata of an Informational Analytics BIOCs
    • GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs
    • Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs
    • A user logged in at an unusual time via SSO (b5c0c3d7-a702-4cd5-9d75-31dbe4b00ee9) - changed metadata of an Informational Analytics BIOCs
    • Creation or modification of the default command executed when opening an application (cd392d6e-e448-46d6-8af3-d2e8a6d79e71) - changed metadata of an Informational Analytics BIOCs
    • Unusual cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs
    • Exchange email-hiding inbox rule (f339930e-ef11-4a4c-81dd-23503b05b0bf) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity performed an unusual admin console activity (1ef69c3e-56d5-41c5-843b-ebfe1160e661) - changed metadata of an Informational Analytics BIOCs
    • AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs
    • Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - changed metadata of an Informational Analytics BIOCs
    • Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs
    • Cloud impersonation attempt by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs
    • A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - changed metadata of an Informational Analytics BIOCs
    • Unverified domain added to Azure AD (030963fb-eb31-4cf7-ab0a-4e9681dda8a8) - changed metadata of an Informational Analytics BIOCs
    • A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs
    • GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs
    • Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs
    • Penetration testing tool activity attempt (a3b75d38-fbc6-47ab-b59b-d6d2298c1e90) - changed metadata of an Informational Analytics BIOCs
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - changed metadata of an Informational Analytics BIOCs
    • LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - changed metadata of an Informational Analytics BIOCs
    • Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - changed metadata of an Informational Analytics BIOCs
    • A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - changed metadata of an Informational Analytics BIOCs
    • Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - changed metadata of an Informational Analytics BIOCs
    • Uncommon communication to an instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - changed metadata of an Informational Analytics BIOCs
    • Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - changed metadata of an Informational Analytics BIOCs
    • SharePoint Site Collection admin group addition (78de7350-5ea3-4c19-9a0f-f15dc7732226) - changed metadata of an Informational Analytics BIOCs
    • Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs
    • Gmail routing settings changed (393eae6b-0394-4a2f-bf46-ae4efbd0c94b) - changed metadata of an Informational Analytics BIOCs
    • Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - changed metadata of an Informational Analytics BIOCs
    • GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs
    • Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - changed metadata of an Informational Analytics BIOCs
    • Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
    • Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - changed metadata of an Informational Analytics BIOCs
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - changed metadata of an Informational Analytics BIOCs
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - changed metadata of an Informational Analytics BIOCs
    • Exchange mailbox folder permission modification (1568735a-c4a6-4ed4-b7dc-bd70accca4ca) - changed metadata of an Informational Analytics BIOCs
    • Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process execution in a privileged container (b87fb2e8-4904-4d30-9125-d12d87fb3d17) - changed metadata of an Informational Analytics BIOCs
    • Injection into rundll32.exe (d3d7a57f-de5f-76f5-2d39-9fa48b1d51ad) - changed metadata of an Informational Analytics BIOCs
    • An app was added to the Google Workspace trusted OAuth apps list (08c9e433-70c6-4fd4-b15f-d6df8c296df9) - changed metadata of an Informational Analytics BIOCs
    • Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity used the security investigation tool (c1effd9b-2fde-4141-a894-f01b7fdaffd0) - changed metadata of an Informational Analytics BIOCs
    • Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - changed metadata of an Informational Analytics BIOCs
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs
    • Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs
    • A user logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - changed metadata of an Informational Analytics BIOCs
    • A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - changed metadata of an Informational Analytics BIOCs
    • Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - changed metadata of an Informational Analytics BIOCs
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs
    • Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - changed metadata of an Informational Analytics BIOCs
    • Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs
    • Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - changed metadata of an Informational Analytics BIOCs
    • Unusual access to the Windows Internal Database on an ADFS server (4e37d789-4249-4dc1-b390-57216ee663c8) - changed metadata of an Informational Analytics BIOCs
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - changed metadata of an Informational Analytics BIOCs
    • Owner added to Azure application (ec5ede9b-e3b9-4963-8b04-711c0683a9e9) - changed metadata of an Informational Analytics BIOCs
    • PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - changed metadata of an Informational Analytics BIOCs
    • Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs
    • Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - changed metadata of an Informational Analytics BIOCs
    • Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - changed metadata of an Informational Analytics BIOCs
    • Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - changed metadata of an Informational Analytics BIOCs
    • An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs
    • Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • A user logged in at an unusual time via VPN (85baec39-fafd-4bc9-b360-e20fb417721c) - changed metadata of an Informational Analytics BIOCs
    • Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - changed metadata of an Informational Analytics BIOCs
    • A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - changed metadata of an Informational Analytics BIOCs
    • Unusual resource modification by newly seen IAM user (37eb241a-d1b5-4bba-b65e-002863c99365) - changed metadata of an Informational Analytics BIOCs
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - changed metadata of an Informational Analytics BIOCs
    • Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - changed metadata of an Informational Analytics BIOCs
    • Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - changed metadata of an Informational Analytics BIOCs
    • An app was removed from a blocked list in Google Workspace (a9c4d138-9e87-4c64-adce-f6d7d5d8d2ca) - changed metadata of an Informational Analytics BIOCs
    • Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - changed metadata of an Informational Analytics BIOCs
    • Azure service principal assigned app role (c74b7c0c-6fc6-485a-973b-768701841f2f) - changed metadata of an Informational Analytics BIOCs
    • Data Sharing between GCP and Google Workspace was disabled (c7d34ca5-e63f-4179-ba6a-2a1076cad540) - changed metadata of an Informational Analytics BIOCs
    • Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace user was removed from a group (f823ba17-7104-477d-8cb0-4e4bb591b916) - changed metadata of an Informational Analytics BIOCs
    • Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - changed metadata of an Informational Analytics BIOCs
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of an Informational Analytics BIOCs
    • S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs
    • Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - changed metadata of an Informational Analytics BIOCs
    • A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs
    • Azure AD PIM elevation request (c2d1d670-fe63-4676-8bdb-f147d6823d48) - changed metadata of an Informational Analytics BIOCs
    • Device Registration Policy modification (9894abc5-7d4c-4ee5-9840-3614a05cd409) - changed metadata of an Informational Analytics BIOCs
    • Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs
    • Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of an Informational Analytics BIOCs
    • VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - changed metadata of an Informational Analytics BIOCs
    • SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - changed metadata of an Informational Analytics BIOCs
    • Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Remote code execution into Kubernetes Pod (8d013538-6e98-48ed-a018-fcf19866f367) - changed metadata of an Informational Analytics BIOCs
    • Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs
    • Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOCs
    • Kubernetes nsenter container escape (ded945bf-4c89-4051-8f47-d6126daef9df) - changed metadata of an Informational Analytics BIOCs
    • User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs
    • LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - changed metadata of an Informational Analytics BIOCs
    • A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs
    • Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs
    • AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
    • VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - changed metadata of an Informational Analytics BIOCs
    • Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - changed metadata of an Informational Analytics BIOCs
    • Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - changed metadata of an Informational Analytics BIOCs
    • Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - changed metadata of an Informational Analytics BIOCs
    • Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - changed metadata of an Informational Analytics BIOCs
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOCs
    • GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOCs
    • AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs
    • An identity attached an administrative policy to an IAM user (a0aa6d99-ab79-41f0-9c3b-e23ffee74e39) - changed metadata of an Informational Analytics BIOCs
    • AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs
    • Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - changed metadata of an Informational Analytics BIOCs
    • Azure application consent (16fc6d88-d6c7-4c90-9c31-f6d0598330d3) - changed metadata of an Informational Analytics BIOCs
    • New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - changed metadata of an Informational Analytics BIOCs
    • AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Kubernetes secret enumeration activity (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - changed metadata of an Informational Analytics BIOCs
    • Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
    • SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - changed metadata of an Informational Analytics BIOCs
    • A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Unusual resource modification/creation (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of an Informational Analytics BIOCs
    • A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - changed metadata of an Informational Analytics BIOCs
    • A cloud storage configuration was modified (2443ff34-fbdb-4281-9502-f1b1a33ccb3c4) - changed metadata of an Informational Analytics BIOCs
    • VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - changed metadata of an Informational Analytics BIOCs
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOCs
    • Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs
    • IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs
    • GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs
    • A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - changed metadata of an Informational Analytics BIOCs
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOCs
    • Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - changed metadata of an Informational Analytics BIOCs
    • Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs
    • A third-party application was authorized to access the Google Workspace APIs (05a883e6-b14c-11ed-b038-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A third-party application's access to the Google Workspace domain's resources was revoked (01bb79b4-b14c-11ed-b01a-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - changed metadata of an Informational Analytics BIOCs
    • GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs
    • Azure application URI modification (d87daf12-2d28-4b26-a971-1e928ac77132) - changed metadata of an Informational Analytics BIOCs
    • A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - changed metadata of an Informational Analytics BIOCs
    • Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs
    • Possible use of IPFS was detected (6089c9b0-1842-4641-adc4-64165886ae19) - changed metadata of an Informational Analytics BIOCs
    • Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs
    • An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - changed metadata of an Informational Analytics BIOCs
    • AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs
    • Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - changed metadata of an Informational Analytics BIOCs
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - changed metadata of an Informational Analytics BIOCs
    • System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - changed metadata of an Informational Analytics BIOCs
    • A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - changed metadata of an Informational Analytics BIOCs
    • PsExec was executed with a suspicious command line (a3a029c0-dbb8-10d2-9109-8cc458cf1e6e) - changed metadata of an Informational Analytics BIOCs
    • GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs
    • Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - changed metadata of an Informational Analytics BIOCs
    • Unusual Kubernetes service account file read (a525eff8-3990-4b8e-b763-7e9c8f88737d) - changed metadata of an Informational Analytics BIOCs
    • Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
    • Gmail delegation was turned on for the organization (ed3841f0-49f2-4994-94f8-77b7217983d8) - changed metadata of an Informational Analytics BIOCs
    • Azure application credentials added (01fb5f62-401e-4745-9bed-a5ec5a1e230b) - changed metadata of an Informational Analytics BIOCs
    • An identity created or updated password for an IAM user (a9bf8f7d-8d01-40b6-b1fc-a6126e9e7656) - changed metadata of an Informational Analytics BIOCs
    • Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs
    • Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs
    • A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Google Workspace organizational unit was modified (0c085dd2-ea10-4537-bbea-44ceb57bf29a) - changed metadata of an Informational Analytics BIOCs
    • Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - changed metadata of an Informational Analytics BIOCs
    • GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs
    • An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - changed metadata of an Informational Analytics BIOCs
    • GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs
    • User discovery via WMI query execution (d60b2b53-4d04-4b9a-b51b-9f7ce490c931) - changed metadata of an Informational Analytics BIOCs
    • AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs
    • EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - changed metadata of an Informational Analytics BIOCs
    • Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - changed metadata of an Informational Analytics BIOCs
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - changed metadata of an Informational Analytics BIOCs
    • A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - changed metadata of an Informational Analytics BIOCs
    • Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - changed metadata of an Informational Analytics BIOCs
    • Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - changed metadata of an Informational Analytics BIOCs
    • Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - changed metadata of an Informational Analytics BIOCs
    • AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOCs
    • Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - changed metadata of an Informational Analytics BIOCs
    • BitLocker key retrieval (c6c906ca-ebb0-4b79-8af7-7a054c37d5a0) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - changed metadata of an Informational Analytics BIOCs
    • Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs
    • Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs
    • A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
    • AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs
    • VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - changed metadata of an Informational Analytics BIOCs
    • Possible IPFS traffic was detected (7db8528e-829d-4b64-94ad-815e054da2f8) - changed metadata of an Informational Analytics BIOCs
    • Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - changed metadata of an Informational Analytics BIOCs
    • DSC (Desired State Configuration) lateral movement using PowerShell (db8cf34e-eb16-445a-a4b0-cd36ba1366a0) - changed metadata of an Informational Analytics BIOCs
    • A Torrent client was detected on a host (5fcceaca-8602-4b62-a2a7-d16fb61f0e41) - changed metadata of an Informational Analytics BIOCs
    • Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - changed metadata of an Informational Analytics BIOCs
    • Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - changed metadata of an Informational Analytics BIOCs
    • Rare Unix process divided files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - changed metadata of an Informational Analytics BIOCs
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - changed metadata of an Informational Analytics BIOCs
    • Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs
    • Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOCs
    • LOLBIN created a PSScriptPolicyTest PowerShell script file (4bf08e31-5da8-8c61-0f97-02c7f9bc9d57) - changed metadata of an Informational Analytics BIOCs
    • User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace Role privilege was deleted (118ca7c8-b14c-11ed-b3af-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Scheduled Task hide by registry modification (21dabd4a-1e37-4753-a8ed-be6a7e947f40) - changed metadata of an Informational Analytics BIOCs
    • GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs
    • Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - changed metadata of an Informational Analytics BIOCs
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - changed metadata of an Informational Analytics BIOCs
    • Network traffic to a crypto miner related domain detected (b843081b-fa48-4b12-959c-5b994d3de01c) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - changed metadata of an Informational Analytics BIOCs
    • AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs
    • Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs
    • Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Cloud Organizational policy was created or modified (300b125d-c632-43f2-9a56-5abfd022a4de) - changed metadata of an Informational Analytics BIOCs
    • A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - changed metadata of an Informational Analytics BIOCs
    • Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - changed metadata of an Informational Analytics BIOCs
    • Microsoft 365 DLP policy disabled or removed (7e53db42-aeb1-4087-9e32-fd9418591d68) - changed metadata of an Informational Analytics BIOCs
    • GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs
    • A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - changed metadata of an Informational Analytics BIOCs
    • Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • A Google Workspace user was added to a group (8ba3b36c-c6c1-44d3-80a9-308540b82836) - changed metadata of an Informational Analytics BIOCs
    • Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - changed metadata of an Informational Analytics BIOCs
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - changed metadata of an Informational Analytics BIOCs
    • Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - changed metadata of an Informational Analytics BIOCs
    • GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs
    • Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs
    • Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs
    • External Sharing was turned on for Google Drive (b22a241a-fd7d-4764-908b-d9d75ec4b50f) - changed metadata of an Informational Analytics BIOCs
    • Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs
    • Admin privileges were granted to a Google Workspace user (f0a3f8ae-b14b-11ed-a775-acde48001122) - changed metadata of an Informational Analytics BIOCs
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOCs
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - changed metadata of an Informational Analytics BIOCs
    • MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs
    • A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - changed metadata of an Informational Analytics BIOCs
    • A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - changed metadata of an Informational Analytics BIOCs
    • VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - changed metadata of an Informational Analytics BIOCs
    • AWS Root account activity (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs
    • Exchange email-hiding transport rule (fd633ec0-afaf-465d-95f8-0de0d1780151) - changed metadata of an Informational Analytics BIOCs
    • Unusual use of a 'SysInternals' tool (ad9f86ad-eaea-4f25-ada7-8d42f3305d04) - changed metadata of an Informational Analytics BIOCs
    • Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOCs
    • GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs
  • Temporarily removed an Informational Analytics BIOC for improvement:
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - temporarily removed Informational alert for improvement
  • Improved logic of an Informational Analytics Alert:
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert
  • Changed metadata of 50 Informational Analytics Alerts:
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alert
    • Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - changed metadata of an Informational Analytics Alert
    • A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - changed metadata of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - changed metadata of an Informational Analytics Alert
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - changed metadata of an Informational Analytics Alert
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - changed metadata of an Informational Analytics Alert
    • Deletion of multiple cloud resources (8cc70aa9-1132-4a9a-bf67-6b7c486a25f2) - changed metadata of an Informational Analytics Alert
    • Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - changed metadata of an Informational Analytics Alert
    • Storage enumeration activity (107578a3-3e09-4db1-88e0-2f060fb24a29) - changed metadata of an Informational Analytics Alert
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alert
    • Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - changed metadata of an Informational Analytics Alert
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - changed metadata of an Informational Analytics Alert
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - changed metadata of an Informational Analytics Alert
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - changed metadata of an Informational Analytics Alert
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - changed metadata of an Informational Analytics Alert
    • Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - changed metadata of an Informational Analytics Alert
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alert
    • Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - changed metadata of an Informational Analytics Alert
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - changed metadata of an Informational Analytics Alert
    • Upload pattern that resembles Peer to Peer traffic (56641a1d-2201-4113-998c-fe4b958bf34d) - changed metadata of an Informational Analytics Alert
    • Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - changed metadata of an Informational Analytics Alert
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - changed metadata of an Informational Analytics Alert
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alert
    • Multiple discovery commands on Linux host (1499fa5b-ad53-4d60-ba2d-a3c790e20ca8) - changed metadata of an Informational Analytics Alert
    • Kubernetes environment enumeration activity (13c1ff62-8bcb-452b-8cc8-b31402aab401) - changed metadata of an Informational Analytics Alert
    • Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - changed metadata of an Informational Analytics Alert
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - changed metadata of an Informational Analytics Alert
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alert
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - changed metadata of an Informational Analytics Alert
    • Suspicious container reconnaissance activity in a Kubernetes pod (ec0013e8-b43b-4e84-ad42-b80ebcf1c0a0) - changed metadata of an Informational Analytics Alert
    • Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alert
    • Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - changed metadata of an Informational Analytics Alert
    • Multiple failed logins from a single IP (db1f568a-89c4-11ed-91b5-acde48001122) - changed metadata of an Informational Analytics Alert
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alert
    • Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - changed metadata of an Informational Analytics Alert
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alert
    • Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alert
    • SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - changed metadata of an Informational Analytics Alert
    • IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of an Informational Analytics Alert
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - changed metadata of an Informational Analytics Alert
    • Impossible travel by a cloud identity (1a4aae10-38f7-436e-aa77-ad3db460b4c3) - changed metadata of an Informational Analytics Alert
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alert
    • Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - changed metadata of an Informational Analytics Alert
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alert
    • An identity performed a suspicious download of multiple cloud storage objects (7921f22e-582b-4fb2-b4ab-5da2b1cb0b4a) - changed metadata of an Informational Analytics Alert
    • Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - changed metadata of an Informational Analytics Alert
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - changed metadata of an Informational Analytics Alert
    • Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - changed metadata of an Informational Analytics Alert
    • Short-lived Azure AD user account (0e060502-5e8b-4454-b275-4e510a7aa413) - changed metadata of an Informational Analytics Alert
    • User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - changed metadata of an Informational Analytics Alert

August 21 2023 Release:

  • Added 2 new Low Analytics BIOCs:
    • Billing admin role was removed (2a6e6c44-40cf-47c1-8276-67dea08eb4c6) - added a new Low alert
    • A GCP service account was delegated domain-wide authority in Google Workspace (ba4ca0f5-a845-4c62-b3bd-9f801d427767) - added a new Low alert
  • Improved logic of 3 Low Analytics BIOCs:
    • Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - improved logic of a Low Analytics BIOC
    • Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOC
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Low Analytics BIOC
  • Improved logic of a Low Analytics Alert:
    • Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alert
  • Temporarily removed a Low Analytics Alert for improvement:
    • Abnormal sensitive RPC traffic to multiple hosts (1820b60e-2c62-4a52-8fab-d16c70a3cf0b) - temporarily removed Low alert for improvement
  • Decreased the severity to Informational for an Analytics BIOC:
    • Identity assigned an Azure AD Administrator Role (d301f221-c0f2-4948-bb33-78246666092b) - decreased the severity to Informational, and improved detection logic
  • Added 2 new Informational Analytics BIOCs:
    • A Google Workspace service was configured as unrestricted (17592d37-0d67-42bf-b87b-9fe3771e26b1) - added a new Informational alert
    • Google Workspace third-party application's security settings were changed (76df6f82-0c2d-4918-bc2e-e8da5049ed21) - added a new Informational alert
  • Improved logic of 5 Informational Analytics BIOCs:
    • Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - improved logic of an Informational Analytics BIOC
    • Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - improved logic of an Informational Analytics BIOC
    • Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
    • Azure AD account unlock/password reset attempt (e42a3506-9590-4fa7-b510-34e0a548c671) - improved logic of an Informational Analytics BIOC
    • An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOC
  • Improved logic of 4 Informational Analytics Alerts:
    • Exchange mailbox delegation permissions added (710df6df-f6cb-479c-b2e3-0b669994ac26) - improved logic of an Informational Analytics Alert
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alert
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alert
    • Kubernetes enumeration activity (fa894bad-448b-418c-9d98-7fdb88ae60cf) - improved logic of an Informational Analytics Alert
August 14 2023 Release:

  • Increased the severity to High for an Analytics BIOC:
    • Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - increased the severity to High, and improved detection logic
  • Improved logic of 4 High Analytics BIOCs:
    • Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of a High Analytics BIOC
    • Suspicious SaaS API call from a Tor exit node (5d9c8173-95ba-4c22-8797-1e7850f7dd97) - improved logic of a High Analytics BIOC
    • A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOC
  • Improved logic of 4 Medium Analytics BIOCs:
    • Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOC
    • Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOC
    • A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOC
    • PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOC
  • Removed an old Medium Analytics BIOC:
    • Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - removed an old Medium alert
  • Improved logic of a Medium Analytics Alert:
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alert
  • Changed metadata of a Medium Analytics Alert:
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
  • Decreased the severity to Low for 2 Analytics BIOCs:
    • Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - decreased the severity to Low
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - decreased the severity to Low, and improved detection logic
  • Added 5 new Low Analytics BIOCs:
    • Copy a user's GnuPG directory with rsync (759d73fc-246b-4d3a-bd34-027174dfb9fc) - added a new Low alert
    • Download a script using the python requests module (73619608-e776-4837-98dd-1ac6339ce4d5) - added a new Low alert
    • Suspicious Print System Remote Protocol usage by a process (f9d3b9e8-68f0-4510-bc01-895fd1e45256) - added a new Low alert
    • Compressing data using python (1a8bbf16-65ad-46de-86aa-0091f0e529a1) - added a new Low alert
    • A suspicious direct syscall was executed (84d13d9d-700c-41e2-a30d-d5cc3bb0f29f) - added a new Low alert
  • Improved logic of 7 Low Analytics BIOCs:
    • An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - improved logic of a Low Analytics BIOC
    • Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOC
    • Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOC
    • Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - improved logic of a Low Analytics BIOC
    • Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - improved logic of a Low Analytics BIOC
    • Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - improved logic of a Low Analytics BIOC
    • Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - improved logic of a Low Analytics BIOC
  • Changed metadata of 3 Low Analytics BIOCs:
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOC
    • A domain was added to the trusted domains list (4e319d93-69d2-4b48-be92-58433fa19e8a) - changed metadata of a Low Analytics BIOC
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOC
  • Added a new Low Analytics Alert:
    • A user received multiple weakly encrypted service tickets (45834731-305c-49c8-adc9-afa726ca3e77) - added a new Low alert
  • Improved logic of 8 Low Analytics Alerts:
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - improved logic of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alert
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
    • Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alert
  • Changed metadata of 6 Low Analytics Alerts:
    • Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - changed metadata of a Low Analytics Alert
    • Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - changed metadata of a Low Analytics Alert
    • VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - changed metadata of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - changed metadata of a Low Analytics Alert
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - changed metadata of a Low Analytics Alert
    • Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - changed metadata of a Low Analytics Alert
  • Decreased the severity to Informational for an Analytics BIOC:
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - decreased the severity to Informational
  • Added 8 new Informational Analytics BIOCs:
    • A Kubernetes namespace was created or deleted (7deabb7f-e423-476d-b613-0319a217fa31) - added a new Informational alert
    • A Kubernetes service account was created or deleted (e0241ab7-1742-46da-911b-07d0d72f08e1) - added a new Informational alert
    • A Kubernetes ConfigMap was created or deleted (ec93361c-ba0a-4d59-8c0c-a4cf1bd46aff) - added a new Informational alert
    • Unusual access to the Windows Internal Database on an ADFS server (4e37d789-4249-4dc1-b390-57216ee663c8) - added a new Informational alert
    • A Kubernetes deployment was created or deleted (3b5d2964-9998-4cb8-ae88-710685db15e9) - added a new Informational alert
    • Possible DLL Side Loading (ecaac249-ccea-4c66-b7c1-d726f8eb9ddc) - added a new Informational alert
    • A Kubernetes service was created or deleted (ad8b1dcd-c5b6-456c-98fc-b583aa6ab7cc) - added a new Informational alert
    • Cloud Disk Snapshot Creation or Modification (a41624fc-22e0-11ed-acc2-00155d825142) - added a new Informational alert
  • Improved logic of 12 Informational Analytics BIOCs:
    • Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOC
    • Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - improved logic of an Informational Analytics BIOC
    • File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOC
    • Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOC
    • A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - improved logic of an Informational Analytics BIOC
    • Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - improved logic of an Informational Analytics BIOC
    • Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - improved logic of an Informational Analytics BIOC
    • Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - improved logic of an Informational Analytics BIOC
    • A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOC
    • Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOC
    • SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOC
    • User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 15 Informational Analytics BIOCs:
    • First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - changed metadata of an Informational Analytics BIOC
    • Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - changed metadata of an Informational Analytics BIOC
    • A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - changed metadata of an Informational Analytics BIOC
    • First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - changed metadata of an Informational Analytics BIOC
    • First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - changed metadata of an Informational Analytics BIOC
    • First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - changed metadata of an Informational Analytics BIOC
    • First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - changed metadata of an Informational Analytics BIOC
    • Google Marketplace restrictions were modified (9d20f71c-9527-4dcc-b3eb-3797b0237d20) - changed metadata of an Informational Analytics BIOC
    • Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - changed metadata of an Informational Analytics BIOC
    • A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - changed metadata of an Informational Analytics BIOC
    • An app was added to Google Marketplace (137e88c2-fb10-4156-b5aa-95bfa7fac343) - changed metadata of an Informational Analytics BIOC
    • Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - changed metadata of an Informational Analytics BIOC
    • A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOC
    • A Google Workspace identity created, assigned or modified a role (d8aeb187-888f-4495-9557-c55a7ff21fc5) - changed metadata of an Informational Analytics BIOC
    • First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - changed metadata of an Informational Analytics BIOC
  • Removed an old Informational Analytics BIOC:
    • A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - removed an old Informational alert
  • Added a new Informational Analytics Alert:
    • Multiple TGT requests for users without Kerberos pre-authentication (48a111cb-3982-461e-ae76-1500df17473c) - added a new Informational alert
  • Improved logic of 5 Informational Analytics Alerts:
    • Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of an Informational Analytics Alert
    • User moved Exchange sent messages to deleted items (489d24dd-572d-4634-8463-114cae68c98e) - improved logic of an Informational Analytics Alert
    • A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alert
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alert
    • Multiple cloud snapshots export (260551b5-3a19-44f6-b9c0-820da4c9fc9c) - improved logic of an Informational Analytics Alert
  • Changed metadata of 10 Informational Analytics Alerts:
    • Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - changed metadata of an Informational Analytics Alert
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - changed metadata of an Informational Analytics Alert
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - changed metadata of an Informational Analytics Alert
    • A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - changed metadata of an Informational Analytics Alert
    • A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alert
    • Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alert
    • Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - changed metadata of an Informational Analytics Alert
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alert
    • A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - changed metadata of an Informational Analytics Alert
    • A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alert
  • Removed 3 old Informational Analytics Alerts:
    • Download pattern that resembles Peer to Peer traffic (4c325fcd-7574-435d-a83d-46d6633749f8) - removed an old Informational alert
    • Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - removed an old Informational alert
    • Suspicious ICMP traffic (bd17a758-e4b8-43fc-a6a6-4510f71b5d07) - removed an old Informational alert
July 17 2023 Release:

  • Improved logic of a High Analytics BIOC:
    • A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOC
  • Improved logic of 2 Medium Analytics BIOCs:
    • Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOC
    • Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOC
  • Removed an old Medium Analytics BIOC:
    • Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - removed an old Medium alert
  • Improved logic of 5 Medium Analytics Alerts:
    • NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alert
    • Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alert
    • DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alert
    • An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alert
    • Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alert
  • Improved logic of 7 Low Analytics BIOCs:
    • Exchange user mailbox forwarding (01d8ce0d-b0b6-4b44-bac1-f34e8b1b228b) - improved logic of a Low Analytics BIOC
    • Exchange transport forwarding rule configured (765287dd-d123-47f8-9ded-77debd902c64) - improved logic of a Low Analytics BIOC
    • A possible crypto miner was detected on a host (4ad3b056-d273-41b7-b3db-90f5d5950faa) - improved logic of a Low Analytics BIOC
    • Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - improved logic of a Low Analytics BIOC
    • A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOC
    • Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOC
    • Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOC
  • Improved logic of 17 Low Analytics Alerts:
    • Suspicious ICMP traffic that resembles smurf attack (72694178-fe8e-42b3-b78c-be1522d79353) - improved logic of a Low Analytics Alert
    • Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alert
    • NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alert
    • A user uploaded malware to SharePoint or OneDrive (406a04b3-020b-42ec-a51e-8c63e1802acb) - improved logic of a Low Analytics Alert
    • Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alert
    • Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alert
    • User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alert
    • NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alert
    • Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alert
    • Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alert
    • Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alert
    • Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Low Analytics Alert
    • Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alert
    • NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alert
    • Rare LDAP enumeration (fcb12ef3-ac18-40c0-947c-c2891c6ecaf7) - improved logic of a Low Analytics Alert
    • A user rejected an SSO request from an unusual country (f686543a-1978-11ed-9cff-acde48001122) - improved logic of a Low Analytics Alert
  • Added a new Informational Analytics BIOC:
    • User accessed SaaS resource via anonymous link (ff7ca4b5-1813-45fe-a8ab-aa9b46433e87) - added a new Informational alert
  • Improved logic of 6 Informational Analytics BIOCs:
    • Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOC
    • Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOC
    • Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOC
    • Exchange inbox forwarding rule configured (3158b2ab-c393-495c-ad47-4a3ca9af9a4c) - improved logic of an Informational Analytics BIOC
    • Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOC
    • Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of an Informational Analytics BIOC
  • Changed metadata of 2 Informational Analytics BIOCs:
    • Unusual guest user invitation (e4107001-6972-4bef-bec2-ef019a91af60) - changed metadata of an Informational Analytics BIOC
    • Exchange compliance search created (2a43812b-eec3-4641-b21e-618bb1356548) - changed metadata of an Informational Analytics BIOC
  • Improved logic of 15 Informational Analytics Alerts:
    • A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alert
    • Upload pattern that resembles Peer to Peer traffic (56641a1d-2201-4113-998c-fe4b958bf34d) - improved logic of an Informational Analytics Alert
    • NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alert
    • Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alert
    • Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alert
    • Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alert
    • SSO Brute Force (ac4547b5-329e-11ed-a90d-acde48001122) - improved logic of an Informational Analytics Alert
    • Download pattern that resembles Peer to Peer traffic (4c325fcd-7574-435d-a83d-46d6633749f8) - improved logic of an Informational Analytics Alert
    • A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alert
    • Suspicious ICMP traffic (bd17a758-e4b8-43fc-a6a6-4510f71b5d07) - improved logic of an Informational Analytics Alert
    • Suspicious DNS traffic (2a77fad6-c6f9-4dd1-ab5a-43ce1d203fd4) - improved logic of an Informational Analytics Alert
    • SSO Password Spray (505f4705-10ab-11ed-bf5c-acde48001122) - improved logic of an Informational Analytics Alert
    • NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alert
    • Intense SSO failures (c4f6c1b6-aec9-4588-9faf-34a9911552d2) - improved logic of an Informational Analytics Alert
    • SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alert