August 23, 2024

This content release includes:

Updates to rules to improve the user experience
Specific updates are enumerated and summarized below

note

Rule DNS query for dynamic DNS provider (LEGACY-S00180) is slated for removal the week of 2024-09-02. The rule is being removed from global content due to the untenable nature of maintaining the list of dynamic DNS providers within the rule expression. To retain this rule, it must be duplicated prior to the date of removal.

Rules

[Updated] MATCH-S00816 Interactive Logon to Domain Controller
- Updated expression match list to use new domain_controllers_hostnames instead of domain_controllers which was generating false positives due to IP dependency.
[Updated] LEGACY-S00105 Suspicious DC Logon
- Updated expression match list to use new domain_controllers_hostnames instead of domain_controllers which was generating false positives due to IP dependency.

srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid `null` values for the following rules:

[Updated] MATCH-S00874 AWS Lambda Function Recon
[Updated] MATCH-S00825 AWS Secrets Manager Enumeration
[Updated] MATCH-S00513 Critical Severity Intrusion Signature
[Updated] THRESHOLD-S00085 Excessive Outbound Firewall Blocks
[Updated] MATCH-S00666 High Severity Intrusion Signature
[Updated] MATCH-S00669 Informational Severity Intrusion Signature
[Updated] MATCH-S00668 Low Severity Intrusion Signature
[Updated] MATCH-S00667 Medium Severity Intrusion Signature
[Updated] THRESHOLD-S00095 Password Attack

Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:

[Updated] MATCH-S00429 LSASS Memory Dumping +
[Updated] MATCH-S00161 Malicious PowerShell Get Commands +
[Updated] MATCH-S00190 Malicious PowerShell Invoke Commands +
[Updated] MATCH-S00198 Malicious PowerShell Keywords +
[Updated] MATCH-S00191 Suspicious PowerShell Keywords +
[Updated] MATCH-S00431 Suspicious Use of Procdump +
[Updated] MATCH-S00583 WCE wceaux.dll Access +
[Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected +
[Updated] MATCH-S00291 Windows Credential Editor (WCE) in use +

Added exclusion to match expression for `OneDrive` to reduce false positives and removed fields producing nulls in the signal summary for the following rules:

[Updated] THRESHOLD-S00111 Sharepoint - Excessive Documents Accessed by External IP
[Updated] THRESHOLD-S00101 Sharepoint - Excessive Documents Accessed by User
[Updated] THRESHOLD-S00100 Sharepoint - Excessive Documents Downloaded
[Updated] THRESHOLD-S00110 Sharepoint - External IP Downloaded Excessive Documents

Rules​

srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid null values for the following rules:​

Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:​

Added exclusion to match expression for OneDrive to reduce false positives and removed fields producing nulls in the signal summary for the following rules:​

Rules

srcDevice_hostname and srcDevice_ip have been removed from signal summaries to avoid `null` values for the following rules:

Removed MITRE ATT&CK Subtechnique T1003.007 (OS Credential Dumping: Proc Filesystem) for the following rules:

Added exclusion to match expression for `OneDrive` to reduce false positives and removed fields producing nulls in the signal summary for the following rules: