This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About vcotton
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About vcotton
02-24-2022
18Posts
16Likes
0Solutions
Feb 24, 2022Last Visited
User
Activity
User
Profile
Latest posts by vcotton
| Subject | Views | Posted |
|---|---|---|
| 1066951 | 03-14-2021 12:49 PM | |
| 6328 | 10-06-2020 10:00 AM | |
| 31093 | 06-29-2020 12:17 PM | |
| 7061 | 06-25-2020 01:58 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 4 Likes | 10-06-2020 10:00 AM | |
| 12 Likes | 03-14-2021 12:49 PM | |
| 3 Likes | 06-25-2020 01:58 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 4 Likes | |||
| 7 Likes | |||
| 10 Likes | |||
| 5 Likes | |||
| 6 Likes |
My LIVEcommunity Articles Contributions
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
User Badges
Community Statistics
| Member Since | 11-26-2018 01:25 PM |
| Date Last Visited | 02-24-2022 01:45 PM |
| Posts | 18 |
| Total Likes Received | 13 |
03-14-2021
12:49 PM
12 Kudos
Cortex XDR Content Release Notes
January 29 2023 Release:
Added a new Low Analytics BIOC:
Kubernetes version disclosure (313b2109-4a11-49f6-b0be-0309eaabbddf) - added a new Low alert
Improved logic of 2 Low Analytics BIOCs:
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
Improved logic of 2 Informational Analytics BIOCs:
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Removed an old Informational Analytics BIOC:
A user attempted to bypass OKTA MFA (3b7c5800-373a-11ed-98f6-acde48001122) - removed an old Informational alert
January 23 2023 Release:
Improved logic of a High Analytics BIOC:
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOC
Improved logic of a Medium Analytics BIOC:
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOC
Improved logic of 2 Low Analytics BIOCs:
SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Improved logic of a Low Analytics Alert:
Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
Improved logic of 9 Informational Analytics BIOCs:
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of an Informational Analytics BIOCs
SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
AWS Root account activity (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of an Informational Analytics BIOCs
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
Removed an old Informational Analytics BIOC:
A user deactivated an OKTA MFA factor (eb53b9a8-3756-11ed-b4a7-acde48001122) - removed an old Informational alert
January 15 2023 Release:
Decreased the severity to Medium for a BIOC:
LOLBIN created a PowerShell script file (5cbee940-dfad-11ea-b820-faffc26aac4a) - decreased the severity to Medium
Improved logic of 3 Medium Analytics BIOCs:
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Added a new Low Analytics BIOC:
Unusual Conditional Access operation for an identity (b2fdbf79-9e9c-42dd-91b7-a03f883e3521) - added a new Low alert
Improved logic of 2 Low Analytics BIOCs:
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOCs
Decreased the severity to Informational for a BIOC:
Injection into rundll32.exe (0c0a80af-06ff-4a10-b555-67e56ecbd410) - decreased the severity to Informational
Added a new Informational Analytics BIOC:
Authentication method added to an Azure account (4557bfa6-6090-4472-912f-3e625adda2a9) - added a new Informational alert
Improved logic of 5 Informational Analytics BIOCs:
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs
SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
Uncommon communication to instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - improved logic of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
Removed an old Informational Analytics Alert:
User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - removed an old Informational alert
January 08 2023 Release:
Increased the severity to High for an Analytics BIOC:
Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - increased the severity to High
Removed an old Medium BIOC:
Manipulation of Google Chrome extensions via Registry (5adc7a1b-c840-43fc-ac65-c1b6cdb5ca12) - removed an old Medium alert
Changed metadata of a Medium Analytics BIOC:
A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - changed metadata of a Medium Analytics BIOC
Improved logic of a Low Analytics Alert:
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alert
Added a new Informational Analytics BIOC:
Uncommon communication to instant messaging server (af7411c9-596e-4400-8088-30ac46eddde0) - added a new Informational alert
Improved logic of an Informational Analytics BIOC:
Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOC
January 03 2023 Release:
Improved logic of 2 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Added a new Medium Analytics BIOC:
Kubernetes vulnerability scanner activity (01e27219-483a-4ec2-ba4c-641ee54b3059) - added a new Medium alert
Improved logic of 5 Medium Analytics BIOCs:
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOCs
A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Changed metadata of a Medium Analytics Alert:
A contained process attempted to escape using notify on release feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - changed metadata of a Medium Analytics Alert
Improved logic of 15 Low Analytics BIOCs:
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
Removed an old Low Analytics BIOC:
SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - removed an old Low alert
Improved logic of 5 Low Analytics Alerts:
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts
Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts
Removed 2 old Low Analytics Alerts:
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - removed an old Low alert
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - removed an old Low alert
Decreased the severity to Informational for 5 Analytics BIOCs:
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - decreased the severity to Informational, and improved detection logic
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - decreased the severity to Informational, and improved detection logic
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - decreased the severity to Informational, and improved detection logic
VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - decreased the severity to Informational, and improved detection logic
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - decreased the severity to Informational, and improved detection logic
Added 2 new Informational Analytics BIOCs:
Unusual access to the AD Sync credential files (f28618e6-2d55-4e8b-9f85-5107b2b544e5) - added a new Informational alert
A cloud storage configuration was modified (2443ff34-fbdb-4281-9502-f1b1a33ccb3c4) - added a new Informational alert
Improved logic of 89 Informational Analytics BIOCs:
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of an Informational Analytics BIOCs
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs
Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs
Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs
First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs
An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs
Removed 2 old Informational Analytics BIOCs:
A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - removed an old Informational alert
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - removed an old Informational alert
Improved logic of 4 Informational Analytics Alerts:
Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - improved logic of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
Removed an old Informational Analytics Alert:
A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - removed an old Informational alert
December 19 2022 Release:
Improved logic of 2 Medium Analytics BIOCs:
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
Added 2 new Low Analytics BIOCs:
An unpopular process accessed the microphone on the host (dc7681e8-d75c-414e-aa5e-e4c40df31f1d) - added a new Low alert
Stored credentials exported using credwiz.exe (97f50040-5670-43b3-9afc-1d0e5b1a76bb) - added a new Low alert
Improved logic of 2 Low Analytics BIOCs:
Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - improved logic of a Low Analytics BIOCs
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
Removed an old Low Analytics BIOC:
Rundll32.exe used keymgr.dll to extract credentials (30d50445-32d4-4681-aefc-31ccc476cc14) - removed an old Low alert
Improved logic of 2 Low Analytics Alerts:
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Improved logic of 5 Informational Analytics BIOCs:
Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - improved logic of an Informational Analytics BIOCs
Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of an Informational Analytics BIOCs
A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
December 11 2022 Release:
Improved logic of 2 Medium Analytics BIOCs:
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
Improved logic of a Low Analytics BIOC:
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOC
Changed metadata of a Low Analytics BIOC:
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOC
Improved logic of a Low Analytics Alert:
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alert
Decreased the severity to Informational for 3 Analytics BIOCs:
Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - decreased the severity to Informational, and improved detection logic
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - decreased the severity to Informational, and improved detection logic
A disabled user attempted to authenticate via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - decreased the severity to Informational, and improved detection logic
Added 3 new Informational Analytics BIOCs:
A non-browser process accessed a website UI (fe11bc92-ba95-42ca-8191-f9fb15c1a237) - added a new Informational alert
Unusual ADConnect database file access (c24b0797-2a7a-48aa-9b52-4ecb55f24f81) - added a new Informational alert
A user deactivated an OKTA MFA factor (eb53b9a8-3756-11ed-b4a7-acde48001122) - added a new Informational alert
Improved logic of an Informational Analytics BIOC:
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOC
December 04 2022 Release:
Decreased the severity to Medium for an Analytics BIOC:
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - decreased the severity to Medium, and improved detection logic
Improved logic of a Medium Analytics BIOC:
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOC
Improved logic of 2 Low Analytics BIOCs:
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs
Changed metadata of 2 Low Analytics BIOCs:
Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs
Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs
Improved logic of a Low Analytics Alert:
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - decreased the severity to Informational
Added a new Informational Analytics BIOC:
A user attempted to bypass OKTA MFA (3b7c5800-373a-11ed-98f6-acde48001122) - added a new Informational alert
Improved logic of 6 Informational Analytics BIOCs:
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
Multiple SSO MFA attempts were rejected by a user (5c2c2a42-3364-11ed-b0e6-acde48001122) - added a new Informational alert
November 27 2022 Release:
Improved logic of 2 High Analytics BIOCs:
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Improved logic of 4 Medium Analytics BIOCs:
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs
Changed metadata of 6 Medium Analytics BIOCs:
Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs
Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs
LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs
Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - changed metadata of a Medium Analytics BIOCs
Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs
Improved logic of 2 Medium Analytics Alerts:
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts
Added a new Low Analytics BIOC:
Masquerading as a default local account (4a70f477-a447-4bf8-8ef7-918737c5d7ab) - added a new Low alert
Improved logic of 11 Low Analytics BIOCs:
Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - improved logic of a Low Analytics BIOCs
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs
Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs
VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs
Improved logic of 8 Low Analytics Alerts:
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
Changed metadata of a Low Analytics Alert:
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - changed metadata of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - decreased the severity to Informational, and improved detection logic
Added a new Informational Analytics BIOC:
Unpopular rsync process execution (86d4e55a-1d30-46de-a426-1876a973220f) - added a new Informational alert
Improved logic of 31 Informational Analytics BIOCs:
First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - improved logic of an Informational Analytics BIOCs
VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs
Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - improved logic of an Informational Analytics BIOCs
Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
Improved logic of 5 Informational Analytics Alerts:
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - improved logic of an Informational Analytics Alerts
November 21 2022 Release:
Improved logic of a Medium Analytics BIOC:
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOC
Changed metadata of 14 Medium Analytics BIOCs:
Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs
Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs
Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs
Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs
A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - changed metadata of a Medium Analytics BIOCs
Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs
Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs
Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs
Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs
Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs
Increased the severity to Low for an Analytics BIOC:
Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - increased the severity to Low, and improved detection logic
Improved logic of a Low Analytics BIOC:
Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOC
Changed metadata of 3 Low Analytics BIOCs:
Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - changed metadata of a Low Analytics BIOCs
Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs
Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs
Decreased the severity to Informational for an Analytics BIOC:
Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - decreased the severity to Informational, and improved detection logic
Improved logic of an Informational Analytics BIOC:
Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOC
Removed an old Informational Analytics BIOC:
A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - removed an old Informational alert
Improved logic of an Informational Analytics Alert:
A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - improved logic of an Informational Analytics Alert
November 13 2022 Release:
Improved logic of a High Analytics BIOC:
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOC
Changed metadata of a High Analytics BIOC:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - changed metadata of a High Analytics BIOC
Improved logic of a High Analytics Alert:
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alert
Changed metadata of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - changed metadata of a High Analytics Alert
Changed metadata of 3 Medium BIOCs:
Windows event logs cleared using wmic.exe (7316c8d9-07d8-40aa-b074-b452bc3d355c) - changed metadata of a Medium BIOCs
Delete Volume USN Journal with fsutil (9d79f0ce-15c2-4ab8-b63e-2f22d74423e3) - changed metadata of a Medium BIOCs
Clear logs - using dd and /dev/null (d5a156a9-d203-46ca-a53a-6090b173dfe0) - changed metadata of a Medium BIOCs
Added a new Medium Analytics BIOC:
A process was executed with a command line obfuscated by Unicode character substitution (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - added a new Medium alert
Changed metadata of 25 Medium Analytics BIOCs:
Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - changed metadata of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - changed metadata of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs
Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - changed metadata of a Medium Analytics BIOCs
Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - changed metadata of a Medium Analytics BIOCs
Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs
Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - changed metadata of a Medium Analytics BIOCs
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - changed metadata of a Medium Analytics BIOCs
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - changed metadata of a Medium Analytics BIOCs
Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - changed metadata of a Medium Analytics BIOCs
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs
Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - changed metadata of a Medium Analytics BIOCs
Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - changed metadata of a Medium Analytics BIOCs
Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - changed metadata of a Medium Analytics BIOCs
Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - changed metadata of a Medium Analytics BIOCs
Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs
Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - changed metadata of a Medium Analytics BIOCs
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs
LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - changed metadata of a Medium Analytics BIOCs
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - changed metadata of a Medium Analytics BIOCs
Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - changed metadata of a Medium Analytics BIOCs
Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - changed metadata of a Medium Analytics BIOCs
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs
Changed metadata of 5 Medium Analytics Alerts:
DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts
An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alerts
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - changed metadata of a Medium Analytics Alerts
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts
Changed metadata of 2 Low BIOCs:
Accessing bash history file using bash commands (cb05480f-17d8-4138-9992-f0f9fb50b671) - changed metadata of a Low BIOCs
Accessing bash history file (cb05480f-17d8-4138-9902-f0f9fb50b671) - changed metadata of a Low BIOCs
Improved logic of 4 Low Analytics BIOCs:
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
Changed metadata of 39 Low Analytics BIOCs:
Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - changed metadata of a Low Analytics BIOCs
Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - changed metadata of a Low Analytics BIOCs
Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - changed metadata of a Low Analytics BIOCs
Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - changed metadata of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - changed metadata of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - changed metadata of a Low Analytics BIOCs
Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - changed metadata of a Low Analytics BIOCs
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - changed metadata of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - changed metadata of a Low Analytics BIOCs
Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - changed metadata of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs
Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - changed metadata of a Low Analytics BIOCs
Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - changed metadata of a Low Analytics BIOCs
Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - changed metadata of a Low Analytics BIOCs
Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - changed metadata of a Low Analytics BIOCs
Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - changed metadata of a Low Analytics BIOCs
An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - changed metadata of a Low Analytics BIOCs
Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - changed metadata of a Low Analytics BIOCs
An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - changed metadata of a Low Analytics BIOCs
Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - changed metadata of a Low Analytics BIOCs
Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - changed metadata of a Low Analytics BIOCs
Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - changed metadata of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - changed metadata of a Low Analytics BIOCs
Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - changed metadata of a Low Analytics BIOCs
Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - changed metadata of a Low Analytics BIOCs
Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - changed metadata of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - changed metadata of a Low Analytics BIOCs
Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - changed metadata of a Low Analytics BIOCs
Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - changed metadata of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - changed metadata of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - changed metadata of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - changed metadata of a Low Analytics BIOCs
Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - changed metadata of a Low Analytics BIOCs
Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs
Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - changed metadata of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - changed metadata of a Low Analytics BIOCs
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs
Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - changed metadata of a Low Analytics BIOCs
Improved logic of 12 Low Analytics Alerts:
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts
NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts
NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
Changed metadata of 9 Low Analytics Alerts:
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - changed metadata of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - changed metadata of a Low Analytics Alerts
Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - changed metadata of a Low Analytics Alerts
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - changed metadata of a Low Analytics Alerts
Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - changed metadata of a Low Analytics Alerts
Changed metadata of 9 Informational BIOCs:
Log deletion using the truncate command (1afe4c22-2163-45ad-a90a-f130eaed6ff2) - changed metadata of an Informational BIOCs
File timestamp tampering (624b8f91-842c-4f04-87e1-71aa7bdb727c) - changed metadata of an Informational BIOCs
Possible ARP reconnaissance (69b6a970-5018-4e34-8bc9-8cfcfe48fac2) - changed metadata of an Informational BIOCs
Possible log destruction using dd command (7620b496-3804-4b00-83eb-85378033b6bd) - changed metadata of an Informational BIOCs
Clearing logs by executing cat /dev/null (787aa313-7ef6-40a9-a68c-bdcc9610c35f) - changed metadata of an Informational BIOCs
Log deletion in known log file directories (4c91da94-296f-49c3-9e3d-4f040269391e) - changed metadata of an Informational BIOCs
Clearing logs by copying /dev/null to a log file (62affbe1-1c47-4dc1-88d2-bd701e9be6d7) - changed metadata of an Informational BIOCs
Log deletion via command-line tool (55ed9a90-b68b-4e55-a165-eda5d1cab906) - changed metadata of an Informational BIOCs
Windows Security audit Log was cleared (afc6329f-ccec-4c56-963d-5da63bb8a27d) - changed metadata of an Informational BIOCs
Decreased the severity to Informational for an Analytics BIOC:
Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - decreased the severity to Informational, and improved detection logic
Added 2 new Informational Analytics BIOCs:
Suspicious SSO authentication (e44cfdba-073c-11ed-8f68-acde48001122) - added a new Informational alert
A rare local administrator login (d0652036-2ba2-4d21-b724-e3bf38931d1f) - added a new Informational alert
Improved logic of 5 Informational Analytics BIOCs:
A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
Changed metadata of 93 Informational Analytics BIOCs:
Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - changed metadata of an Informational Analytics BIOCs
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - changed metadata of an Informational Analytics BIOCs
An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - changed metadata of an Informational Analytics BIOCs
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - changed metadata of an Informational Analytics BIOCs
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - changed metadata of an Informational Analytics BIOCs
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - changed metadata of an Informational Analytics BIOCs
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - changed metadata of an Informational Analytics BIOCs
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - changed metadata of an Informational Analytics BIOCs
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - changed metadata of an Informational Analytics BIOCs
Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - changed metadata of an Informational Analytics BIOCs
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - changed metadata of an Informational Analytics BIOCs
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - changed metadata of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - changed metadata of an Informational Analytics BIOCs
VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - changed metadata of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - changed metadata of an Informational Analytics BIOCs
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - changed metadata of an Informational Analytics BIOCs
File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - changed metadata of an Informational Analytics BIOCs
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - changed metadata of an Informational Analytics BIOCs
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - changed metadata of an Informational Analytics BIOCs
Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - changed metadata of an Informational Analytics BIOCs
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - changed metadata of an Informational Analytics BIOCs
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - changed metadata of an Informational Analytics BIOCs
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - changed metadata of an Informational Analytics BIOCs
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - changed metadata of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - changed metadata of an Informational Analytics BIOCs
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - changed metadata of an Informational Analytics BIOCs
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - changed metadata of an Informational Analytics BIOCs
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - changed metadata of an Informational Analytics BIOCs
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - changed metadata of an Informational Analytics BIOCs
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - changed metadata of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - changed metadata of an Informational Analytics BIOCs
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - changed metadata of an Informational Analytics BIOCs
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - changed metadata of an Informational Analytics BIOCs
An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - changed metadata of an Informational Analytics BIOCs
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - changed metadata of an Informational Analytics BIOCs
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - changed metadata of an Informational Analytics BIOCs
A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - changed metadata of an Informational Analytics BIOCs
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - changed metadata of an Informational Analytics BIOCs
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - changed metadata of an Informational Analytics BIOCs
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - changed metadata of an Informational Analytics BIOCs
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - changed metadata of an Informational Analytics BIOCs
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - changed metadata of an Informational Analytics BIOCs
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - changed metadata of an Informational Analytics BIOCs
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - changed metadata of an Informational Analytics BIOCs
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - changed metadata of an Informational Analytics BIOCs
Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - changed metadata of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - changed metadata of an Informational Analytics BIOCs
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - changed metadata of an Informational Analytics BIOCs
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - changed metadata of an Informational Analytics BIOCs
Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - changed metadata of an Informational Analytics BIOCs
Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - changed metadata of an Informational Analytics BIOCs
System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - changed metadata of an Informational Analytics BIOCs
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - changed metadata of an Informational Analytics BIOCs
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - changed metadata of an Informational Analytics BIOCs
A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - changed metadata of an Informational Analytics BIOCs
Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - changed metadata of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - changed metadata of an Informational Analytics BIOCs
Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - changed metadata of an Informational Analytics BIOCs
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - changed metadata of an Informational Analytics BIOCs
Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - changed metadata of an Informational Analytics BIOCs
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - changed metadata of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - changed metadata of an Informational Analytics BIOCs
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - changed metadata of an Informational Analytics BIOCs
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - changed metadata of an Informational Analytics BIOCs
Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - changed metadata of an Informational Analytics BIOCs
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - changed metadata of an Informational Analytics BIOCs
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - changed metadata of an Informational Analytics BIOCs
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - changed metadata of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - changed metadata of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - changed metadata of an Informational Analytics BIOCs
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - changed metadata of an Informational Analytics BIOCs
Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - changed metadata of an Informational Analytics BIOCs
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - changed metadata of an Informational Analytics BIOCs
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - changed metadata of an Informational Analytics BIOCs
Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - changed metadata of an Informational Analytics BIOCs
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - changed metadata of an Informational Analytics BIOCs
Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - changed metadata of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - changed metadata of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - changed metadata of an Informational Analytics BIOCs
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - changed metadata of an Informational Analytics BIOCs
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - changed metadata of an Informational Analytics BIOCs
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - changed metadata of an Informational Analytics BIOCs
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - changed metadata of an Informational Analytics BIOCs
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - changed metadata of an Informational Analytics BIOCs
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - changed metadata of an Informational Analytics BIOCs
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - changed metadata of an Informational Analytics BIOCs
A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - changed metadata of an Informational Analytics BIOCs
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - changed metadata of an Informational Analytics BIOCs
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - changed metadata of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - changed metadata of an Informational Analytics BIOCs
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - changed metadata of an Informational Analytics BIOCs
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - changed metadata of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - added a new Informational alert
Improved logic of 10 Informational Analytics Alerts:
SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts
User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts
Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - improved logic of an Informational Analytics Alerts
Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts
A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts
Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
Changed metadata of 7 Informational Analytics Alerts:
A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - changed metadata of an Informational Analytics Alerts
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - changed metadata of an Informational Analytics Alerts
Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - changed metadata of an Informational Analytics Alerts
A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - changed metadata of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - changed metadata of an Informational Analytics Alerts
Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - changed metadata of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - changed metadata of an Informational Analytics Alert
November 06 2022 Release:
Improved logic of a High Analytics BIOC:
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOC
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Improved logic of 3 Medium Analytics BIOCs:
Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Changed metadata of a Medium Analytics BIOC:
Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - changed metadata of a Medium Analytics BIOC
Improved logic of 2 Medium Analytics Alerts:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts
An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts
Improved logic of 3 Low Analytics BIOCs:
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Improved logic of 4 Low Analytics Alerts:
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
Removed an old Low Analytics Alert:
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - removed an old Low alert
Added 2 new Informational Analytics BIOCs:
Cloud identity reached a throttling API rate (ac9d94ac-2f5b-11ed-9d8c-acde48001122) - added a new Informational alert
An uncommon file was created in the startup folder (426cd48f-af4f-46ae-b12d-61db5ba2d154) - added a new Informational alert
Improved logic of 17 Informational Analytics BIOCs:
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
Allocation of multiple cloud compute resources (653d6d6c-2f5b-11ed-8017-acde48001122) - added a new Informational alert
Improved logic of 2 Informational Analytics Alerts:
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
October 30 2022 Release:
Improved logic of 3 High Analytics BIOCs:
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Improved logic of 3 Medium Analytics BIOCs:
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Improved logic of 3 Medium Analytics Alerts:
Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alerts
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts
Improved logic of 20 Low Analytics BIOCs:
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOCs
Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - improved logic of a Low Analytics BIOCs
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
Improved logic of 14 Low Analytics Alerts:
Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - improved logic of a Low Analytics Alerts
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts
Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
Added 2 new Informational Analytics BIOCs:
An identity logged in to the AWS console for the first time (1a1ec0d3-12ca-4e8a-8b81-c7ee43836459) - added a new Informational alert
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - added a new Informational alert
Improved logic of 87 Informational Analytics BIOCs:
Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs
Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - improved logic of an Informational Analytics BIOCs
User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs
A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - improved logic of an Informational Analytics BIOCs
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs
User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs
Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs
Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs
Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs
Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs
Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs
Improved logic of 8 Informational Analytics Alerts:
Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts
A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - improved logic of an Informational Analytics Alerts
User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts
October 24 2022 Release:
Removed an old Medium BIOC:
Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - removed an old Medium alert
Improved logic of 3 Medium Analytics BIOCs:
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs
Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alert
Added 2 new Low Analytics BIOCs:
Uncommon access to Microsoft Teams credential files (1bb7c565-fa59-4fd8-b779-7f32ad96caad) - added a new Low alert
Rundll32.exe used keymgr.dll to extract credentials (30d50445-32d4-4681-aefc-31ccc476cc14) - added a new Low alert
Improved logic of 3 Low Analytics BIOCs:
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs
A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs
Added a new Low Analytics Alert:
An identity dumped multiple secrets from a project (8c3ac6bb-f94e-4541-ae89-d8b34175d973) - added a new Low alert
Improved logic of 2 Low Analytics Alerts:
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts
Changed metadata of a Low Analytics Alert:
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - changed metadata of a Low Analytics Alert
Decreased the severity to Informational for an Analytics BIOC:
Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - decreased the severity to Informational, and improved detection logic
Added 3 new Informational Analytics BIOCs:
User added SID History to an account (c0b2402b-9a56-11ec-a4b4-faffc26aac4a) - added a new Informational alert
Globally uncommon injection from a signed process (183c6804-b6c2-4625-85bd-43d66f589970) - added a new Informational alert
Msiexec execution of an executable from an uncommon remote location (5172f78b-0e6f-48d4-8be3-e8a9e470e267) - added a new Informational alert
Improved logic of 5 Informational Analytics BIOCs:
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs
A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs
Improved logic of an Informational Analytics Alert:
User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - improved logic of an Informational Analytics Alert
Changed metadata of 2 Informational Analytics Alerts:
Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - changed metadata of an Informational Analytics Alerts
A user accessed multiple time-consuming websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - changed metadata of an Informational Analytics Alerts
October 03 2022 Release:
Improved logic of 2 High Analytics BIOCs:
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Increased the severity to Medium for an Analytics BIOC:
Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - increased the severity to Medium, and improved detection logic
Improved logic of 3 Medium Analytics BIOCs:
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Changed metadata of a Medium Analytics Alert:
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - changed metadata of a Medium Analytics Alert
Improved logic of a Low BIOC:
RDP connections enabled via Registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - improved logic of a Low BIOC
Added a new Low Analytics BIOC:
A cloud function was created with an unusual runtime (69089952-9f5a-4f77-b66b-b5ea99f54b03) - added a new Low alert
Improved logic of 12 Low Analytics BIOCs:
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
Added a new Low Analytics Alert:
Suspicious access to cloud credential files (2cbefc13-5012-4756-a435-d4d15d3fda86) - added a new Low alert
Improved logic of 5 Low Analytics Alerts:
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts
Removed an old Informational BIOC:
WebDAV connection to internet (e29a5545-68c2-4019-b72c-0b54345f0914) - removed an old Informational alert
Added a new Informational Analytics BIOC:
A user enabled a default local account (ca4486d8-ded7-4cbb-ac7c-5e02b4e272f8) - added a new Informational alert
Improved logic of 2 Informational Analytics Alerts:
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
September 18 2022 Release:
Improved logic of a High Analytics BIOC:
Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOC
Removed an old Medium BIOC:
Tampering with the Windows User Account Controls (UAC) configuration (8efda7b1-30fe-49c7-b2b9-9c17f43bc951) - removed an old Medium alert
Improved logic of 4 Medium Analytics BIOCs:
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - improved logic of a Medium Analytics BIOCs
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - improved logic of a Medium Analytics BIOCs
RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Changed metadata of 3 Medium Analytics BIOCs:
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - changed metadata of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - changed metadata of a Medium Analytics BIOCs
Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - changed metadata of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Changed metadata of 3 Medium Analytics Alerts:
DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - changed metadata of a Medium Analytics Alerts
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - changed metadata of a Medium Analytics Alerts
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - changed metadata of a Medium Analytics Alerts
Decreased the severity to Low for a BIOC:
RDP connections enabled via Registry from a script host or rundll32.exe (0f705be9-8cd2-4263-9735-6d394f08b974) - decreased the severity to Low
Decreased the severity to Low for an Analytics BIOC:
LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - decreased the severity to Low
Added a new Low Analytics BIOC:
Office process accessed an unusual .LNK file (15b39f42-b51e-7dec-576f-d1cef54a5baf) - added a new Low alert
Improved logic of 7 Low Analytics BIOCs:
Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - improved logic of a Low Analytics BIOCs
Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs
WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs
Changed metadata of 5 Low Analytics BIOCs:
Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - changed metadata of a Low Analytics BIOCs
Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - changed metadata of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - changed metadata of a Low Analytics BIOCs
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - changed metadata of a Low Analytics BIOCs
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - changed metadata of a Low Analytics BIOCs
Removed an old Low Analytics BIOC:
User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - removed an old Low alert
Decreased the severity to Low for an Analytics Alert:
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - decreased the severity to Low, and improved detection logic
Improved logic of 5 Low Analytics Alerts:
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
Changed metadata of 5 Low Analytics Alerts:
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - changed metadata of a Low Analytics Alerts
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - changed metadata of a Low Analytics Alerts
Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - changed metadata of a Low Analytics Alerts
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - changed metadata of a Low Analytics Alerts
Decreased the severity to Informational for 4 BIOCs:
Adobe Acrobat Reader drops an executable file to disk (61f01972-e07f-46d7-ba75-f1ec1309625a) - decreased the severity to Informational
Windows Firewall disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aad8f67) - decreased the severity to Informational
Manipulation of Windows Defender configuration (ee3e2e4a-0fca-4bc5-8b09-0e2b0681420c) - decreased the severity to Informational
Windows Firewall notifications disabled via Registry (31796d2e-08a9-4047-8f37-3a0c2aa11702) - decreased the severity to Informational
Decreased the severity to Informational for an Analytics BIOC:
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - decreased the severity to Informational
Added a new Informational Analytics BIOC:
Tampering with the Windows User Account Controls (UAC) configuration (f161037f-b953-0828-69ba-5df0aac3f359) - added a new Informational alert
Improved logic of 25 Informational Analytics BIOCs:
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs
Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Changed metadata of an Informational Analytics BIOC:
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - changed metadata of an Informational Analytics BIOC
Removed an old Informational Analytics BIOC:
A process was executed with an obfuscated command line (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - removed an old Informational alert
Added a new Informational Analytics Alert:
Multiple discovery commands on Linux host (1499fa5b-ad53-4d60-ba2d-a3c790e20ca8) - added a new Informational alert
Improved logic of 4 Informational Analytics Alerts:
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
September 11 2022 Release:
Added a new Low Analytics BIOC:
Uncommon AT task-job creation by user (082e4d29-7037-47d0-b83f-a0226016139c) - added a new Low alert
Added 2 new Informational BIOCs:
Web browser cookie and credential access (94c75384-9e3f-4eaa-994d-b7315a893b94) - added a new Informational alert
Credentials from Web Browsers (737d6f4d-8ddc-4334-abbd-dab5b9a6dc52) - added a new Informational alert
Added a new Informational Analytics BIOC:
A process was executed with an obfuscated command line (2a0ea644-8181-470b-ad5d-d0c6c7c84946) - added a new Informational alert
Improved logic of 2 Informational Analytics BIOCs:
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs
A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - improved logic of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
A user took numerous screenshots (c91f4f5f-b921-4e1b-971a-a59ca9f154bb) - added a new Informational alert
Improved logic of 2 Informational Analytics Alerts:
A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - improved logic of an Informational Analytics Alerts
Removed an old Informational Analytics Alert:
A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - removed an old Informational alert
September 06 2022 Release:
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Removed an old Low BIOC:
Remote process execution using WMI (5bab2bb9-882a-4101-ace1-700f84171a52) - removed an old Low alert
Increased the severity to Low for 2 Analytics BIOCs:
Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - increased the severity to Low, and improved detection logic
Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - increased the severity to Low
Improved logic of 3 Low Analytics BIOCs:
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - improved logic of a Low Analytics BIOCs
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - improved logic of a Low Analytics BIOCs
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - improved logic of a Low Analytics BIOCs
Improved logic of 3 Low Analytics Alerts:
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Added a new Informational Analytics BIOC:
User discovery via WMI query execution (d60b2b53-4d04-4b9a-b51b-9f7ce490c931) - added a new Informational alert
Improved logic of 5 Informational Analytics BIOCs:
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
Removed an old Informational Analytics BIOC:
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - removed an old Informational alert
Improved logic of an Informational Analytics Alert:
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alert
August 28 2022 Release:
Changed metadata of 2 High BIOCs:
Pubprn.vbs signed script proxy execution (8d113cec-90be-4b24-856a-6f6c091e7510) - changed metadata of a High BIOCs
Regsvr32 may have run code from an untrusted source (41fe171e-5b79-4b15-a3c1-18f015dddd38) - changed metadata of a High BIOCs
Changed metadata of 7 Medium BIOCs:
Rundll32.exe launches an executable using ordinal numbers argument (421619b8-a26b-476a-b2e4-3c24ee33a4b0) - changed metadata of a Medium BIOCs
Rundll32.exe was used to run JavaScript (c9207f63-0b78-4488-9668-e24bc1b2f9d6) - changed metadata of a Medium BIOCs
WerFault ReflectDebugger key set in Registry (e22a0cab-0e71-408c-bbbc-39bf225df5fc) - changed metadata of a Medium BIOCs
Suspicious DLL load using Control.exe (68db2d19-082e-4703-8008-b5938298a910) - changed metadata of a Medium BIOCs
Execution of Fsociety tool pack (9a5b28a6-0a67-4386-9707-e7e4f1791c8a) - changed metadata of a Medium BIOCs
Rundll32.exe with 'main' as EntryPoint (7f5b7042-dca4-11ea-81aa-faffc26aac4a) - changed metadata of a Medium BIOCs
Conhost.exe spawned a suspicious child process (d9d0dfed-fdc3-4488-9e1b-5ca3eea82bee) - changed metadata of a Medium BIOCs
Changed metadata of 10 Medium Analytics BIOCs:
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - changed metadata of a Medium Analytics BIOCs
Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - changed metadata of a Medium Analytics BIOCs
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - changed metadata of a Medium Analytics BIOCs
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - changed metadata of a Medium Analytics BIOCs
Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - changed metadata of a Medium Analytics BIOCs
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - changed metadata of a Medium Analytics BIOCs
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - changed metadata of a Medium Analytics BIOCs
Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - changed metadata of a Medium Analytics BIOCs
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - changed metadata of a Medium Analytics BIOCs
Changed metadata of a Medium Analytics Alert:
An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - changed metadata of a Medium Analytics Alert
Changed metadata of 6 Low BIOCs:
Mshta.exe spawns from a browser (85ebde0e-4969-4d8e-a185-6c27688e0189) - changed metadata of a Low BIOCs
Microsoft Connection Manager Profile Installer loads a file from the users to temporary folder (6a53c562-8d65-4728-9fb3-46026904a1ca) - changed metadata of a Low BIOCs
UDP protocol scanner execution (d985da58-a4c5-4063-984b-357c80021aa1) - changed metadata of a Low BIOCs
Microsoft Connection Manager Profile Installer runs command line or PowerShell (c1252b9a-d057-4e08-871b-682148b7a9cc) - changed metadata of a Low BIOCs
Microsoft Connection Manager Profile Installer makes connections to the network (860f288c-f1d1-48c3-8883-12864f0b2ccc) - changed metadata of a Low BIOCs
Possible Oracle enumeration via tnscmd10g (2cb88b29-27c2-484b-be99-60158b575cf1) - changed metadata of a Low BIOCs
Added 3 new Low Analytics BIOCs:
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - added a new Low alert
Uncommon creation or access operation of sensitive shadow copy (d4e071d6-2990-48bd-9d03-87fa8268ea7e) - added a new Low alert
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - added a new Low alert
Improved logic of a Low Analytics BIOC:
Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOC
Changed metadata of 7 Low Analytics BIOCs:
A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - changed metadata of a Low Analytics BIOCs
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - changed metadata of a Low Analytics BIOCs
Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - changed metadata of a Low Analytics BIOCs
Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - changed metadata of a Low Analytics BIOCs
Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - changed metadata of a Low Analytics BIOCs
Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - changed metadata of a Low Analytics BIOCs
Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - changed metadata of a Low Analytics BIOCs
Added a new Informational BIOC:
Key Certificate Search And Exfiltrate (81756563-9257-4141-9e66-2f1ad4d4566a) - added a new Informational alert
Improved logic of an Informational BIOC:
SSH key pair discovery (76d3e2e8-77dc-47a4-902f-f8189da8e883) - improved logic of an Informational BIOC
Changed metadata of 13 Informational BIOCs:
Enumeration of Windows services from public IP addresses (e98b5d62-69cf-4c62-b3de-7636f669fd3d) - changed metadata of an Informational BIOCs
Tampering with Windows Control Panel configuration (2ba4c53b-03de-4a34-92ec-225cfe1fe0b4) - changed metadata of an Informational BIOCs
Compiled HTML (help file) makes network connections (858a4ed7-36c4-4c43-9bff-d142f300035d) - changed metadata of an Informational BIOCs
Execution of regsvcs/regasm with uncommon paths (a1ce5d8b-5ea0-49d2-8d91-8ae4ea752ec0) - changed metadata of an Informational BIOCs
Installation of networking security tools (45818abb-9462-4074-ae83-fd56f715ef11) - changed metadata of an Informational BIOCs
Execution of commonly abused AutoIT script (13b17653-c885-4d10-bce2-51a63419cf8f) - changed metadata of an Informational BIOCs
SyncAppvPublishingServer used to run PowerShell code (a3d1fa93-c193-44d8-a469-a25dd1db7695) - changed metadata of an Informational BIOCs
Microsoft Office spawns curl/wget on a macOS device (3cbf66af-49c6-485c-b5fd-eacce8cc07ba) - changed metadata of an Informational BIOCs
Microsoft HTML Application Host spawns from CMD or PowerShell (bfca0d1c-91f9-4ed3-b812-f207ba100a3b) - changed metadata of an Informational BIOCs
Commonly abused process spawns out of rundll32.exe (3d7b9874-a18d-45c9-8002-f1f6575a4f3c) - changed metadata of an Informational BIOCs
Rundll32 loads a known abused DLL (340fd5f7-7a5c-4c6e-8b54-9bfce08bd2a3) - changed metadata of an Informational BIOCs
Browser downloads an .hta or .application file (ea25a4a1-5678-4674-b382-1a195e5dd25c) - changed metadata of an Informational BIOCs
Microsoft HTML Application Host spawns from Explorer.exe (b4f5a743-ebc9-4e2e-89aa-fa2505a47eae) - changed metadata of an Informational BIOCs
Decreased the severity to Informational for 2 Analytics BIOCs:
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - decreased the severity to Informational, and improved detection logic
Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - decreased the severity to Informational, and improved detection logic
Added 4 new Informational Analytics BIOCs:
A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - added a new Informational alert
Suspicious docker image download from an unusual repository (a4c3a156-5201-40e4-96fa-772ccbc3473d) - added a new Informational alert
Creation or modification of the default command executed when opening an application (cd392d6e-e448-46d6-8af3-d2e8a6d79e71) - added a new Informational alert
Uncommon network tunnel creation (1be56e08-4817-4d49-852b-ec8affabf652) - added a new Informational alert
Improved logic of 2 Informational Analytics BIOCs:
An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Changed metadata of 2 Informational Analytics BIOCs:
Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - changed metadata of an Informational Analytics BIOCs
Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - changed metadata of an Informational Analytics BIOCs
Improved logic of 2 Informational Analytics Alerts:
Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
Changed metadata of an Informational Analytics Alert:
Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - changed metadata of an Informational Analytics Alert
August 21 2022 Release:
Added a new Medium Analytics BIOC:
Suspicious heavy allocation of compute resources - possible mining activity (62d96b58-14ef-4dc1-9624-bcbd5bae493d) - added a new Medium alert
Increased the severity to Low for 3 BIOCs:
Port Monitor added in Registry (bc1df7df-f4a0-4470-bfbd-e042fc8cfe0a) - increased the severity to Low
Print Processor Registration (d218018c-3fe1-43c3-816b-331dfb914401) - increased the severity to Low
Active Setup Registry Autostart (6dedf6eb-38a0-467b-858c-cacef3ddb3bb) - increased the severity to Low
Improved logic of a Low BIOC:
Internet Explorer home page modification (e4cf6b6e-70cc-4b02-a82d-148e10c36f76) - improved logic of a Low BIOC
Added a new Low Analytics BIOC:
Uncommon SSH session was established (18f84dd7-efb7-4d73-b556-1a5bfb377a81) - added a new Low alert
Improved logic of a Low Analytics BIOC:
Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOC
Improved logic of a Low Analytics Alert:
Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alert
Improved logic of an Informational BIOC:
Shell history access (735fd839-4959-4e5d-9207-fdf517b977a1) - improved logic of an Informational BIOC
Removed an old Informational BIOC:
Time provider Registration (76d43800-76bb-459e-ad10-3e8b85e12a2f) - removed an old Informational alert
Decreased the severity to Informational for an Analytics BIOC:
Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - decreased the severity to Informational, and improved detection logic
Improved logic of an Informational Analytics Alert:
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alert
August 14 2022 Release:
Improved logic of 19 High Analytics BIOCs:
A Successful VPN connection from TOR (0bfb014f-dfc2-444f-b66b-cab9a5f3477c) - improved logic of a High Analytics BIOCs
Memory dumping with comsvcs.dll (4c720885-7c14-4e18-94aa-c8e5a03edac8) - improved logic of a High Analytics BIOCs
Process execution with a suspicious command line indicative of the Spring4Shell exploit (0fc034a9-36ce-432f-bddb-1cfda20be004) - improved logic of a High Analytics BIOCs
Possible DCShadow attempt (a320aa30-20c3-11ea-b525-8c8590c9ccd1) - improved logic of a High Analytics BIOCs
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - improved logic of a High Analytics BIOCs
Remote service command execution from an uncommon source (0adf28e0-092b-4e19-abbb-262ad270736a) - improved logic of a High Analytics BIOCs
Netcat makes or gets connections (15d32561-c499-4772-8934-883fcd1cd75f) - improved logic of a High Analytics BIOCs
Bronze-Bit exploit (115c6f43-ebb2-48d8-9044-9b52c0102e2f) - improved logic of a High Analytics BIOCs
Suspicious usage of File Server Remote VSS Protocol (FSRVP) (9f82d067-25e8-49da-bae3-62e7f9074943) - improved logic of a High Analytics BIOCs
Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs
A Successful login from TOR (ec9124e2-f2c3-4141-bdfa-4c707dfae296) - improved logic of a High Analytics BIOCs
Wbadmin deleted files in quiet mode (293c8cc3-d9c3-4293-bddc-5dbf65d979fc) - improved logic of a High Analytics BIOCs
PowerShell used to remove mailbox export request logs (2daec22b-6339-4217-afdc-ffaf60faa4c2) - improved logic of a High Analytics BIOCs
A successful SSO sign-in from TOR (f5382b13-4edd-4ecd-9246-a08db5a45fe6) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Suspicious dump of ntds.dit using Shadow Copy with ntdsutil/vssadmin (e7deceda-807e-4e2e-993b-e577804c5d8f) - improved logic of a High Analytics BIOCs
Editing ld.so.preload for persistence and injection (135b986b-033a-2cc5-8800-4da034c291fc) - improved logic of a High Analytics BIOCs
Uncommon remote scheduled task creation (85516bae-e953-11e9-bbed-8c8590c9ccd1) - improved logic of a High Analytics BIOCs
Improved logic of 2 High Analytics Alerts:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alerts
Possible brute force or configuration change attempt on cytool (8e7961f4-82f3-4265-8a37-55eda26ac6ae) - improved logic of a High Analytics Alerts
Improved logic of 83 Medium Analytics BIOCs:
Recurring rare domain access from an unsigned process (7610373e-08d5-460a-bd9e-e79d1200230f) - improved logic of a Medium Analytics BIOCs
PowerShell runs suspicious base64-encoded commands (867fc0b0-4f9f-4d3b-b538-0b32266e2ab2) - improved logic of a Medium Analytics BIOCs
Uncommon PowerShell commands used to create or alter scheduled task parameters (a31e1c5b-f931-412b-b7ae-1932df342614) - improved logic of a Medium Analytics BIOCs
Possible RDP session hijacking using tscon.exe (015570a8-ffce-492b-99a9-e7b83dc8e216) - improved logic of a Medium Analytics BIOCs
A contained executable was executed by unusual process (d8c11b55-29b4-44b2-9e47-fd6c4cda4d7b) - improved logic of a Medium Analytics BIOCs
A contained executable from a mounted share initiated a suspicious outbound network connection (423a9cc9-735f-48cd-8fb5-6e4aeecd5d6d) - improved logic of a Medium Analytics BIOCs
Unicode RTL Override Character (525e3dd7-4ca6-11ea-8161-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Remote WMI process execution (65c55916-23c3-4d1e-9e3d-e839c9c4b70f) - improved logic of a Medium Analytics BIOCs
PowerShell suspicious flags (4ce1b559-45b8-11ea-81bb-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Uncommon jsp file write by a Java process (acaa34fd-b2b8-4218-aab0-b8d717e9dcc5) - improved logic of a Medium Analytics BIOCs
Possible Persistence via group policy Registry keys (3b3741b6-1993-0e75-6c33-51152991fa0a) - improved logic of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Suspicious disablement of the Windows Firewall using PowerShell commands (cb8b6ba0-12cc-4c64-81f5-75da949bea0b) - improved logic of a Medium Analytics BIOCs
Possible malicious .NET compilation started by a commonly abused process (63627c16-7c3e-9538-f662-8f25568995f5) - improved logic of a Medium Analytics BIOCs
A machine certificate was issued with a mismatch (8cea4dd9-d9da-4af9-a5a5-b2230064e18b) - improved logic of a Medium Analytics BIOCs
TGT request with a spoofed sAMAccountName - Event log (aa13b505-66e8-11ec-b385-faffc26aac4a) - improved logic of a Medium Analytics BIOCs
Non-browser access to a pastebin-like site (c3036d85-d047-4ef9-9362-5a6cc3045758) - improved logic of a Medium Analytics BIOCs
Phantom DLL Loading (69ba5103-2954-4175-87b7-3a622ec07255) - improved logic of a Medium Analytics BIOCs
Possible Microsoft module side-loading into Microsoft process (d0a0b07d-3b72-41fc-b5aa-627cf23b4414) - improved logic of a Medium Analytics BIOCs
Discovery of misconfigured certificate templates using LDAP (7dbb9366-8b94-4a9f-bc18-f02fbe7b1433) - improved logic of a Medium Analytics BIOCs
SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
The CA policy EditFlags was queried (3c01fdf3-0cf3-49b6-b08f-b40df3c2e498) - improved logic of a Medium Analytics BIOCs
Modification of NTLM restrictions in the Registry (bba1f627-d154-4980-f752-b17096cd73a2) - improved logic of a Medium Analytics BIOCs
Service ticket request with a spoofed sAMAccountName (633ca673-5d09-11ec-b013-faffc26aac4a) - improved logic of a Medium Analytics BIOCs
TGT request with a spoofed sAMAccountName - Network (92c20cd9-60e8-11ec-80b1-acde48001122) - improved logic of a Medium Analytics BIOCs
Suspicious .NET process loads an MSBuild DLL (bb0e8ceb-94e4-888c-92a1-bc9c1b8c481c) - improved logic of a Medium Analytics BIOCs
Suspicious execution of ODBCConf (4bebfd54-6c21-b4bd-f30e-070f48ae8949) - improved logic of a Medium Analytics BIOCs
Suspicious authentication package registered (8beb68b4-a866-494d-a768-c4c391086c66) - improved logic of a Medium Analytics BIOCs
Indirect command execution using the Program Compatibility Assistant (324416dd-01a2-1fa3-f3f7-5757895e9926) - improved logic of a Medium Analytics BIOCs
PowerShell used to export mailbox contents (70b08c1e-ccfd-4ab9-bb92-66acaa83aa3a) - improved logic of a Medium Analytics BIOCs
Recurring rare domain access to dynamic DNS domain (00977673-b3ad-11ea-9508-acde48001122) - improved logic of a Medium Analytics BIOCs
Windows Installer exploitation for local privilege escalation (d6aeb50b-c3f9-4eb3-9504-636eb17f3a42) - improved logic of a Medium Analytics BIOCs
Interactive at.exe privilege escalation method (86c25db2-acaa-6673-a7d4-20aef374f0d1) - improved logic of a Medium Analytics BIOCs
Reverse SSH tunnel to external domain/ip (0098b910-5056-4ce9-988a-983dd0071c5a) - improved logic of a Medium Analytics BIOCs
Mshta.exe launched with suspicious arguments (0b174006-3946-43b6-af3c-ab400e6c7a87) - improved logic of a Medium Analytics BIOCs
Procdump executed from an atypical directory (7b947703-063a-7f35-0980-b57cfb0eada1) - improved logic of a Medium Analytics BIOCs
Suspicious print processor registered (cf14910d-0c56-48c7-97f2-903f3387ad6b) - improved logic of a Medium Analytics BIOCs
Executable created to disk by lsass.exe (b2f18102-e247-4986-8681-029741ebbfd5) - improved logic of a Medium Analytics BIOCs
Possible AWS Instance Metadata Service (IMDS) Abuse (39ea8f0c-d0d7-4470-b373-aa144394e579) - improved logic of a Medium Analytics BIOCs
A TCP stream was created directly in a shell (8a7a460a-420a-a42c-d8af-af5250f280ff) - improved logic of a Medium Analytics BIOCs
Script file added to startup-related Registry keys (9dee6c7b-1df0-4eb2-9db2-035f70e7c9d7) - improved logic of a Medium Analytics BIOCs
Office process creates a scheduled task via file access (f55359ad-1258-7ffe-1d97-ae01077dd8e1) - improved logic of a Medium Analytics BIOCs
Vulnerable driver loaded (1cc145f5-f667-4ca3-a722-79a29ed23caf) - improved logic of a Medium Analytics BIOCs
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs
Microsoft Office Process Spawning a Suspicious One-Liner (aca7aaa1-4361-11ea-8fed-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
Scrcons.exe Rare Child Process (f62553d1-e952-11e9-81c4-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Possible Search For Password Files (388d1fcc-4d9c-11ea-9daa-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Suspicious hidden user created (eeb7b678-3c9b-11ec-879d-acde48001122) - improved logic of a Medium Analytics BIOCs
Uncommon Service Create/Config (4814ee91-468d-11ea-a78c-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Suspicious SearchProtocolHost.exe parent process (86d04512-5c96-4f87-be1e-dc600e9d60f8) - improved logic of a Medium Analytics BIOCs
Suspicious PowerSploit's recon module (PowerView) net function was executed (bd95656f-6ba3-4c9d-ac06-8b0a957cf67f) - improved logic of a Medium Analytics BIOCs
Encoded information using Windows certificate management tool (33d390e1-2091-4a70-0dde-99fe29540b38) - improved logic of a Medium Analytics BIOCs
Rundll32.exe running with no command-line arguments (1fec6f01-b5de-935b-58e0-c124f2de6101) - improved logic of a Medium Analytics BIOCs
Possible new DHCP server (e5afa116-5041-4ed9-9d0c-18eaac133173) - improved logic of a Medium Analytics BIOCs
Fodhelper.exe UAC bypass (780d896e-19db-4c9d-ee3b-e496f745ee64) - improved logic of a Medium Analytics BIOCs
Suspicious certutil command line (eb9c9e41-072d-9975-fba3-d17a1cb39b49) - improved logic of a Medium Analytics BIOCs
Office process spawned with suspicious command-line arguments (b6d85e95-f65e-dbcc-9c9b-eb2f47593f8e) - improved logic of a Medium Analytics BIOCs
Manipulation of netsh helper DLLs Registry keys (02bf3838-23d9-4a6b-a4c9-7b6691663249) - improved logic of a Medium Analytics BIOCs
LDAP search query from an unpopular and unsigned process (64472a41-9670-4626-8926-98b713328ddf) - improved logic of a Medium Analytics BIOCs
Suspicious Udev driver rule execution manipulation (74805905-0d62-454d-90dc-2deeeb51e549) - improved logic of a Medium Analytics BIOCs
Suspicious time provider registered (2055b591-73b7-4a69-8c88-a6d8649d1e7b) - improved logic of a Medium Analytics BIOCs
A remote service was created via RPC over SMB (f33c6ecc-cb20-4f2a-8bf8-869d21f18b0e) - improved logic of a Medium Analytics BIOCs
Possible Microsoft process masquerading (e0a99ea0-977d-4646-b9d9-26e9e7a4341c) - improved logic of a Medium Analytics BIOCs
Rundll32.exe spawns conhost.exe (c91811ac-2fa7-af90-1d55-bc786fee62a6) - improved logic of a Medium Analytics BIOCs
Commonly abused AutoIT script connects to an external domain (5ce79fc6-a5d3-43d1-a9ff-d8c779958cc9) - improved logic of a Medium Analytics BIOCs
Possible network connection to a TOR relay server (a3e0fd91-11e5-34b8-92b3-a2bed507878a) - improved logic of a Medium Analytics BIOCs
Suspicious Encrypting File System Remote call (EFSRPC) to domain controller (82a37634-c112-4dd9-8c16-332855d96c30) - improved logic of a Medium Analytics BIOCs
Mailbox Client Access Setting (CAS) changed (d44c2188-9769-497d-a509-b980e9420f33) - improved logic of a Medium Analytics BIOCs
RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Bitsadmin.exe persistence using command-line callback (96e5bf6b-3ed4-42f2-b824-6cdb16a31608) - improved logic of a Medium Analytics BIOCs
Execution of the Hydra Linux password brute-force tool (90010a1e-59b9-42a2-b768-2778a666f7a3) - improved logic of a Medium Analytics BIOCs
Suspicious Process Spawned by wininit.exe (9e4ba29f-8771-4f7b-acc4-562c91740934) - improved logic of a Medium Analytics BIOCs
Possible compromised machine account (853bb923-e53d-492c-8258-393d8f036431) - improved logic of a Medium Analytics BIOCs
Executable moved to Windows system folder (bab3ed69-9e51-2000-c383-34103b1fb8fd) - improved logic of a Medium Analytics BIOCs
Suspicious disablement of the Windows Firewall (7c28b163-4d2f-463c-97ba-5b3e7f13249b) - improved logic of a Medium Analytics BIOCs
Uncommon SetWindowsHookEx API invocation of a possible keylogger (09cf18c8-e607-44f4-bb06-1dfde6163839) - improved logic of a Medium Analytics BIOCs
LSASS dump file written to disk (dd78e167-1c96-de84-d476-d48cba3370cd) - improved logic of a Medium Analytics BIOCs
Non-browser failed access to a pastebin-like site (be47eb8c-3407-46d6-ad35-2961f3f669b0) - improved logic of a Medium Analytics BIOCs
Machine account was added to a domain admins group (3c3c9d51-56c1-11ec-8706-acde48001122) - improved logic of a Medium Analytics BIOCs
Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts (dd806bdc-9025-47ff-816a-72ee47c322a3) - improved logic of a Medium Analytics BIOCs
Autorun.inf created in root C drive (cee2bedd-66d1-84d6-fd43-652725459a71) - improved logic of a Medium Analytics BIOCs
Removed an old Medium Analytics BIOC:
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - removed an old Medium alert
Improved logic of 12 Medium Analytics Alerts:
A contained process attempted to escape using notify on release feature (7205a3a5-6c0e-4caf-95f1-c4444ec75b26) - improved logic of a Medium Analytics Alerts
An internal Cloud resource performed port scan on external networks (7e7af0ac-0eac-44e2-8d0f-ea94831bb0df) - improved logic of a Medium Analytics Alerts
Random-Looking Domain Names (ce6ae037-aaf9-45fb-a22e-e0a3b5d4f25a) - improved logic of a Medium Analytics Alerts
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alerts
New Administrative Behavior (5025fa6b-f06d-43e4-ba1b-d3eae3f1725f) - improved logic of a Medium Analytics Alerts
A new machine attempted Kerberos delegation (0f9a92bd-916c-40ad-80a9-58c2adaaa946) - improved logic of a Medium Analytics Alerts
Remote account enumeration (7ee73b65-466e-4d4d-b2a6-0058f11b442d) - improved logic of a Medium Analytics Alerts
Sudoedit Brute force attempt (e1d6cdd8-845f-440b-b89e-a430eafea941) - improved logic of a Medium Analytics Alerts
Kerberos Pre-Auth Failures by Host (eab7815c-27c1-11ea-9f3f-8c8590c9ccd1) - improved logic of a Medium Analytics Alerts
Kerberos User Enumeration (a371b533-c9f4-11eb-879e-acde48001122) - improved logic of a Medium Analytics Alerts
DNS Tunneling (61a5263c-e7cf-45b5-ac89-f7bb6edf93ac) - improved logic of a Medium Analytics Alerts
NTLM Hash Harvesting (3cc30c5c-2d73-11eb-a32a-acde48001122) - improved logic of a Medium Analytics Alerts
Added a new Low Analytics BIOC:
Abnormal network communication through TOR using an uncommon port (33e11128-c9c5-4cf6-a640-a664c2f504b7) - added a new Low alert
Improved logic of 129 Low Analytics BIOCs:
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Low Analytics BIOCs
Interactive login by a service account (603bfd03-d88b-4a3e-844b-5286b6971960) - improved logic of a Low Analytics BIOCs
First SSO access from ASN in organization (324399e5-67d2-48db-99b1-03cb29374e13) - improved logic of a Low Analytics BIOCs
Possible network sniffing attempt via tcpdump or tshark (10d3d8d1-1edd-4992-beb3-53d4f5afcde8) - improved logic of a Low Analytics BIOCs
Possible network service discovery via command-line tool (e2e77dfb-d869-405e-ab1f-2a2477c931cc) - improved logic of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
Possible Pass-the-Hash (ee4dad7a-348c-11eb-b388-acde48001122) - improved logic of a Low Analytics BIOCs
Unusual AWS credentials creation (e13d7877-3308-4f35-9fb8-6ee466b69080) - improved logic of a Low Analytics BIOCs
Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
A disabled user attempted to log in to a VPN (2a092ebe-ed9a-4eaa-bdcc-4b378c4ce4d7) - improved logic of a Low Analytics BIOCs
Uncommon remote service start via sc.exe (85cdb57d-e953-11e9-859b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Uncommon Security Support Provider (SSP) registered via a registry key (3d1283d0-409c-4d95-8995-dcc7b1ab23e1) - improved logic of a Low Analytics BIOCs
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
A computer account was promoted to DC (87de9d8c-7d52-11ec-b568-acde48001122) - improved logic of a Low Analytics BIOCs
SSO authentication by a machine account (45d7792a-46fc-4279-b363-56a9e56ecc35) - improved logic of a Low Analytics BIOCs
Keylogging using system commands (5456f17e-c97f-4484-893a-035d728efc81) - improved logic of a Low Analytics BIOCs
WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Suspicious systemd timer activity (6aa321b8-0f2e-4182-b36b-aa3ba7944f25) - improved logic of a Low Analytics BIOCs
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs
Microsoft Office process spawns a commonly abused process (e15a97e1-466c-11ea-90c6-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
Remote service start from an uncommon source (972072a7-9f23-4354-824d-7295de90e804) - improved logic of a Low Analytics BIOCs
Suspicious process executed with a high integrity level (81e70ab2-b1f1-4a1c-bf94-3929f6d7e1b2) - improved logic of a Low Analytics BIOCs
Remote DCOM command execution (e5e3c27a-a0c5-49b7-8143-5012d1180d2c) - improved logic of a Low Analytics BIOCs
Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOCs
Suspicious DotNet log file created (064eebce-02fb-08e7-df1f-66ee933eefab) - improved logic of a Low Analytics BIOCs
Certutil pfx parsing (3719af79-bdde-4c84-9277-cbf41c86cd39) - improved logic of a Low Analytics BIOCs
Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
A user created an abnormal password-protected archive (a2632ea1-ca21-4b5f-8aee-f26044b1b8ed) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
A suspicious process enrolled for a certificate (4cbef8f8-ec99-40d1-9b8b-bfbd3cda5f4b) - improved logic of a Low Analytics BIOCs
Image File Execution Options Registry key injection by unsigned process (4588be44-8912-41c5-9a7d-6921691140db) - improved logic of a Low Analytics BIOCs
Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet (c640fd86-9c58-4fe2-82ed-c3975866393a) - improved logic of a Low Analytics BIOCs
Suspicious failed HTTP request - potential Spring4Shell exploit (1028c23d-f8f0-4adb-9e12-bffce9104359) - improved logic of a Low Analytics BIOCs
Unsigned process injecting into a Windows system binary with no command line (1d8789e7-6629-4549-7064-d384adc339bc) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Suspicious process accessed certificate files (21df20db-09cb-4bc4-b7ea-c6b1cb2e9667) - improved logic of a Low Analytics BIOCs
Suspicious PowerShell Command Line (d2aa3dde-4d73-11ea-923a-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
Kubectl administration command execution (8d013538-6e98-48ed-a018-fcf19866f367) - improved logic of a Low Analytics BIOCs
VPN login by a service account (5430df85-d0ff-4b41-8683-6ad6bed1b657) - improved logic of a Low Analytics BIOCs
Suspicious process loads a known PowerShell module (23ac9a23-8a43-4900-95e1-6cdb422dd854) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
Uncommon IP Configuration Listing via ipconfig.exe (02501f5c-e953-11e9-954d-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Linux system firewall was disabled (d50eedfa-7888-47aa-b390-929ccab92d80) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
Suspicious process execution by scheduled task (56bc5f4c-e481-41de-81e4-ec618fb1f004) - improved logic of a Low Analytics BIOCs
Failed Login For Locked-Out Account (51767214-200f-11ea-acd2-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Windows Event Log was cleared using wevtutil.exe (be2210fb-9884-49e7-8078-6e59c35d925e) - improved logic of a Low Analytics BIOCs
Delayed Deletion of Files (9801a8bd-4695-11ea-bb20-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
New addition to Windows Defender exclusion list (97bd1ad3-df0f-459c-be72-88193ce7b667) - improved logic of a Low Analytics BIOCs
System information discovery via psinfo.exe (5347ae54-08ba-4cee-81a7-a26016928e27) - improved logic of a Low Analytics BIOCs
VPN login with a machine account (9818431a-c039-49eb-a93c-8731c7f48fec) - improved logic of a Low Analytics BIOCs
Rare SSH Session (85f62ab8-e953-11e9-beca-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Suspicious access to shadow file (e4b279f9-3e47-4906-a9d3-4b2a7550da04) - improved logic of a Low Analytics BIOCs
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
Setuid and Setgid file bit manipulation (86c8f625-febe-42d3-8682-9ef405985379) - improved logic of a Low Analytics BIOCs
Uncommon ARP cache listing via arp.exe (85a9b5a1-e953-11e9-939b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
An uncommon kubectl secret enumeration command was executed (d1d4f8ff-68d2-4c04-91ff-2a518ff60319) - improved logic of a Low Analytics BIOCs
Windows event logs were cleared with PowerShell (9730c9bb-7107-42e5-8d2c-746b89086856) - improved logic of a Low Analytics BIOCs
Suspicious sshpass command execution (4b8f54e1-60ef-4e8f-b8a3-d53564b02cd9) - improved logic of a Low Analytics BIOCs
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs
Wscript/Cscript loads .NET DLLs (5844326f-d597-410f-aea0-7d369029b218) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
SPNs cleared from a machine account (973d9ec2-5dce-11ec-8dbf-acde48001122) - improved logic of a Low Analytics BIOCs
SUID/GUID permission discovery (3f90bf2c-05bb-4916-8e70-3fe7a81ea23d) - improved logic of a Low Analytics BIOCs
Suspicious data encryption (30df8779-1e1e-4c5a-a9de-40cb94d837e7) - improved logic of a Low Analytics BIOCs
Suspicious runonce.exe parent process (b72692c3-9579-4547-b657-43dc4e6be816) - improved logic of a Low Analytics BIOCs
Unusual compressed file password protection (72b20348-2bee-4c54-bb17-65c0b611747f) - improved logic of a Low Analytics BIOCs
Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs
Suspicious RunOnce Parent Process (565f0500-ad74-11ea-abe7-acde48001122) - improved logic of a Low Analytics BIOCs
Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs
Suspicious PowerShell Enumeration of Running Processes (9ed9d8ee-6dbb-11ea-a5d9-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
Extracting credentials from Unix files (3eac1dcb-2aec-45e4-b44a-3f982d8979e1) - improved logic of a Low Analytics BIOCs
Suspicious container orchestration job (f358cda9-491e-4be6-af2a-6a5361ae23f9) - improved logic of a Low Analytics BIOCs
A compiled HTML help file wrote a script file to the disk (6f2817a6-f6b4-4ff5-b03e-ed488e60cd8a) - improved logic of a Low Analytics BIOCs
Suspicious process modified RC script file (711175b0-03ac-469b-ae5a-2ffb727816b2) - improved logic of a Low Analytics BIOCs
SSO authentication by a service account (ebc09251-2c1d-4cfd-b8fe-eff7940f746b) - improved logic of a Low Analytics BIOCs
PowerShell Initiates a Network Connection to GitHub (8b34f70a-b84d-4d98-aa19-7ee88037e467) - improved logic of a Low Analytics BIOCs
Failed Login For a Long Username With Special Characters (de8eb00f-2016-11ea-8f2b-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs
Rare communication over email ports to external email server by unsigned process (7b424216-fe61-4589-bcee-67e9e7b267be) - improved logic of a Low Analytics BIOCs
Unusual AWS user added to group (dcfca104-1393-4efb-8081-a582925be678) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Microsoft Office adds a value to autostart Registry key (32e4eb1d-659c-317b-42a7-910db9f2f3b7) - improved logic of a Low Analytics BIOCs
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs
Screensaver process executed from Users or temporary folder (463d34d4-d448-40f2-8093-6ce58cf2bdbb) - improved logic of a Low Analytics BIOCs
Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs
Rare security product signed executable executed in the network (f9e9ff14-df6e-4ed4-a15d-326bd444199b) - improved logic of a Low Analytics BIOCs
Suspicious sAMAccountName change (3a44e454-61ab-11ec-a8b5-acde48001122) - improved logic of a Low Analytics BIOCs
Reading bash command history file (e5dcfbcd-7c34-69a7-be3b-3ff9893435d7) - improved logic of a Low Analytics BIOCs
Installation of a new System-V service (b99df31c-bebf-47e6-8f72-1c733751823d) - improved logic of a Low Analytics BIOCs
Suspicious AMSI decode attempt (f3885db4-6be6-40b9-82c1-9858f97a4229) - improved logic of a Low Analytics BIOCs
Suspicious Certutil AD CS contact (06545c74-04c2-4964-9af5-eb99080c274e) - improved logic of a Low Analytics BIOCs
SecureBoot was disabled (e8a6caaf-89c1-4e19-8e27-1ced582293e0) - improved logic of a Low Analytics BIOCs
A disabled user successfully authenticated via SSO (e1b350c1-9081-4c1c-b92c-ac608d9c12d5) - improved logic of a Low Analytics BIOCs
Unusual process accessed the PowerShell history file (c5e0c7e3-5e55-11eb-9453-acde48001122) - improved logic of a Low Analytics BIOCs
Cached credentials discovery with cmdkey (18087540-1443-11ea-a73b-88e9fe502c1f) - improved logic of a Low Analytics BIOCs
Suspicious LDAP search query executed (95ffd373-d208-4fae-8d1e-adfeca7b9fb5) - improved logic of a Low Analytics BIOCs
Possible Kerberos relay attack (5d950b94-729a-4fd3-bcbe-a9fefa922d30) - improved logic of a Low Analytics BIOCs
Masquerading as Linux crond process (5823c47a-35fc-49c6-a602-a0b81ec342bc) - improved logic of a Low Analytics BIOCs
Change of sudo caching configuration (8aebc46d-4ec7-4705-b499-324f5821a85e) - improved logic of a Low Analytics BIOCs
Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
Rare Unsigned Process Spawned by Office Process Under Suspicious Directory (dff03970-bf7a-11ea-86c7-acde48001122) - improved logic of a Low Analytics BIOCs
Attempt to execute a command on a remote host using PsExec.exe (ddf3b8d9-53e0-8410-c76a-d2e6b5203438) - improved logic of a Low Analytics BIOCs
Uncommon local scheduled task creation via schtasks.exe (8581c273-e953-11e9-b670-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Possible code downloading from a remote host by Regsvr32 (1f358bb5-aede-3ff6-40e4-50edd570d9e3) - improved logic of a Low Analytics BIOCs
A WMI subscriber was created (5a1964f8-87a0-49d6-bbf2-2c1a5a5eb3e1) - improved logic of a Low Analytics BIOCs
Command running with COMSPEC in the command line argument (2feeb01f-0a81-476a-8ec0-d49fd2bf807b) - improved logic of a Low Analytics BIOCs
Linux system firewall was modified (fac86d1c-01ac-4620-bcee-8330df48ad25) - improved logic of a Low Analytics BIOCs
User successfully connected from a suspicious country (2f0796a2-c33c-4437-b592-ac13f0929e7d) - improved logic of a Low Analytics BIOCs
Wsmprovhost.exe Rare Child Process (f5b580fd-e952-11e9-91de-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
An uncommon service was started (4f9dff40-917e-4bde-be77-b42a4e05cac7) - improved logic of a Low Analytics BIOCs
Suspicious SSO access from ASN (03087ece-306f-47b4-941b-875e178f9270) - improved logic of a Low Analytics BIOCs
Conhost.exe spawned a suspicious child process (a3e8022a-979a-5a80-8c5f-a90c80dfe19d) - improved logic of a Low Analytics BIOCs
Uncommon user management via net.exe (f78dfe5e-e952-11e9-b300-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Uncommon GetClipboardData API function invocation of a possible information stealer (086617b1-eaea-4b50-9712-318faeb71c10) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
Contained process execution with a rare GitHub URL (eadd0b5c-94bb-4582-8115-765e48e19353) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
Uncommon routing table listing via route.exe (758e8ed7-e953-11e9-b4ee-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
Elevation to SYSTEM via services (a1962f05-c1da-4765-8e4a-59729c70dde0) - improved logic of a Low Analytics BIOCs
Sensitive browser credential files accessed by a rare non browser process (8743168f-360d-4274-ae06-33f397417247) - improved logic of a Low Analytics BIOCs
Unsigned process creates a scheduled task via file access (f07fd364-9b51-48ec-8225-32ae98a8ffe5) - improved logic of a Low Analytics BIOCs
MpCmdRun.exe was used to download files into the system (bae10b1e-5850-452a-9623-d86e959d34d4) - improved logic of a Low Analytics BIOCs
Improved logic of 34 Low Analytics Alerts:
Impossible traveler - SSO (4f3fff54-e970-4f54-ba86-fd18f94ef559) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - improved logic of a Low Analytics Alerts
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts
Large Upload (Generic) (03bb2cd4-a667-11ea-9d88-820e27035801) - improved logic of a Low Analytics Alerts
NTLM Brute Force on an Administrator Account (aed1e32e-8df0-48d7-8e78-4ebcb6e09a94) - improved logic of a Low Analytics Alerts
Failed DNS (74c65024-df5c-41f4-ae9f-3a80746826e9) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
NTLM Brute Force on a Service Account (33b7f308-fb95-4d9c-afc3-a5ca9c7ab50d) - improved logic of a Low Analytics Alerts
NTLM Relay (620c6d61-39f7-11eb-b979-acde48001122) - improved logic of a Low Analytics Alerts
Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
Impossible traveler - VPN (6acd5f71-0f52-41b7-b996-67f3c800a2b9) - improved logic of a Low Analytics Alerts
Outlook files accessed by an unsigned process (ef33bda6-d0c5-48ef-95a6-e80c0f19df79) - improved logic of a Low Analytics Alerts
Multiple suspicious user accounts were created (b60687dc-f312-11eb-9f0a-faffc26aac4a) - improved logic of a Low Analytics Alerts
Suspicious reconnaissance using LDAP (72a78521-6907-40c0-90da-5c1a733a8ed6) - improved logic of a Low Analytics Alerts
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts
New Shared User Account (0d29cc9c-cdc3-11eb-afcb-acde48001122) - improved logic of a Low Analytics Alerts
Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
Kerberos Pre-Auth Failures by User and Host (7d1dadeb-27e6-11ea-8ecc-8c8590c9ccd1) - improved logic of a Low Analytics Alerts
VPN login Brute-Force attempt (7a69443f-48af-4c3b-8c18-b448e403561c) - improved logic of a Low Analytics Alerts
A user connected a new USB storage device to multiple hosts (09214199-d414-486e-bcf5-dc5034b2c424) - improved logic of a Low Analytics Alerts
Large Upload (SMTP) (c4918b11-9dc3-11ea-bebb-88e9fe502c1f) - improved logic of a Low Analytics Alerts
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts
Large Upload (HTTPS) (81bfe385-c6a1-11ea-be5e-acde48001122) - improved logic of a Low Analytics Alerts
Interactive local account enumeration (d4608074-aafc-49cc-aa04-292c0a87332e) - improved logic of a Low Analytics Alerts
Multiple Weakly-Encrypted Kerberos Tickets Received (eb1ad81a-7341-4584-9aff-f21757d05799) - improved logic of a Low Analytics Alerts
TGT reuse from different hosts (pass the ticket) (a3ae81d9-6d4a-45a8-a720-df7380d2afc8) - improved logic of a Low Analytics Alerts
Account probing (aab71996-63ac-4760-bb97-51d8ba196365) - improved logic of a Low Analytics Alerts
Login Password Spray (3e879bb8-6412-11eb-9fa5-acde48001122) - improved logic of a Low Analytics Alerts
Excessive user account lockouts (ed56d140-47ce-11ec-a9b1-faffc26aac4a) - improved logic of a Low Analytics Alerts
Failed Connections (928397bd-f372-4dee-9ff4-ae2d62da1921) - improved logic of a Low Analytics Alerts
Large Upload (FTP) (c2941b82-b9fb-11ea-aaa5-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Spam Bot Traffic (7a460bde-9a95-11ea-9661-88e9fe502c1f) - improved logic of a Low Analytics Alerts
Improved logic of 180 Informational Analytics BIOCs:
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
System shutdown or reboot (3edad9ba-d804-4fd8-b8e6-7f353598d69e) - improved logic of an Informational Analytics BIOCs
User attempted to connect from a suspicious country (27468461-e398-415c-9174-bdb33f17edda) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs
Possible binary padding using dd (1a72139a-c453-4c91-839f-845561474775) - improved logic of an Informational Analytics BIOCs
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs
Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of an Informational Analytics BIOCs
Uncommon Managed Object Format (MOF) compiler usage (d8069d23-e953-11e9-bb13-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
Possible Email collection using Outlook RPC (d79e5210-e386-4bb6-aff9-c33afb3ba9d6) - improved logic of an Informational Analytics BIOCs
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs
First VPN access attempt from a country in organization (e143bc60-67d0-45e8-b0cb-682ecf82a04d) - improved logic of an Informational Analytics BIOCs
VM Detection attempt (579c1479-a14e-4366-ab09-6bfefe0dc7f7) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Rare SMTP/S Session (4a634ad4-e954-11e9-b86b-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
Interactive login from a shared user account (caf8236b-b276-11eb-b927-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs
Suspicious active setup registered (8c293cef-3d98-492d-be14-7bff66877bc7) - improved logic of an Informational Analytics BIOCs
Modification of PAM (9aa924bd-64e8-4077-af6e-2dd5ef8e8b0d) - improved logic of an Informational Analytics BIOCs
Service execution via sc.exe (d25d07fa-015c-47a6-a6a0-15ff46020cc5) - improved logic of an Informational Analytics BIOCs
Rare Unix process divide files by size (64384c5f-40dd-4d5f-aa31-06907b60176d) - improved logic of an Informational Analytics BIOCs
Adding execution privileges (c37112ff-5c49-45cc-b199-5a8d3b49b48c) - improved logic of an Informational Analytics BIOCs
SSO with abnormal operating system (c79df24b-b1f6-4be1-afa6-8fc8b978a8ed) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs
Microsoft Office injects code into a process (da155b88-6973-a1b8-9ccd-5fad9a1e3455) - improved logic of an Informational Analytics BIOCs
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs
LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs
First connection from a country in organization (9bb1be67-b2f7-4d43-8ec4-61d3039d32ea) - improved logic of an Informational Analytics BIOCs
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs
Permission Groups discovery commands (f7781c61-821c-4601-b5b2-bb2a8c7f8da5) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs
An unusual archive file creation by a user (eb510c2a-3446-4775-941e-0b0cb8f38526) - improved logic of an Informational Analytics BIOCs
Possible data obfuscation (aec61660-d52d-489a-813e-7cf2610f829e) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
A user connected a USB storage device for the first time (e3bc7997-3aec-4a0c-abc9-bdf744a34f39) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs
Rare process execution in organization (8d02294c-21bd-11eb-afd9-acde48001122) - improved logic of an Informational Analytics BIOCs
Commonly abused AutoIT script drops an executable file to disk (267a6168-f45b-4274-9c78-7519395f47d4) - improved logic of an Informational Analytics BIOCs
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs
SSO with abnormal user agent (88bf1554-d12d-4e23-b244-81e195916948) - improved logic of an Informational Analytics BIOCs
Hidden Attribute was added to a file using attrib.exe (5414fab8-c803-40c5-914a-a601b23acb5a) - improved logic of an Informational Analytics BIOCs
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs
A user account was modified to password never expires (a38d281e-4ad2-11ec-abe6-acde48001122) - improved logic of an Informational Analytics BIOCs
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs
Interactive login by a machine account (1114b340-fc05-4ad0-925d-6c2867d2b5d9) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
Ping to localhost from an uncommon, unsigned parent process (91d8831e-18ed-48b3-a316-f5091d647738) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
Uncommon kernel module load (86fdbf9c-bdc7-4f88-a201-70331bbdd7ff) - improved logic of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
A user connected to a VPN from a new country (e3ecf189-5b16-46df-abfe-c3fb2550c676) - improved logic of an Informational Analytics BIOCs
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs
A user added a Windows firewall rule (4d52f94d-2344-439b-a7a8-5adb7d37be90) - improved logic of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs
Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol (72931f2e-a43f-4e77-ad81-48c29164017f) - improved logic of an Informational Analytics BIOCs
Uncommon net localgroup execution (4adaa6ba-e954-11e9-b566-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs
A user created a pfx file for the first time (5ddac38b-51e2-48c4-9fb7-43144bc3a148) - improved logic of an Informational Analytics BIOCs
A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - improved logic of an Informational Analytics BIOCs
Administrator groups enumerated via LDAP (ab78c189-98f0-4646-b67b-0ce05576ddbf) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs
Sensitive account password reset attempt (d53de368-576a-11ec-9556-acde48001122) - improved logic of an Informational Analytics BIOCs
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs
A service was disabled (9d96de8e-036e-414d-baac-064aef4271bc) - improved logic of an Informational Analytics BIOCs
Indicator blocking (fad21a46-1b2c-4308-9b3b-46153e86cf07) - improved logic of an Informational Analytics BIOCs
VM Detection attempt on Linux (5280dff5-14cd-4cf6-a70f-91c33bb43ae9) - improved logic of an Informational Analytics BIOCs
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs
A browser was opened in private mode (9c499a04-883b-4cfe-9c1f-eb1be965a0cc) - improved logic of an Informational Analytics BIOCs
Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
File transfer from unusual IP using known tools (1329a84b-de85-4d33-9e8a-aa2e5e142530) - improved logic of an Informational Analytics BIOCs
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
PsExec was executed with a suspicious command line (a3a029c0-dbb8-10d2-9109-8cc458cf1e6e) - improved logic of an Informational Analytics BIOCs
A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs
Browser bookmark files accessed by a rare non-browser process (7c464967-346f-4017-a765-0ddbfd513cb7) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs
Rare NTLM Access By User To Host (05413bad-3d79-4e9a-9611-3471e3b25da5) - improved logic of an Informational Analytics BIOCs
Uncommon net group or localgroup execution (8525c63d-e953-11e9-9388-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs
Rare machine account creation (45d670c2-61d9-11ec-9f91-acde48001122) - improved logic of an Informational Analytics BIOCs
Rare WinRM Session (861cea23-e953-11e9-84ba-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs
Suspicious domain user account creation (49c01587-efa8-11eb-ab9a-acde48001122) - improved logic of an Informational Analytics BIOCs
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs
Rare NTLM Usage by User (41374948-45f3-448a-bec2-2efe049aa69f) - improved logic of an Informational Analytics BIOCs
First VPN access from ASN in organization (4f94ffc0-6f8c-411b-a0ca-e0fb65ee8a5b) - improved logic of an Informational Analytics BIOCs
WebDAV drive mounted from net.exe over HTTPS (233491ca-e954-11e9-90bd-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
Uncommon DotNet module load relationship (56f63574-0ba4-4ad3-bb5d-2f4219f80fbe) - improved logic of an Informational Analytics BIOCs
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs
Unusual weak authentication by user (438a1ba6-98e1-4b02-9c94-76c437fd682d) - improved logic of an Informational Analytics BIOCs
Suspicious proxy environment variable setting (63e4b643-8da3-4552-b693-bc6515d6ea4f) - improved logic of an Informational Analytics BIOCs
System profiling WMI query execution (cf32631b-369a-451d-91ca-d2bc5b903363) - improved logic of an Informational Analytics BIOCs
Remote command execution via wmic.exe (f42fdaa8-4685-11ea-94be-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
A user accessed an uncommon AppID (d9f7bb18-bf8b-4902-85cf-18a3e4ebad67) - improved logic of an Informational Analytics BIOCs
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs
VPN login by a dormant user (9f9d7576-b3c0-4c11-983e-71e250b03a6d) - improved logic of an Informational Analytics BIOCs
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
Discovery of host users via WMIC (6593c57d-14fe-11ea-9297-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs
A user connected from a new country (918f03bf-3c6d-455e-90ee-a571cae49cb5) - improved logic of an Informational Analytics BIOCs
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs
Uncommon RDP connection (239ae240-e954-11e9-9f0a-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
A user changed the Windows system time (12131d90-51dd-45cc-9c9f-ad84985b6cc6) - improved logic of an Informational Analytics BIOCs
LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
Command execution via wmiexec (797eba35-3ac8-4e84-8dc4-dbe804b9dee3) - improved logic of an Informational Analytics BIOCs
Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs
Rare signature signed executable executed in the network (c3ce1512-5a5b-4dca-8bd7-0d06845311ee) - improved logic of an Informational Analytics BIOCs
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs
Suspicious process execution from tmp folder (79d2fa50-a76e-443e-8e8b-da0bb57fa125) - improved logic of an Informational Analytics BIOCs
Registration of Uncommon .NET Services and/or Assemblies (df0fcd8c-637b-11ea-b635-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs
Copy a process memory file (12785e19-c4ec-499d-a0f6-c6ccad857d35) - improved logic of an Informational Analytics BIOCs
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs
Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs
Space after filename (a9b04a4a-a99b-4bb9-a386-5c72935ac5e5) - improved logic of an Informational Analytics BIOCs
A user was added to a Windows security group (4432b4bd-7d25-11ec-9553-acde48001122) - improved logic of an Informational Analytics BIOCs
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs
New process created via a WMI call (6d726469-71ac-4741-9b41-abd75259ff74) - improved logic of an Informational Analytics BIOCs
Rare process spawned by srvany.exe (95b2dea2-4531-4eb4-892e-bb6422293ac9) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs
User account delegation change (b6c63bd1-8506-11ec-b228-acde48001122) - improved logic of an Informational Analytics BIOCs
Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
A suspicious process queried AD CS objects via LDAP (69bfcbc2-04a1-400b-9516-14c987fedb05) - improved logic of an Informational Analytics BIOCs
Local account discovery (99206b5b-f52d-4850-95ab-0135cf3db645) - improved logic of an Informational Analytics BIOCs
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs
Suspicious User Login to Domain Controller (90c356a6-460a-11eb-a2b0-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
Possible use of a networking driver for network sniffing (335fb03a-3c85-4029-8033-ec575b3479ae) - improved logic of an Informational Analytics BIOCs
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs
Security tools detection attempt (502d0305-4670-49e3-b62b-2fab82bdda6e) - improved logic of an Informational Analytics BIOCs
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
First VPN access from ASN for user (a8a4d03b-d016-4e67-a497-c0388e08adc7) - improved logic of an Informational Analytics BIOCs
Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - improved logic of an Informational Analytics BIOCs
Python HTTP server started (b43d77ba-696e-48e6-87d1-64e229201c36) - improved logic of an Informational Analytics BIOCs
Suspicious curl user agent (14166076-1ee3-4d9b-954d-eaad065ca0c0) - improved logic of an Informational Analytics BIOCs
Abnormal process connection to default Meterpreter port (9de6cf91-007d-11ea-a77c-8c8590c9ccd1) - improved logic of an Informational Analytics BIOCs
SSO with new operating system (ec1fc790-a266-44e7-ba3f-3c17d282d241) - improved logic of an Informational Analytics BIOCs
Rare process execution by user (4cf96b80-2278-11eb-9f9a-acde48001122) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs
PowerShell pfx certificate extraction (1195bbe0-884c-4f4c-b1cf-4c8288cbeffc) - improved logic of an Informational Analytics BIOCs
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs
Login by a dormant user (0d700470-a3fa-4a78-b1fa-5c1e47db9a60) - improved logic of an Informational Analytics BIOCs
A user cleared their browser's history (8c76ebbd-13ce-4bb0-9f28-d964ea488670) - improved logic of an Informational Analytics BIOCs
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs
Run downloaded script using pipe (b4fbd149-ec4d-475a-8704-a8df5d5a6298) - improved logic of an Informational Analytics BIOCs
A compressed file was exfiltrated over SSH (22d00dc1-8df1-4ad5-90ce-07d3dcc41042) - improved logic of an Informational Analytics BIOCs
A user connected a new USB storage device to a host (43c2c43d-3c3c-4a16-b06c-3ad5de1fb3be) - improved logic of an Informational Analytics BIOCs
Suspicious External RDP Login (1d94db42-4371-4b62-8218-c5b338fe6e02) - improved logic of an Informational Analytics BIOCs
Removed an old Informational Analytics BIOC:
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - removed an old Informational alert
Added 3 new Informational Analytics Alerts:
A user accessed an abnormal number of files on a remote shared folder (4b4e9cd7-2c3d-419e-87e3-7cf97d2cba75) - added a new Informational alert
User added to a group and removed (5e7de7c5-a9c9-11ec-b6e2-acde48001122) - added a new Informational alert
A user accessed an abnormal number of remote shared folders (90519c99-0374-4b59-99b5-42d08d11bfe9) - added a new Informational alert
Improved logic of 24 Informational Analytics Alerts:
A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
A user printed an unusual number of files (cbe07552-7163-418f-ad4f-03ae261bdc2d) - improved logic of an Informational Analytics Alerts
Multiple Rare Process Executions in Organization (3d78f74c-a8f0-11eb-923e-acde48001122) - improved logic of an Informational Analytics Alerts
A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
Possible Brute-Force attempt (17ae9c82-4ecb-449a-997c-e1c609948bf2) - improved logic of an Informational Analytics Alerts
NTLM Brute Force (c8cf2a36-7f8c-46dc-a644-85e090113628) - improved logic of an Informational Analytics Alerts
Uncommon multiple service stop commands (09db6c8f-189e-4e07-b94a-3fe5a188e4b0) - improved logic of an Informational Analytics Alerts
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts
Massive file compression by user (50fc7f19-39ba-428f-864b-152b6e26b95c) - improved logic of an Informational Analytics Alerts
Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts
Possible brute force on sudo user (a5a4f979-da78-4195-a288-7cc55ae00a43) - improved logic of an Informational Analytics Alerts
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts
Increase in Job-Related Site Visits (3ccaa62d-7762-11eb-93b0-acde48001122) - improved logic of an Informational Analytics Alerts
NTLM Password Spray (9113b2f2-263e-49b1-b72b-90e385430c44) - improved logic of an Informational Analytics Alerts
A user accessed multiple time-wasting websites (b529b510-ebe8-44ce-a56c-1a276b17217c) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
Multiple users authenticated with weak NTLM to a host (863cf845-00bf-4084-a08a-dd527ca720a4) - improved logic of an Informational Analytics Alerts
SSH authentication brute force attempts (be5524ca-60ab-49eb-9045-9aa65d1d89fd) - improved logic of an Informational Analytics Alerts
A user authenticated with weak NTLM to multiple hosts (01a04516-a112-4fe6-bacb-6ac1733f8fc2) - improved logic of an Informational Analytics Alerts
Possible LDAP enumeration by unsigned process (85c187ec-80d1-464e-ab1e-a9aa5af7f191) - improved logic of an Informational Analytics Alerts
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - improved logic of an Informational Analytics Alerts
Multiple user accounts were deleted (a334c4fa-569a-11ec-ad30-acde48001122) - improved logic of an Informational Analytics Alerts
August 07 2022 Release:
Added a new High Analytics BIOC:
Possible Distributed File System Namespace Management (DFSNM) abuse (532490a8-f4fb-4eb7-a54d-8583bf54207d) - added a new High alert
Improved logic of 3 High Analytics BIOCs:
Unprivileged process opened a registry hive (9937ddbf-beb9-49b0-ac34-e005d53a127b) - improved logic of a High Analytics BIOCs
Suspicious usage of EC2 token (72595090-4615-11ec-9984-acde48001122) - improved logic of a High Analytics BIOCs
Suspicious API call from a Tor exit node (ac17179d-68dd-46cc-8d2a-68d506e6626e) - improved logic of a High Analytics BIOCs
Improved logic of a High Analytics Alert:
Suspicious objects encryption in an AWS bucket (4252215f-9929-472d-ae5a-9357997517a8) - improved logic of a High Analytics Alert
Improved logic of 7 Medium Analytics BIOCs:
External cloud storage access with an unusual ASN (b16278de-5dd6-4526-bac1-ff35e0657ea1) - improved logic of a Medium Analytics BIOCs
SMB Traffic from Non-Standard Process (f35bd6b0-9836-11ea-90f2-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
MSI accessed a web page running a server-side script (afb57884-36f1-4127-b1ac-43009c32899b) - improved logic of a Medium Analytics BIOCs
Penetration testing tool activity (f6e71c10-dfd2-11eb-8670-acde48001122) - improved logic of a Medium Analytics BIOCs
RDP Connection to localhost (23679c11-e954-11e9-9002-8c8590c9ccd1) - improved logic of a Medium Analytics BIOCs
Kerberos Traffic from Non-Standard Process (b3a944d7-98e2-11ea-b222-88e9fe502c1f) - improved logic of a Medium Analytics BIOCs
Suspicious GCP compute instance metadata modification (720e05f1-bdd0-44f4-89ab-ea006367072b) - improved logic of a Medium Analytics BIOCs
Improved logic of a Medium Analytics Alert:
Suspicious identity downloaded multiple objects from a bucket (a92f5d7c-4471-4b1e-8f55-f142da1e55bc) - improved logic of a Medium Analytics Alert
Improved logic of 30 Low Analytics BIOCs:
Unusual resource modification/creation by newly seen user (e4606659-2c15-4ac6-9282-8d9e1843eff0) - improved logic of a Low Analytics BIOCs
Azure Event Hub Deletion (e04bdd9c-2c8f-4095-a676-c815288073c9) - improved logic of a Low Analytics BIOCs
AWS web ACL deletion (c041fcc4-1c52-477f-9a19-88aeb0ef3ca7) - improved logic of a Low Analytics BIOCs
An Azure Firewall policy deletion (23147b80-cca4-4480-9418-5a61d193978d) - improved logic of a Low Analytics BIOCs
Unsigned and unpopular process performed a DLL injection (5396ebed-c7ef-4462-a02b-9cf7232b27b8) - improved logic of a Low Analytics BIOCs
Suspicious process changed or created the ssh_authorized_keys file (98bc28e2-92a2-49c6-8c4e-86188a351b75) - improved logic of a Low Analytics BIOCs
Recurring access to rare IP (85efd97a-e265-4498-9037-f15f6d041991) - improved logic of a Low Analytics BIOCs
Uncommon msiexec execution of an arbitrary file from remote location (8b919310-62f6-4035-b60b-ef61372947d9) - improved logic of a Low Analytics BIOCs
AWS Flow Logs deletion (a3c77c71-a13e-4ffb-b1b7-4ab624f70b27) - improved logic of a Low Analytics BIOCs
GCP Logging Sink Deletion (45fb0bb6-8fcb-41b9-86ca-9a4fbf6c3d82) - improved logic of a Low Analytics BIOCs
Cloud Trail logging deletion (4814ba3a-94ec-476d-b246-faa7ff5701e4) - improved logic of a Low Analytics BIOCs
Remote usage of AWS Lambda's token (06858b5e-7d15-11ec-85d7-acde48001122) - improved logic of a Low Analytics BIOCs
AWS network ACL rule deletion (9d5fb50c-8adb-4790-a6b9-47149a98bfa4) - improved logic of a Low Analytics BIOCs
Uncommon NtWriteVirtualMemoryRemote API invocation with a PE header buffer (ef23e0d8-6987-4e2d-8e00-76ac07e50bdc) - improved logic of a Low Analytics BIOCs
Remote usage of an AWS service token (dc9cf640-dcd9-11ec-8caa-acde48001122) - improved logic of a Low Analytics BIOCs
Suspicious SMB connection from domain controller (13c8d855-3949-4a3a-9c8f-9c222fca5680) - improved logic of a Low Analytics BIOCs
Possible Kerberoasting without SPNs (52d63320-2bc9-467f-9675-80b34ea02dba) - improved logic of a Low Analytics BIOCs
Unsigned and unpopular process performed an injection (6bcd74bb-6301-4f52-9a9f-1b38e6a54342) - improved logic of a Low Analytics BIOCs
Possible DCSync from a non domain controller (b00baad9-ded6-4ff2-92d7-d0c2861f4c55) - improved logic of a Low Analytics BIOCs
Suspicious Process Spawned by Adobe Reader (497d6ba3-9d46-40f4-909d-05ee574e1f57) - improved logic of a Low Analytics BIOCs
Execution of dllhost.exe with an empty command line (cc3bf426-10ed-4955-a0ab-302f81e22873) - improved logic of a Low Analytics BIOCs
WmiPrvSe.exe Rare Child Command Line (f4c5d502-e952-11e9-80aa-8c8590c9ccd1) - improved logic of a Low Analytics BIOCs
Azure Network Watcher Deletion (585d8256-6fd5-4f6f-ab50-a03130e0dd8b) - improved logic of a Low Analytics BIOCs
Authentication Attempt From a Dormant Account (c755f028-9f51-4885-8ae8-b365b7c095b3) - improved logic of a Low Analytics BIOCs
Disable encryption operations (dbeb37d1-79c9-4577-b186-69e06616cfd0) - improved logic of a Low Analytics BIOCs
Weakly-Encrypted Kerberos Ticket Requested (28e3b4ac-3060-4a3e-a7d6-78c95aa20de9) - improved logic of a Low Analytics BIOCs
AWS Guard-Duty detector deletion (a6849e4e-1a3e-4746-aba5-310368502de0) - improved logic of a Low Analytics BIOCs
Execution of renamed lolbin (d2600df6-4489-4ad6-b92b-0b560f958d57) - improved logic of a Low Analytics BIOCs
LOLBIN process executed with a high integrity level (365221fa-4c36-440f-824a-43885e9f3a6e) - improved logic of a Low Analytics BIOCs
Unusual Lolbins Process Spawned by InstallUtil.exe (cc340a8f-9cd0-4e26-891f-be1a01652715) - improved logic of a Low Analytics BIOCs
Removed 2 old Low Analytics BIOCs:
Globally uncommon root-domain port combination from a signed process (557d3fac-1cfd-47dd-8db9-631ae264feac) - removed an old Low alert
Globally uncommon root domain from a signed process (10febb79-f10d-4765-8c40-92c8c276457f) - removed an old Low alert
Increased the severity to Low for an Analytics Alert:
Short-lived user account (88add18f-533c-11ec-8aca-acde48001122) - increased the severity to Low, and improved detection logic
Improved logic of 8 Low Analytics Alerts:
Multiple Rare LOLBIN Process Executions by User (48a855c0-6eed-11eb-8f08-faffc26aac4a) - improved logic of a Low Analytics Alerts
Suspicious large allocation of compute resources - possible mining activity (896e2a9a-9c4f-4aea-9314-1e3e15050b44) - improved logic of a Low Analytics Alerts
Suspicious allocation of compute resources in multiple regions - possible mining activity (30f4d71c-a3f7-43b0-82ca-f2951995e420) - improved logic of a Low Analytics Alerts
User collected remote shared files in an archive (de85c5aa-21e8-43d7-af13-3862f787549f) - improved logic of a Low Analytics Alerts
Possible external RDP Brute-Force (fd879de7-fb74-44f0-b699-805d0b08b1fd) - improved logic of a Low Analytics Alerts
Multiple discovery commands (97dd1d4d-602a-4bc7-b39a-73fdad3d6053) - improved logic of a Low Analytics Alerts
IAM Enumeration sequence (c8452a94-0662-11ec-b585-acde48001122) - improved logic of a Low Analytics Alerts
Suspicious cloud infrastructure enumeration activity (fdd2a2a5-494d-48c9-96a9-b0f1986fd982) - improved logic of a Low Analytics Alerts
Improved logic of 91 Informational Analytics BIOCs:
AWS CloudWatch log stream deletion (33453a9d-e24e-47b9-bab9-8e6e75dcda8a) - improved logic of an Informational Analytics BIOCs
Unusual Identity and Access Management (IAM) activity (b13f8836-6f08-4444-adc2-db5d868b4950) - improved logic of an Informational Analytics BIOCs
Commonly abused process launched as a system service (3cbd172e-6e2f-11ea-8d8e-88e9fe502c1f) - improved logic of an Informational Analytics BIOCs
Azure diagnostic configuration deletion (9d97d9f3-7242-4ef2-ad0e-15205d8c264e) - improved logic of an Informational Analytics BIOCs
Cloud Trail Logging has been stopped/suspended (431bfe5d-b1dd-4587-a14a-39e50a9e0e31) - improved logic of an Informational Analytics BIOCs
Signed process performed an unpopular DLL injection (9e699960-30e7-4b6e-bb71-30cdbf635307) - improved logic of an Informational Analytics BIOCs
Rare scheduled task created (e9238163-64bf-40d1-9568-68c0e9d7fb72) - improved logic of an Informational Analytics BIOCs
MFA device was removed/deactivated from an IAM user (52d74622-2fa5-4eae-b7d0-8eb52e0caaf3) - improved logic of an Informational Analytics BIOCs
Azure Key Vault modification (c253e0bb-f704-45c8-9abe-ad0ec9345b54) - improved logic of an Informational Analytics BIOCs
Remote usage of an App engine Service Account token (b5b760e8-8747-11ec-b26b-acde48001122) - improved logic of an Informational Analytics BIOCs
Cloud impersonation by unusual identity type (e3858b4a-79df-4a70-867f-a6bfec0b7762) - improved logic of an Informational Analytics BIOCs
An IAM group was created (af19f0d0-1e67-4327-9528-a1dc496a548f) - improved logic of an Informational Analytics BIOCs
GCP VPC Firewall Rule Deletion (4c47ea31-a67a-4b2f-b88a-154d8aac420b) - improved logic of an Informational Analytics BIOCs
AWS user creation (242c9abb-1def-4778-ba5e-88817b4dc89f) - improved logic of an Informational Analytics BIOCs
VPN access with a new operating system for a user (0973136b-a66a-4ad1-ad9c-068971bfcbb8) - improved logic of an Informational Analytics BIOCs
GCP IAM Custom Role Creation (830eb74a-a6a5-4e5c-9890-0f5857408000) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Cloud (VPC) Network Deletion (d9158b41-8de9-4f6d-98b0-3155d4deb092) - improved logic of an Informational Analytics BIOCs
Unusual AWS systems manager activity (345c0d9c-2b47-43ff-96ca-4fb722c56973) - improved logic of an Informational Analytics BIOCs
Signed process performed an unpopular injection (365bfca2-a3e1-4a44-9487-1353903a6c61) - improved logic of an Informational Analytics BIOCs
Root user logged in to AWS console (447ef512-2b73-4c8e-b0f4-c85415e7659f) - improved logic of an Informational Analytics BIOCs
Unusual key management activity (63ebcc0f-ad7c-4b8b-b268-d9ed3a5f6856) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket deletion (d681c6c5-41e7-4042-bd07-7f666889d59c) - improved logic of an Informational Analytics BIOCs
Azure Resource Group Deletion (634020d0-c181-46a6-87bd-947296bfa692) - improved logic of an Informational Analytics BIOCs
Unusual secret management activity (0eee1723-5402-4e2f-b638-1da3e73aa040) - improved logic of an Informational Analytics BIOCs
AWS network ACL rule creation (a04d827e-9c62-4e2e-be28-1308c695446e) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Configuration Modification (d1ad46ca-4412-445a-a0be-17d9b29880d3) - improved logic of an Informational Analytics BIOCs
GCP Logging Bucket Deletion (8ceac70b-ed02-476c-a332-81406993b594) - improved logic of an Informational Analytics BIOCs
AWS System Manager API call execution (c7b0f3a5-dd93-4ff3-9eb8-04a5b4098b9a) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Deletion (ba481ed7-9957-489f-a29d-b78f92cc0644) - improved logic of an Informational Analytics BIOCs
Aurora DB cluster stopped (37242e95-a845-4043-87d6-ad07edfd7c99) - improved logic of an Informational Analytics BIOCs
Azure Automation Webhook creation (c5393a54-b199-4474-a603-75b276903766) - improved logic of an Informational Analytics BIOCs
AWS Cloud Trail log trail modification (35cf35c7-7ba8-4bd0-ba1d-12f621cc2076) - improved logic of an Informational Analytics BIOCs
GCP Logging Sink Modification (cc436ab2-4894-4766-870a-d2136c60f688) - improved logic of an Informational Analytics BIOCs
Tampering with Internet Explorer Protected Mode configuration (670fd2a0-8523-85f1-49c9-28a1f2ccb69a) - improved logic of an Informational Analytics BIOCs
Azure Automation Runbook Creation/Modification (abeed5ee-9620-4c31-b751-f090b3a82c37) - improved logic of an Informational Analytics BIOCs
EC2 snapshot attribute has been modification (1c516548-f413-4117-b759-d98d5bec3ed5) - improved logic of an Informational Analytics BIOCs
An AWS RDS Global Cluster Deletion (1b957d24-d4c3-11eb-9122-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Topic Deletion (2acac71c-6a19-4b2f-a4d3-b95fa4cab768) - improved logic of an Informational Analytics BIOCs
Rare LOLBIN Process Execution by User (b19eb321-6ed0-11eb-b616-faffc26aac4a) - improved logic of an Informational Analytics BIOCs
Cloud Watch alarm deletion (a6e92e30-ba80-4ac1-8f0a-2ca128d9f7a7) - improved logic of an Informational Analytics BIOCs
AWS config resource deletion (7c992418-9687-44ea-8b12-1c680bf1c901) - improved logic of an Informational Analytics BIOCs
An Identity accessed a secret from Secret Manager (050cd586-bc43-4586-850d-162c0123ad6e) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule creation (a84dbd23-67d0-4851-a73a-7dc7430600cf) - improved logic of an Informational Analytics BIOCs
AWS IAM resource group deletion (5938b08b-62db-4dce-a695-f365dbc1ed36) - improved logic of an Informational Analytics BIOCs
Suspicious process accessed a site masquerading as Google (2a868ccf-d9cb-4efe-8dcc-bcffca46d24b) - improved logic of an Informational Analytics BIOCs
AWS EC2 instance exported into S3 (c6ad16c5-f2be-46de-9d3b-c44613f46d27) - improved logic of an Informational Analytics BIOCs
LOLBAS executable injects into another process (76190f98-9582-9c60-cca0-3ee2e8f0bf15) - improved logic of an Informational Analytics BIOCs
Rare AppID usage to a rare destination (2c4ccc31-a8cd-433b-a952-06fedd78e3ec) - improved logic of an Informational Analytics BIOCs
LDAP Traffic from Non-Standard Process (5e72a7b4-39ed-4669-98ca-b2495088f653) - improved logic of an Informational Analytics BIOCs
Unusual IAM enumeration activity by a non-user Identity (1684d2d6-bec9-11eb-83d2-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP IAM Role Deletion (e0fe91e0-6179-4a3d-9d71-95144f4ebb25) - improved logic of an Informational Analytics BIOCs
IAM User added to an IAM group (440b6ea7-2f9e-4ad1-8443-2586eb796298) - improved logic of an Informational Analytics BIOCs
AWS Role Trusted Entity modification (cada381e-8af6-45fa-8c3f-a4e93c4e1885) - improved logic of an Informational Analytics BIOCs
First SSO access from ASN for user (8622889d-334a-4df4-a8e5-18ffed330943) - improved logic of an Informational Analytics BIOCs
AWS RDS cluster deletion (818dcc3f-c6e9-4ad5-a7ac-633cb75ebe71) - improved logic of an Informational Analytics BIOCs
GCP Pub/Sub Subscription Deletion (12e3bc4a-69f6-4923-932e-0272621aa21a) - improved logic of an Informational Analytics BIOCs
A process connected to a rare external host (5dff906e-243b-4da0-b74a-2ac5e7e0bea4) - improved logic of an Informational Analytics BIOCs
A LOLBIN was copied to a different location (55c8b498-1f5e-4abf-9dfc-ca8bf0bcb3b9) - improved logic of an Informational Analytics BIOCs
VPN access with an abnormal operating system (1adc594f-4a49-4f75-adee-5b72c4dd4e70) - improved logic of an Informational Analytics BIOCs
AWS Config Recorder stopped (faf20659-6ec1-4caa-a7f5-0f10c1fc1ac4) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Creation (00e3b67d-2ef2-4341-b017-a6183b7dd8c8) - improved logic of an Informational Analytics BIOCs
Remote usage of VM Service Account token (e65c3658-79d7-11ec-bba6-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Virtual Private Network Route Deletion (db6e96a7-a47a-4ba3-b92c-623713ba3d67) - improved logic of an Informational Analytics BIOCs
Unusual certificate management activity (8b9e6554-d620-4d03-a3e6-9d61705acf71) - improved logic of an Informational Analytics BIOCs
Azure virtual machine commands execution (6a069681-c378-4b9c-a2e2-0414a64cc36e) - improved logic of an Informational Analytics BIOCs
GCP Service Account deletion (bf134ec2-a907-4f4f-a316-0b68625ff236) - improved logic of an Informational Analytics BIOCs
A suspicious file was written to the startup folder (5c9df403-aecc-4b54-99c5-50a779bae6ae) - improved logic of an Informational Analytics BIOCs
AWS CloudWatch log group deletion (64689ed5-54e5-4b90-9600-5f09845761ac) - improved logic of an Informational Analytics BIOCs
Penetration testing tool attempt (2147c964-e3b1-11eb-8909-acde48001122) - improved logic of an Informational Analytics BIOCs
Azure user creation (a03230a6-05a6-484e-b90e-2d5fa2e9b60f) - improved logic of an Informational Analytics BIOCs
Log4J exploitation attempt against cloud hosted resources (bdef5aae-a272-4c70-b1cd-165cac5039c3) - improved logic of an Informational Analytics BIOCs
GCP IAM Service Account Key Deletion (7a30c221-6450-4c5a-bafc-f6633a5b7f7f) - improved logic of an Informational Analytics BIOCs
A cloud identity had escalated its permissions (eec5cdfa-4ba8-11ec-b4d5-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Service Account creation (f29b6fd5-3da3-4e40-867d-ef8c82d95116) - improved logic of an Informational Analytics BIOCs
First access to a bucket by an identity (f58b8b01-95b6-487f-8014-6bb9f7ed9e5b) - improved logic of an Informational Analytics BIOCs
GCP Storage Bucket Permissions Modification (5ed09b6c-a603-4c5d-8c63-74245e42faed) - improved logic of an Informational Analytics BIOCs
GCP Service Account Disable (ee82516d-e047-4172-a427-17e30e037706) - improved logic of an Informational Analytics BIOCs
S3 configuration deletion (68ebffe9-ce22-4453-bf44-5cd1affd67a0) - improved logic of an Informational Analytics BIOCs
Activity in a dormant region of a cloud project (22e661ae-3081-4a2d-9550-c65b6b660af1) - improved logic of an Informational Analytics BIOCs
Remote PsExec-like command execution (f2282012-53aa-44f0-bda2-e45cd6b8b61a) - improved logic of an Informational Analytics BIOCs
External cloud storage access with unusual user agent (ca366600-2391-4685-9f5a-4c70aba596a3) - improved logic of an Informational Analytics BIOCs
Azure Event Hub Authorization rule creation/modification (ba1fb18f-9031-4b7c-9ec3-d029f5e5ee0e) - improved logic of an Informational Analytics BIOCs
A disabled user attempted to log in (fea20ef8-b12b-4d2c-b978-feac1d2b517e) - improved logic of an Informational Analytics BIOCs
Azure Automation Account Creation (878335a8-daf9-4380-a856-9df94a8f9e8d) - improved logic of an Informational Analytics BIOCs
GCP Firewall Rule Modification (780f6209-1829-45e2-9ab9-a22999d6ef6e) - improved logic of an Informational Analytics BIOCs
A cloud identity executed an API call from an unusual country (32cff288-9e1e-11ec-ac34-acde48001122) - improved logic of an Informational Analytics BIOCs
GCP Service Account key creation (d0604f23-ee52-4587-864e-39ed5c8a32bb) - improved logic of an Informational Analytics BIOCs
Azure Blob Container Access Level Modification (28efc491-b0a3-4edc-96ab-15156dec80e4) - improved logic of an Informational Analytics BIOCs
Iptables configuration command was executed (bbb7b421-2de6-438d-a270-e28ed2a95b35) - improved logic of an Informational Analytics BIOCs
Suspicious cloud identity impersonation (d70fa2aa-2e60-4642-b16b-32bf2a733ab1) - improved logic of an Informational Analytics BIOCs
Azure Storage Account key generated (72443a25-c783-494e-adaa-98cd96a54997) - improved logic of an Informational Analytics BIOCs
Added a new Informational Analytics Alert:
Massive upload to a rare storage or mail domain (ec84de68-b372-48f9-8c20-1de4b50bd3b4) - added a new Informational alert
Improved logic of 8 Informational Analytics Alerts:
A user performed suspiciously massive file activity (206ab12c-7258-47eb-a430-23d37485f6be) - improved logic of an Informational Analytics Alerts
Cloud user performed multiple actions that were denied (1e2401a8-f548-11eb-82d6-acde48001122) - improved logic of an Informational Analytics Alerts
Possible internal data exfiltration over a USB storage device (9850f270-c70f-4edd-8731-a5354375c989) - improved logic of an Informational Analytics Alerts
Port Scan (083f7cb7-23d2-4379-a9e9-f899bc5d28a2) - improved logic of an Informational Analytics Alerts
Possible data exfiltration over a USB storage device (ca25afc8-5edd-4a46-84eb-8f3f93e2d6ef) - improved logic of an Informational Analytics Alerts
Massive file activity abnormal to process (75c4e5df-904a-4c1d-a88b-f0853553f372) - improved logic of an Informational Analytics Alerts
Multi region enumeration activity (4352a5db-4260-4ddc-9187-845aa6349a04) - improved logic of an Informational Analytics Alerts
A user accessed multiple unusual resources via SSO (205ad747-beef-11ec-8db2-acde48001122) - improved logic of an Informational Analytics Alerts
... View more
- Find more articles tagged with:
- BIOC
- Content Release Notes
- Cortex
- Cortex XDR
- release note
Labels:
10-06-2020
10:00 AM
4 Kudos
Empathy is the hallmark of creating a great customer experience in a customer's journey. Our customers experience is a holistic perception in every interaction they have with our company and digital touch points. I am proud to be an active advocate and emissary of superior Customer Experience here at Palo Alto Networks. I feel supported by our leadership and our amazing team in this mission.
~vcotton, Platform Community Manager, LIVEcommunity
... View more
06-29-2020
12:17 PM
Thank you for the immense value you all bring to our community and the knowledge you tirelessly share with others! Congratulations!
... View more
This much anticipated LIVEcommunity program is about to launch! We are excited to share the details! Stay tuned….
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-24-2022
01:45 PM
|
Latest Tags
No tags yet
Likes From
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks