Skip to main content

Responses are generated using AI and may contain mistakes.

New-Scale Security Operations PlatformNew-Scale Security Operations Platform Release Notes

July 2026

The New-Scale Security Operations Platform includes the following addressed features and new features for July 2026.

Attack Surface Insights

Feature

Description

Email Address and Primary Login (Email Format) Linking

To reduce duplicate and orphan entities if the user identity data in your environment is inconsistent or incomplete, Attack Surface Insights now links the email_address event field with the Primary Login (Email Format) Active Directory field.

If an incoming event is identified by the email_address field and there is no matching email_address in context, Attack Surface Insights now looks for the field value under the Primary Login (Email Format) field. If there is a matching field value, the entity is linked to that context record.

Automation Management

Feature

Description

New Actions for threatcenter Pre-Built Service

You can now return all case and alert details with two new actions for the pre-built threatcenter service.

You can use the the Get Case Details action to return:

  • alertCreationTimestamp – The date and time the associated alert was created

  • alertId – The UUID of the associated alert

  • approxLogTime – The date and time Search indexes an event

  • assignee – The assignee assigned to respond to the case

  • assigneeId – The ID of the person assigned to respond to the case

  • creationTimestamp – The date and time the case was created

  • caseId – The UUID of the case

  • caseNumber – The number assigned to the case

  • creationBy – Who created the case

  • stage – The current case stage

  • closedReason – If the case is closed, the selected pre-defined case closed reason

  • supportingReason – If the case is closed, the comment added to the pre-defined case closed reason

  • alertDescription – Case description in either plain text or HTML format. For example Suspicious Activity (plain text) or <strong>Suspicious Activity<strong> (HTML). If HTML formatting is used, it will also be reflected in the Threat Center web interface.

  • hasAttachments – A boolean value indicating whether the case has attachments.

  • isDeleted – A boolean value indicating whether the case is deleted.

  • lastModifiedBy – Who last modified the case.

  • lastModifiedTimestamp – The date and time the case was last modified.

  • mitres – The associated MITRE ATT&CK® tactic and technique and their corresponding keys.

  • alertName – The name of the associated alert.

  • priority – The case priority: Low, Medium, High, Critical, or Undefined.

  • riskScore – The case risk score

  • queue – The queue assigned to respond to the case

  • status – Whether the case is read or unread

  • tags – Tags added to the case

  • useCases – Associated Exabeam use cases

  • products – The products associated with related detections

  • vendors – The vendors associated with related detections

  • srcHosts – The source host names associated with related detections.

  • srcIps – The source host IP addresses associated with related detections

  • destHosts – The destination host names associated with related detections

  • destIps – The destination IP addresses associated with related detections

  • users – The users associated with related detections

  • groupedbyKey – The attribute by which detections are grouped

  • groupedbyValue – The attribute value by which detections are grouped

  • ingestTimestamp

  • srcEndpoints – The source host names and IP addresses associated with related detections

  • destEndpoints – The destination host names and IP addresses associated with related detections

  • groupingRuleId – The ID of the detection grouping rule used to group related detections

  • rules – The triggered analytics rules, correlation rules, and Advanced Analytics associated with related detections

You can use the Get Alert Details action to return:

  • creationTimestamp – The date and time the alert was created

  • alertId – The UUID of the alert

  • caseId – The UUID of the associated case

  • approxLogTime – The date and time Search indexes an event

  • creationBy – Who created the case

  • alertDescription – Alert description in either plain text or HTML format. For example Suspicious Activity (plain text) or <strong>Suspicious Activity<strong> (HTML). If HTML formatting is used, it will also be reflected in the Threat Center web interface.

  • lastModifiedBy – Who last modified the alert

  • lastModifiedTimestamp – The date and time the alert was last modified

  • mitres – The associated MITRE ATT&CK® tactic and technique and their corresponding keys.

  • alertName – The name of the alert

  • priority – The alert priority: Low, Medium, High, Critical, or Undefined

  • riskScore – The alert risk score

  • status – Whether the associated case is read or unread

  • tags – Tags added to the alert

  • useCases – Associated Exabeam use cases

  • products – The products associated with related detections

  • vendors – The vendors associated with related detections

  • srcHosts – The source host names associated with related detections.

  • srcIps – The source host IP addresses associated with related detections

  • destHosts – The destination host names associated with related detections

  • destIps – The destination IP addresses associated with related detections

  • users – The users associated with related detections

  • groupedbyKey – The attribute by which detections are grouped

  • groupedbyValue – The attribute value by which detections are grouped

  • ingestTimestamp

  • srcEndpoints – The source host names and IP addresses associated with related detections

  • destEndpoints – The destination host names and IP addresses associated with related detections

  • groupingRuleId – The ID of the detection grouping rule used to group related detections

  • rules – The triggered analytics rules, correlation rules, and Advanced Analytics associated with related detections

  • alertStatus – Whether the alert is read or unread

Cloud Collectors

Feature

Description

Google Workspace Context Cloud Collector

The Google Workspace Context Cloud Collector is now available as part of Cloud Collectors to facilitate ingestion of user context data.

Early Access Collectors

Armis Cloud Collector

The Armis Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of alerts logs from Armis.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Armis Context Cloud Collector

The Armis Context Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of context data from Armis.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

AWS Inspector Cloud Collector

The AWS Inspector Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of data from Amazon Inspector.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

AWS Redshift Cloud Collector

The AWS Redshift Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of Redshift cluster management events from Amazon Redshift.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Cybereason Cloud Collector

The Cybereason Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of Cybereason logs.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Google Security Operations Cloud Collector

The Google Security Operations Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of all supported default and custom logs from your Google SecOps account.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Palo Alto SaaS Security Cloud Collector

The Palo Alto SaaS Security Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of SaaS Security log events.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Symantec CloudSOC Cloud Collector

The Symantec CloudSOC Cloud Collector is now available as part of Cloud Collectors early access program to facilitate ingestion of Symantec CloudSoc logs that include Investigate Service App logs, Detect App (Incidents) logs and Investigate App logs.

The early access program offers you an opportunity to gain access to the latest cloud collectors before their official release. To participate, see Sign Up for the Early Access Program.

Log Sources

The following features were introduced in Log Sources during July 2026.

Feature

Description

User-initiated Deletion of Log Source Policies

Log Sources features now offer enhancements to the user-initiated deletion of log source policies. You can delete one or more policies. For bulk deletion, the available actions are displayed dynamically based on the status of the log source policy - Enabled or Disabled. The Delete action is displayed only when all selected policies are disabled.

Recommendations for Overlapping Policy Conditions

To resolve the errors caused due to overlapping conditions that result in to routing errors, quiet log sources, and policy conflicts, recommendations are added to the Log Sources documentation. In case a raw log event is assigned to an incorrect log source policy due to overlapping conditions, the conflict can be resolved using recommendation and specific policy precedence rules.

Support for Custom Silent Monitoring Threshold

Under Silent Monitoring Threshold, you can now enter a custom value in in the Warn After Silent for field or select a duration from 30 minutes to 72 hours to define the condition for detecting a silent log source. You can enter the custom value while creating a new log source policy or while editing an existing log source policy.

Log Stream

Feature

Description

Native Field Extraction Expressions for Enrichment Rules

A new set of expressions is available when defining conditions for custom enrichment rules. These new expressions streamline the multi-step process of extracting sub-string values from complex fields like /user/local/bin/app.sh. Each new expression calls a dedicated extraction function that identifies and returns a specific sub-field value.

These new expressions eliminate the need to define multiple manual Regex patterns and provide the following benefits:

  • Resilience for downstream applications

  • Increased precision in enrichment rule conditions

  • Adaptability when changes occur in input formats

  • Logic to handle edge cases and non-standard scenarios.

The new native field extraction expressions include the following:

Input Type

Output

File Path

Directory, Name, Extension

URL

Registered Domain, Top Domain/Public Suffix, Subdomain, Path, Query String, Path + Query String

Process Path

Directory, Name

OS Normalization

OS Name, Major Version

For information and examples of each expression, see Native Field Extraction Expressions in the Log Stream Guide

Important

These new expressions can be used only to define conditions when building a custom enrichment rule. They cannot be used to support custom parser creation.

New-Scale Platform

Feature

Description

Capture Failed Login Attempts in Audit Log

Failed login attempts are now captured in the Audit Log. Previously, only successful logins were recorded. With this update, authentication failures are logged as query-able events, giving visibility into unauthorized access attempts, account enumeration, and potential credential attacks.

Failed login events share the same schema as success events and can be queried using the same filters.

MCP User-Delegated Authentication

You can now connect an AI client (such as Claude, ChatGPT, or Microsoft Copilot) to Exabeam via the Model Context Protocol (MCP) with user-level authentication using your Exabeam credentials. Previously, MCP connections only used application-level API keys shared across users.

All actions taken through the AI client are performed under your identity, respect your existing role-based permissions, and are attributed to you in the Exabeam Audit Log.  With user-delegated authentication, each analyst's AI client session is individually authorized.

For more information see Connect to Exabeam MCP Server in the New-Scale Security Operations Platform Administration Guide.

Notice of Audit Activity Type Deprecations

Exabeam is in the process of streamlining and and simplifying the activity_type values available for audit logs in New-Scale applications. Specifically, 46 activity_type values are being deprecated from the common information model (CIM). Instead, all audit events are being consolidated into a single, unified activity_type:

audit-log:success/fail

The parser affected by this update is exabeam-audit-json-alert-case-success.

The change can affect downstream applications if, for example, you rely on audit log activity types in filters for saved searches or for custom dashboards or visualizations. To provide enough time to make any necessary downstream updates, the deprecations will be implemented at the end of September.

The following are the audit log activity_type values being deprecated:

  • alert-modify

  • alert-create

  • alert-delete

  • alert-read

  • case-modify

  • case-create

  • case-delete

  • case-read

  • detection_group_rule-create

  • detection_group_rule-modify

  • detection_group_rule-delete

  • detection_group_rule-enable

  • detection_group_rule-disable

  • parser-create

  • parser-delete

  • parser-modify

  • parser-import

  • parser-enable

  • parser-disable

  • log-search

  • log-download

  • log-export

  • log_source-remove

  • log_source-enable

  • log_source-disable

  • log_source-add

  • log_source-modify

  • log_account-create

  • log_account-delete

  • log_account-modify

  • context_table-create

  • context_table-modify

  • context_table-delete

  • site_collector-create

  • site_collector-delete

  • site_collector-enable

  • site_collector-disable

  • site_collector-modify

  • collector-create

  • collector-modify

  • collector-delete

  • collector-enable

  • collector-disable

  • template-delete

  • template-create

  • template-modify

Search

Feature

Description

Expanded Date Range for Queries in the Timeline View

The supported date range for viewing search results in the Timeline view has been expandedfrom 7 days to 31 days.

For more information, see Timeline View of Search Results in the Search Guide.

Server-Side Filter for Showing Only Detections

Early Access Opportunity

An early access opportunity is available to change the behavior of the Show only rows with detections toggle in the Timeline view or results. When enabled, the detections only filter runs as a server-side filter and re-queries the entire dataset, rather than the initial set of 5,000 records, to return detection results from the full dataset.

If you would like to take advantage of this early access opportunity, email the following group: [email protected]

Natural Language Query Improvements

Natural language functionality benefits from exposure to use and Exabeam continues to work on extending the supported use cases. AI training has now been expanded to generate reliably accurate results for the following types of real-world use cases:

  • Windows file paths with back slashes

  • Bi-directional search for bare IP addresses

  • User and device entity recognition

  • Time field parsing

  • IP ranges using CIDR notation

  • Domain pattern recognition

  • Comparison operators in multiple languages

For information, see Natural Language Search n the Search Guide.

Site Collectors 2.21

Feature

Description

Unsupported Ports

The following ports are no longer supported for Site Collectors: 8880, 9093, 9877, 9878, and 9879.

Ensure that unsupported ports, such as 8880 and 9093 are removed or closed, and that the remaining ports are configured to match your specific environment.

Deprecation of Log Sources Monitoring Feature from Site Collectors

The Log Source Monitoring feature will be deprecated effective September 1, 2026. After this date, the functionality will no longer be available. It is recommended to use the Log Sources tile on the New-Scale Security Operations Platform home page to monitor log sources and get notified of any issues.

Threat Center

Feature

Description

Exabeam Nova Analyst Assistant Safeguards

To get more reliable and predictable answers and to prevent misuse, Exabeam Nova Analyst Assistant safeguards now ensure your conversations are focused on alert triage and case investigations.

When you enter general purpose or unrelated prompts, Exabeam Nova Analyst Assistant now asks you to refocus on security operations.

Detection Grouping Display Enhancement

To more easily understand how detections are grouped at a glance, cases or alerts whose detections are grouped by multiple fields now display as <first detection grouping field value> + <count>.

The count indicates the number of additional fields by which detections are grouped. You can hover over the count to reveal the additional fields by which detections are grouped.

threatcenter-july2026releasenotes-detectiongroupingdisplayenhancement.png

Dynamic Exabeam Nova Generated Titles

To more quickly understand cases and alerts and to prioritize investigations more effectively, Exabeam Nova now automatically updates case and alert titles whenever there is new evidence in the case or alert.

Exabeam Nova Investigation Summary Enhancement

To understand key findings more quickly, you can now view a more concise and accurate Exabeam Nova Investigation Summary.

To create more concise and accurate case and alert summaries, Exabeam Nova Investigation Summary consolidates duplicate detections and considers additional metadata from the original event.

Threat Detection Management

Feature

Description

New Early Access Pre-Built Analytics Rules

New pre-built analytics rules are now released as part of an early access program before becoming generally available. Analytics rules in early access have [Early Access] in their names.

You can now better detect abnormal cloud application activity with the following early access pre-built analytics rules:

  • Fact-MFADisable – MFA was disabled.

  • NumCP-MFADisable-UC – An abnormal number of MFA disable events have been observed for this user.

  • Fact-EMRC-FwR-IntDom – An inbox rule has been configured to forward emails to an email address that's in the domain of the rule's creator.

  • Fact-MM-AutoFwR-ExtDom – A user enabled the auto forwarding setting to forward emails to external email domain.

  • Prof-MIRead-U-Plt-U – This is the first time a mailbox throttled by this user for this platform. In Outlook the logs for reading emails write how much emails a user read and after some number it keep the number and say that the mailbox is throttled. It means the user read more than the maximum number of emails the logs keep track on. This could be an indication of email collection

  • NumDCP-FS-EC-U-FP – An abnormal number of files have been shared by this user.

  • Prof-MItem-U-U-MailboxOwner – This is the first time this user accessed a mailbox owned by this user.

  • Prof-SLC-PublicLnkType-O-U – This is the first time a public shared link creation has been observed for this user.

  • NumCP-PC-KextloadCmdC-DE – An abnormal number of 'kextload' (Kernel Extension Load) process executions have been observed for this endpoint.

  • Prof-Fwrite-E-O-DE-Plist – This is the first time a plist file was created on this endpoint.

  • Prof-Fwrite-E-O-U-Xdg – This is the first time a XDG autostart file was created by this user.

  • Prof-Fwrite-U-O-U-KernelModExt – This is the first time a kernel module file was created on unix system by this user.

  • Prof-PC-E-O-SE-Kextload – This is the first time a process execution of a 'kextload' (Kernel Extension Load) command has been observed on this endpoint.

  • Cntx-GA-PrivU – User is privileged: True\False

  • Fact-EA-SuspEncServiceNotKrbtgt – Suspicious or weak encryption type used for obtaining kerberos TGTs using non kerberos service. These events may include both failed and successful authentication.

  • Prof-Web-Method-WebDom-Method – This is the first time an HTTP communication to an internal resource in this web domain with this request method has been observed.

You can now better detect use of unapproved access tools with the following early access pre-built analytics rules:

  • Cntx-PC-UAT – Process is an unapproved access tool: True\False

  • Prof-PC-UAT-O-UAT – This is the first execution of this unapproved access tool in the organization.

  • Prof-PC-UAT-O-UD – This is the first execution of this unapproved access tool in this department.

  • Prof-PC-UAT-O-U – This is the first execution of this unapproved access tool for this user.

To better account for ephemeral ports and to replace an obsolete pre-built analytics rule, the following early access pre-built analytics rule was created:

  • NumSP-Network-BytesFromExtIP-DZ-Bytes – An abnormal amount of bytes have been sent in externally initiated communication to this network zone. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

Updated and Removed Pre-Built Analytics Rules

You can now better detect DLP-related events, first time user and system anomalies, and network communications with updated and removed pre-built analytics rules.

To ensure rule logic captures real-world DLP-related log values, which typically start with DLP rather than matching the string exactly,trainOnCondition was updated for the following pre-built analytics rules:

  • NumSP-SADLP-Bytes-U-Bytes – This is the first time a DLP alert triggered on this domain for this protocol.

  • NumDCP-SADLP-ProtoC-U-Proto – An abnormal number of unique protocols have been observed in DLP alerts for this user.

  • Prof-SADLP-Proto-U-Proto – This is the first time a DLP alert triggered on this protocol for this user.

  • Prof-SADLP-Tld-Proto-Tld – This is the first time a DLP alert triggered on this domain for this protocol.

To prevent over-triggering on first-time observations and to establish a good baseline, minimumTrainingPeriodInDays was updated to 14 for the following pre-built analytics rules:

  • Prof-PC-O-COD – This is the first time a process execution of an Office application has opened a remote document from this web domain.

  • Prof-SADLP-Tld-Proto-Tld – This is the first time a DLP alert triggered on this domain for this protocol.

  • Prof-DllLoad-Dir-O-FD – This is the first time a DLL image file was loaded from this folder for the organization.

  • Prof-DllLoad-Dll-O-FN – This is the first time this DLL image file was loaded in the organization.

  • Prof-CA-SPM-AddMember-O-U – This is the first time this user has successfully modified the attributes of a compute snapshot in AWS and shared it with a user/group.

  • Prof-PC-U-COD – This is the first time a process execution of an Office application has opened a remote document from this web domain for this user.

  • Prof-SADLP-Proto-U-Proto – This is the first time a DLP alert triggered on this protocol for this user.

To prevent over-triggering on first-time observations and to establish a good baseline, minimumTrainingPeriodInDays, checkFeatureMaturity, and maturityThreshold were updated for the following pre-built analytics rule:

  • Prof-RegW-COM-O-CLSID – This is the first time the registry path to a COM class with this CLSID has been modified.

To prevent over-triggering on first-time observations and to establish a good baseline, minimumTrainingPeriodInDays and checkFeatureMaturity were updated for the following pre-built analytics rule:

  • Prof-RegW-COM-U-CLSID – This is the first time this user has modified the registry path to a COM class with this CLSID.

To prevent over-triggering on first-time observations, minOrderOfMagnitude and maturityThreshold were updated for the following pre-built analytics rule:

  • NumSP-MItemRead-NMS-U-NA – An abnormal number of emails have been read by this user.

To account for URLs that have been normalized to use a single slash, actOnCondition was updated for the following pre-built analytics rules:

  • Fact-PCDotNet-CommandLine – This .NET supporting process was created with an URL in the commandline.

To account for URLs that have been normalized to use a single slash, trainOnCondition was updated for the following pre-built analytics rules:

  • Prof-PC-O-COD – This is the first time a process execution of an Office application has opened a remote document from this web domain.

  • Prof-PC-U-COD – This is the first time a process execution of an Office application has opened a remote document from this web domain for this user.

To remove a superfluous space at the beginning of the expression, trainOnCondition was updated for the following pre-built analytics rules:

  • Prof-CA-SPM-AddMember-O-U – This is the first time this user has successfully modified the attributes of a compute snapshot in AWS and shared it with a user/group.

  • Prof-CA-IPM-AddMember-O-U – This is the first time a user has successfully modified the attributes of a compute image in AWS and shared it with a user/group.

To correct a typo, description was updated for the following pre-built analytics rules:

  • Prof-Login-E-UD-DZ – This is the first time a user in this department successfully logged into this network zone.

  • Prof-Login-E-DE-SZ – This is the first time a successful login has been observed from this network zone to this endpoint.

  • Prof-Login-E-SE-DZ – This is the first time a user on this endpoint successfully logged into this network zone.

  • Prof-MFA-AuthMethod-U-AuthMethod – This is the first time this user authenticates with MFA authentication using this authentication method. These events may include both failed and successful logins.

  • Prof-MFA-MFADevice-U-MFADevice – This is the first time this user authenticates with MFA authentication using this device. These events may include both failed and successful logins.

  • Prof-EA-Kerberos-O-ET – This is the first time a Kerberos authentication has been observed with this encryption type for the organization. These events may include both failed and successful authentication.

To remove a redundant condition already accounted for in applicable_events, trainOnCondition was updated for the following pre-built analytics rule:

  • NumCP-UPwdMod-O – An abnormal amount of password reset events were observed for this user.

To simplify rule logic and remove empty string checks, trainOnCondition was updated for the following pre-built analytics rule:

  • NumSP-Web-Bytes-AIA-U-DownloadBytesIn – An abnormal inbound byte volume was observed for this user from download-related domains categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

To optimize performance by filtering out non-relevant data earlier in the evaluation process, applicable_events was updated for the following pre-built analytics rules:

  • Prof-GA-E-Plt-SZ – This is the first time an activity from this network zone has been observed for this platform.

  • Prof-GA-Plt-UD-Plt – This is the first activity observed on this platform for users in this department.

  • Prof-GA-Plt-U-Plt – This is the first activity observed on this platform for this user.

To map pre-built analytics rules to the Stealth tactic and remove the mapping to the obsolete Defense Evasion tactic, mitre was updated for the following pre-built analytics rules:

  • Fact-Login-PenTT – A domain associated with known hacking tools has been observed in a login event.

  • NumDCP-FRead-EC-SA-FP – An abnormal number of unique files have been read in this storage account for this user.

  • Prof-USwtch-U-U-DU – This is the first time this user has performed an account switch to this account.

  • NumCP-ELF-EC-U-SE – An abnormal number of failed endpoint logins from this endpoint have been observed for this user.

  • Prof-GA-PrivU-PltOp-PrivU – This is the first time this successful operation has been performed on this platform by a non-privileged user. Operations can include function types, APIs, application activities and more.

  • Fact-PCpcalua-IC – The PCALUA (Program Compatibility Assistant Service) process has been used to execute an indirect command. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/deprecated/windows/proc_creation_win_indirect_cmd.yml

  • NumDCP-EL-DEC-SE-DE – An abnormal number of unique destination endpoints have been observed in successful endpoint login events from this endpoint. These events may include interactive Window logins and other (interactive or not) OS logins.

  • NumDCP-EL-DEC-O-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for the organization. These events may include interactive Window logins and other (interactive or not) OS logins, both failed as successful.

  • Fact-PCbcdedit-BootEM – bcdedit.exe usage (e.g., delete, deletevalue, import, safeboot, network) tied to boot configuration tampering which may indicate attempts to damage the system or maintain persistence. This sigma rule is authored by @neu5ron. The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml

  • NumDCP-GA-OpC-UPlt-FOp – An abnormal number of unique failed operations have been observed in this platform for this user.

  • Prof-RA-R-U-RA – This is the first time this user assumed this role.

  • Fact-PCrundll32-PwrshellDll-PCL – rundll32.exe to execute PowerShell related code through DLL loading techniques. This sigma rule is authored by Markus Neis, Nasreddine Bencherchali (Nextron Systems). The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml

  • Prof-GA-Mime-O-Mime – This is the first time this MIME type has been observed for the organization. These events do not include network or endpoint platforms.

  • Fact-PCbitsadmin-FDnld – The BITSAdmin (Background Intelligent Transfer Service Admin) process has been used to download a file. This sigma rule is authored by Michael Haag, FPT.EagleEye and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml

  • Prof-RegW-CORPROFILER-O-U – This is the first time this user has modified or created a registry value for an environment variable associated with the COR_PROFILER.

  • Prof-GA-RGN-O-RGN – This is the first time this cloud region has been observed for the organization.

  • Fact-PCmwc-PExec – The Microsoft Workflow Compiler process has been executed. Microsoft Workflow Compiler may permit the execution of arbitrary unsigned code. This sigma rule is authored by Nik Seetharaman, frack113 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml

  • Fact-RegW-ControlPanel – A control panel item has been registered by writing to a registry key/value under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.

  • Fact-ELF-SA – A service account failed to log into an endpoint using an interactive Windows logon type. A service account is a user account that belongs to an application rather than an end user.

  • Fact-PCcertutil-SuspCmd – The CertUtil (Certification Utility) process has been executed with suspicious command line parameters. This sigma rule is authored by Florian Roth (Nextron Systems), juju4, keepwatch and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml, https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml, https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml.

  • Fact-PCwmic-ELT – The WMIC (WMI Command Line) process has been used to clear or delete an event log. This sigma rule is authored by Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

  • Prof-GMA-U-O-UD – This is the first time a user has been added to a group by a user in this department.

  • Prof-PLA-Loc-U-LocCity – This is the first time this user has physically accessed a building in this city.

  • Prof-UPwdMod-U-O-U – This is the first time this user has modified the password of another user account.

  • Fact-PCdevtool-BinExec – The DevToolsLauncher process has deployed a process. This sigma rule is authored by Beyu Denis, oscd.community (rule), @_felamos (idea) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml

  • Fact-PCcertutil-AP – The CertUtil (Certification Utility) process has been spawned by a command line executable. This sigma rule is authored by Florian Roth (Nextron Systems), Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml

  • Fact-PCpwrshell-Base64En-Hidden – The PowerShell has been used to execute a known malicious encoded command. This sigma rule is authored by John Lambert (rule) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml

  • Prof-RegW-U-DetailsLen – An abnormal registry details length has been observed for this user.

  • Fact-PCrundll32-ADllLoad-Susp – The 'rundll32.exe' process has executed an exported module function using an ordinal number. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml

  • Fact-PCcsc-AP – The CSC (C# Compiler) process has been spawned by a command line executable or a Microsoft Office process. This sigma rule is authored by Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml

  • Fact-PChh-HtmlExec – The HH (HTML Help) process has loaded a '.chm' (Compiled HTML) file. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml

  • Prof-GA-Plt-UD-Plt – This is the first activity observed on this platform for users in this department.

  • NumDCP-Login-DZC-U-DZ – An abnormal number of unique destination network zones have been observed in login events for this user. These events may include both failed and successful logins.

  • Prof-Login-E-UD-DZ – This is the first time a user in this department successfully logged into this network zone.

  • Prof-FDel-UnixLogFiles-O-U – This is the first time a log file deletion has been observed for this user in Unix systems.

  • Fact-PCsc-SvcMod-Ingt – The SC (Service Controller) process has been used to change a service binary path or failure command configuration with medium integrity level executed. This sigma rule is authored by Teymur Kheirkhabarov and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml

  • Prof-RegW-EnvVarPath-O-U – This is the first time this user has modified the PATH environment variable by writing to the registry value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path'.

  • Prof-PCnet-U-O-U-netlocalgroup – This is the first time a user account has been added to a group using 'net.exe' for this user.

  • Prof-RegW-Services-O-UD – This is the first time users in this department have modified or created a service by writing a registry key\value under the key 'HKLM\SYSTEM\CurrentControlSet\Services'.

  • Fact-RegD-RDPCon – The RDP connection history has been cleared via the registry.

  • Prof-PC-CmdArgs-Msbuild-O-XMLParam – This is the first time the 'msbuild.exe' process has been used to build a project with this xml file.

  • Fact-PCpwrshell-ADS – The PowerShell process has been used to execute a PowerShell script from an ADS (Alternate Data Stream). This sigma rule is authored by Sergey Soldatov, Kaspersky Lab, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml

  • Prof-PC-PN-Pdir – This is the first time a process execution has been observed from this directory for this process.

  • Prof-PCpwrshell-En-O-PP – This is the first time a process execution of PowerShell with an encrypted command has been observed for this parent process.

  • Fact-PCwevtutil-EventTracingClear – The WEvtUtil (Windows Event Utility) process has been used to clear an ETW (Event Tracing for Windows). This sigma rule is authored by @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml

  • Fact-PCpwrshell-BitsJob – The PowerShell process has been used to execute a BITS (Background Intelligent Transfer Service) transfer. This sigma rule is authored by Endgame, JHasenbusch (ported to sigma for oscd.community) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-deprecated/windows/proc_creation_win_powershell_bitsjob.yml

  • NumDCP-EL-DEC-U-DE – An abnormal number of unique destination endpoints have been observed in endpoint login events for this user. These events may include interactive Window logins and other (interactive or not) OS logins, both failed as successful.

  • Prof-RegW-Services-O-U – This is the first time this user has modified or created a service by writing a registry key\value under the key 'HKLM\SYSTEM\CurrentControlSet\Services'.

  • Prof-PCnet-U-O-U-netuser – This is the first time a user account has been enabled or disabled using 'net.exe' for this user.

  • Fact-PCcmstp-UAC – The CMSTP (Connection Manager Profile Installer) has been used to silently install a service profile for all users on an endpoint. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml

  • Prof-PC-O-Pdir – This is the first time a process execution has been observed from this directory.

  • Fact-PC-DExt – A process with an '.exe' extension following a non-executable extension has been executed. This sigma rule is authored by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml

  • Prof-PLA-Loc-U-LocDoor – This is the first time this user has physically accessed this door.

  • Prof-PC-CmdArgs-InstallUtil-O-DLLParam – This is the first time the 'installutil.exe' process has been executed with this DLL file as a parameter.

  • Prof-Login-E-DE-SZ – This is the first time a successful login has been observed from this network zone to this endpoint.

  • Prof-FDel-U-O-U-LogFile – This is the first time a log file has been deleted by this user.

  • Fact-PCrundll32-PwrshellDll-PPN – The PowerShell process has been used to spawn 'rundll32.exe' and execute a DLL from a temporary folder.

  • Prof-Login-E-U-DZ – This is the first time this user successfully logged into this network zone.

  • Fact-PC-ClearComHistory – This can help the attacker ot evade detection.

  • Prof-Login-E-DZ-SZ – This is the first time a successful login has been observed from this source network zone to this destination network zone.

  • Fact-PCcdb-DSE – The CDB (Console Debugger) process has been used to execute a script. This sigma rule is authored by Beyu Denis, oscd.community, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml

  • Prof-GA-RGN-U-RGN – This is the first time this cloud region has been observed for this user.

  • Prof-PC-CmdArgs-Msbuild-O-CsprojParam – This is the first time the 'msbuild.exe' process has been used to build this C# project.

  • Prof-GMA-GN-O-GN – This is the first time a user has been added to this group.

  • Prof-Login-E-U-SZ – This is the first time a successful login has been observed from this network zone for the this user.

  • Prof-GMA-U-O-U – This is the first time a user has been added to a group by this user.

  • NumDCP-FRead-EC-B-FP – An abnormal number of unique files have been read in this bucket for this user.

  • Prof-LogCl-E-O-DE – An abnormal number of unique files have been read in this bucket for this user.

  • Fact-LogCl-LogClear-AT – An audit log has been cleared.

  • Fact-PCrundll32-ProcMemDump-1 – The 'rundll32.exe' process has been used to dump process memory using the 'minidump' exported function in 'comsvcs.dll'. This sigma rule is authored by Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml

  • Fact-PCIOC-ZxShell – The 'rundll32.exe' process has been used to execute a known 'ZxShell' backdooring software module. This sigma rule is authored by Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml

  • Prof-LogCl-U-O-U – This is the first time an audit log has been cleared by this user.

  • Prof-Login-EmD-Plt-EmD – This is the first time this email domain has been used to successfully log into this platform.

  • NumCP-Auth-MfaEC-U – An abnormal number of Multi-Factor Authentication (MFA) authentication events for this user have been observed. These events may include both failed and successful authentications to an MFA service.

  • NumCP-ELF-EC-U-DZ – An abnormal number of failed logins to endpoints in this network zone have been observed for this user.

  • Fact-PC-SysP – The 'rundll32.exe' process has been used to execute a command associated with CVE-2023-23397.

  • Fact-PCnwp-NWP – A Windows system process has been executed from a folder it shouldn't normally execute from. This sigma rule is authored by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml

  • Fact-PC-TFE-Write – The Tasks folder in system32 and syswow64 are globally writable paths that can be abused using shell built-ins such as 'copy', 'echo', 'type', 'file createnew' to stage or execute payloads. This sigma rule is authored by Sreeman. The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/799acec38b9e0696cc1d5767a9416033f620aca0/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml

  • Fact-GA-TITOR – An IP address associated with TOR has been observed.

  • Fact-Fwrite-HiddenFile – Creating a file that starts with ".". File that starts with "." is a hidden file. An attacker can create hidden file to evade detection.

  • Fact-PC-MshtaScriptExecution – The MsHTA (Microsoft HTML Application) process has been used to execute a script code.

  • Fact-PCdctask64-Zoho – The ZOHO 'dctask64.exe' process has been used to perform process injection. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml

  • NumCP-FDel-EC-U – An abnormal number of file deletion events have been observed for this user.

  • Fact-PCcsi-AP – PowerShell starting the C# Interactive Console (csi.exe), which may be used to execute code in an unusual or hidden way. This sigma rule is authored by Michael R. (@nahamike01). The content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License). Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml

  • NumSP-FRead-FS-SA-Bytes – An abnormal amount of file bytes have been read in this storage account for this user.

  • Prof-Login-E-SE-DZ – This is the first time a user on this endpoint successfully logged into this network zone.

  • Fact-PCmsiexec-WebExec – The MsiExec process (Windows Installer) has been used to execute a remote script using a web addresses parameter. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml

  • Prof-PC-CmdArgs-Regsvr32-O-SCTParam – This is the first time the 'regsvr32.exe' process has been executed with this SCT file as a parameter.

  • Fact-PCDotNet-CommandLine – This .NET supporting process was created with an URL in the commandline.

  • Fact-PCpwrshell-ELT – The PowerShell process has been used to clear or delete an event log. This sigma rule is authored by Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml

  • Prof-PCMsbuild-E-O-DE – This is the first time the 'msbuild.exe' process has been used to build and execute a project on this endpoint.

  • Fact-PCsvchost-NoArg – The SvcHost (Service Host) process has been executed without any command line arguments. This sigma rule is authored by David Burkett, @signalblur and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml

  • Fact-PCrundll32-Meterpreter – The 'rundll32.exe' process has been used to execute a known Meterpreter/Cobalt Strike module. This sigma rule is authored by Teymur Kheirkhabarov, Ecco, Florian Roth and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml

  • Fact-PCgup-AF – The Notepad++ updater has been executed from a folder it shouldn't normally execute from. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml

  • Fact-PCping-HexEn – The 'ping.exe' process has been used to ping a hex encoded IP address. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml

  • NumDCP-FDel-U-DE – An abnormal number of unique remote destination endpoints have been observed in file deletion events on this endpoint for this user.

  • Prof-EL-EDC-U-SZ – This is the first time an endpoint login event to a domain controller has been observed originating from this network zone for this user. These events may include both failed and successful logins.

  • Prof-Login-E-O-SZ – This is the first time a successful login has been observed from this network zone for the organization.

  • Fact-PCmshta-JsExec – The MsHTA (Microsoft HTML Application) process has been used to execute javascript. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml

  • Fact-PC-Shell-Base64 – Identifies base64 being decoded and passed to a Linux shell

  • Cntx-GA-SuspCountry – The source country is suspicious: True\False

  • Fact-PC-Chflags-HiddenFile – The "setfile" unix process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users. An attacker can create hidden file to evade detection.

  • Fact-PCtaskmgr-SysPerm – The task manager process has been executed by the system user. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml

  • Fact-FWrite-EtcLldSo – The /etc/ld.so.preload file, if present, allows users to add additional shared libraries that will be loaded before the standard libraries. This can be useful for various purposes, such as implementing custom libraries, applying system-wide modifications, or debugging and profiling applications. Attackers could use this file to force the loading of their own malicious libraries, enabling them to modify system behavior, escalate privileges, or intercept sensitive data.

  • Prof-GA-Plt-U-Plt – This is the first activity observed on this platform for this user.

  • NumCP-ELF-EC-U-DE – An abnormal number of failed endpoint logins to this endpoint have been observed for this user.

  • Prof-EL-E-U-SC – This is the first time this user has successfully logged into an endpoint from this country, determined by geolocation lookup.

  • Prof-PC-CmdArgs-InstallUtil-O-EXEParam – This is the first time the 'installutil.exe' process has been executed with this EXE file as a parameter.

  • Fact-PCecho-EchoP – The 'echo.exe' process has been used to execute a command associated with Meterpreter and Cobalt Strike's GetSystem system privilege escalation function.

  • Prof-AuditPolicyMod-E-O-SE – This is the first time an audit policy modification has been observed from this endpoint. These events may include both failed and successful modifications.

  • Prof-GMA-OU-GN-UOU – This is the first time a user in this OU has been added to this group.

  • Fact-PCbginfo-VBExec – The BgInfo (Background Information) process has used a .bgi file to bypass application whitelisting. This is notable as this method allows blindly trusted signed binaries to write code which can be leveraged to run malicious actions. This sigma rule is authored by Beyu Denis, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml

  • Prof-ULck-U-O-U – This is the first time this user has locked a user account.

  • Fact-PCopenwith-Exec – The OpenWith process has been used to execute a program. This sigma rule is authored by Beyu Denis, oscd.community (rule), @harr0ey (idea) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml

  • Fact-PCcontrol-CPLFExec – The Windows control panel process has loaded control panel items outside of the folders they are loaded from by default. This sigma rule is authored by Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml

  • Fact-PCdllhost-UACCOM – The 'dllhost.exe' process has been used to bypass UAC using COM objects. This sigma rule is authored by Nik Seetharaman, Christian Burkard (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml

  • Fact-PCpwrshell-En-SuspEnc – The PowerShell process has been used to execute a command associated with the ChromeLoader malware. This sigma rule is authored by Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml

  • Fact-PCfsutil-JDel – The FSUtil (File System Utility) process has been used to create or delete a journal. This sigma rule is authored by Ecco, E.M. Anhaus, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml

  • Fact-PCnwp-NWP-PPP – A Windows system process has been spawned by a parent process that's in a folder it shouldn't normally execute from. This sigma rule is authored by vburov and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml

  • NumCP-FDel-UnixLogFilesC-U – An abnormal number of log files have been deleted by this user in Unix systems.

  • Fact-PCforfiles-IC – The 'forfiles.exe' process has spawned a child process. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml

  • NumDCP-Login-DZC-UD-DZ – An abnormal number of unique destination network zones have been observed in login events for users in this department. These events may include both failed and successful logins.

  • Fact-PCpwrshell-Base64En – The PowerShell process has been used to decode a Base64 string using 'frombase64string'. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml

  • Prof-Web-WebDom-O-Tld – This is the first time a successful HTTP communication to this top level domain has been observed for the organization.

  • NumSP-FRead-FS-B-Bytes – An abnormal amount of file bytes have been read in this bucket for this user.

  • Fact-EL-UnauthorizedWindowsRDP – An unauthorized user has attempted and failed a Remote Desktop Protocol (RDP) login to a Windows endpoint.

  • Prof-PLA-Loc-U-LocBldg – This is the first time this user has physically accessed this building.

  • Prof-Login-Plt-U-Plt – This is the first time this user has attempted to log into this platform. These events do not include endpoint events and may include both failed and successful logins.

  • Prof-AuditPolicyMod-U-O-U – This is the first time this user has performed an audit policy modification. These events may include both failed and successful modifications.

  • NumDCP-PLA-LocC-U-LocCity – An abnormal number of unique cities have been observed in physical access events for this user.

  • Fact-PCbitsadmin-AbP – The 'bitsadmin.exe' process has been spawned by a command line executable. This sigma rule is authored by Florian Roth (Nextron Systems), Tim Shelton and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml

  • Fact-PCrundll32-ADllLoad-Trojan – The 'rundll32.exe' process has loaded a module from the AppData folder. This sigma rule is authored by Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml

  • Prof-GA-Op-Plt-Op – This is the first time this operation has been observed for this platform. Operations can include function types, APIs, application activities and more.

  • Prof-GA-E-Plt-SZ – This is the first time an activity from this network zone has been observed for this platform.

  • NumDCP-PLA-LocC-U-LocDoor – An abnormal number of unique doors have been observed in physical access events for this user.

  • Fact-FWrite-DExt – A file with an '.exe' extension following a non-executable extension was written to. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml

  • Fact-PCrundll32-Cpl – The Windows control panel process has spawned the 'rundll32.exe' process. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml

  • Fact-PCIOC-Archer – The 'rundll32.exe' process has executed a command associated with the Archer malware service. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_malware_fireball.yml

  • Prof-PCpwrshell-En-O-U – This is the first time a process execution of a PowerShell process with an encrypted command has been observed for this user.

  • Fact-WebMtgM-RmPwd – A meeting has been modified to remove the meeting password.

To map pre-built analytics rules to the Defense Impairment tactic and remove the mapping to the obsolete Defense Evasion tactic, mitre was updated for the following pre-built analytics rule:

  • Fact-PC-DisableHistoryCol – History collection can be disabled in unix shells by modifying the history environment variables. This can help the attacker ot evade detection.

  • Fact-PCreg-WDigest – The 'reg.exe' has been used to enable WDigest authentication through the registry.

  • Prof-DS-E-UD-SE – This is the first time a user in this department performed an activity on a directory service object from this endpoint.

  • Fact-RA-WDigest – The WDigest authentication protocol, which uses clear-text credential caching, has been enabled via the registry.

  • Prof-PCca-U-O-U – This is the first time root certificate has been installed on a Linux machine using 'update-ca-certificates' or 'update-ca-trust' for this user.

  • Fact-PCnetsh-FD – The NetSh (Network Shell) process has been used to disable the Windows firewall. This sigma rule is authored by Fatih Sirin and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml

  • Prof-DS-E-O-SE – This is the first time a user in the organization performed an activity on a directory service object from this endpoint.

  • Prof-DS-E-O-SZ – This is the first time a user in the organization performed an activity on a directory service object from this network zone.

  • Fact-PC-DisableAuditd – Auditd service was disabled.

  • NumCP-PC-ChownCount-U – An abnormal number of 'chown' (Change Owner) process executions have been observed for this user.

  • Fact-PCtakeown-FO – The 'takeown.exe' process has been used to take ownership of a file or a folder.

  • Fact-PCfltmc-SysmonDU – The FltMC (Filter Manager Control) process has been used to unload the Sysmon driver. This sigma rule is authored by Kirill Kiryanov, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml

  • Fact-FWrite-SELinuxConfigFile – The SELinux (Security-Enhanced Linux) configuration file was written to.

  • NumCP-DSOW-EC-O – An abnormal number of directory service write events have been observed for the organization. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Prof-DS-DSOC-U-DSOC – This is the first time this user performed an activity on a directory service object with this object class.

  • Fact-U-PrivMM – A non-privileged user has been observed accessing an attribute of a privileged directory service user account.

  • Prof-Fwrite-U-O-U-Plist – This is the first time a plist file was created by this user.

  • NumDCP-FWrite-AuditRule-U-DE – An abnormal number of unique endpoints where this user modified the audit.rules file in Unix system.

  • Prof-DSF-AT-U-AT – This is the first time this directory service activity type failed for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • NumDCP-CA-DAC-U-Disks – An abnormal number of volumes were attached to instances by this user. These events may include both failed and successful attachments.

  • Fact-PCsetenforce-DisableSELinux – The 'setenforce' command has been used to disable the SELinux (Security-Enhanced Linux).

  • Fact-RegW-SIP – A SIP component has been modified via the registry.

  • Prof-DSF-AT-UD-AT – This is the first time this directory service activity type failed for users in this department. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Prof-DS-DSOC-UD-DSOC – This is the first time a user in this department performed an activity on a directory service object with this object class.

  • Fact-RegW-RootCert – A root certificate has been installed via the registry.

  • NumCP-PC-ChmodCount-U – An abnormal number of 'chmod' (Change Mode) process executions have been observed for this user.

  • Prof-PC-Sysvol-O-UD – This is the first time a SYSVOL domain group policy has been accessed by a process for users in this department.

  • Fact-FWrite-SystemCADirs – A file was written in a System CA (Certificate Authority) directory.

  • Prof-RegW-SafeBoot-O-U – This is the first time this user has modifed the safe mode boot configuration by writing to a registry value/key under the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal.

  • Prof-DS-E-U-SE – This is the first time this user performed an activity on a directory service object from this endpoint.

  • Fact-PCspctl-DisableGatekeeper – The 'spctl' command has been used to disable the Gatekeeper.

  • Prof-PC-FPermMod-Cacl-O-U – This is the first time a file or folder permissions have been modified using 'icacls.exe' or 'cacls.exe' for this user.

  • NumCP-DSOW-EC-UD – An abnormal number of directory service write events have been observed for users in this department. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Prof-DS-E-U-SZ – This is the first time this user performed an activity on a directory service object from this network zone.

  • Fact-PCicacls-FPermMod-Everyone – The ICACLs (Integrity Control Access Control Lists) process has been used to grant global permissions on a file.

  • Prof-CA-SC-O-U – This is the first time this user has successfully created a snapshot of a compute instance.

  • Fact-PCwevtutil-EventTracingDisable – The WEvtUtil (Windows Event Utility) process has been used to disable an ETW (Event Tracing for Windows). This sigma rule is authored by @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml

  • Fact-PCbcdedit-ESP – The BCDEdit (Boot Configuration Data Edit) process has been used to enable test signing.

  • Fact-PCauditctl-DeleteRules – The 'auditctl' command has been used to delete the audit rules.

  • Fact-PCappcmd-IIS – The 'appcmd.exe' (IIS Application Command Line) process has been used to disable IIS HTTP logging .

  • Prof-CA-DA-O-U – This is the first time this user has successfully attached a volume to an instance.

  • Fact-PCjava-JavaRD – The Java process has been executed with remote debugging allowed for more than just the localhost. This sigma rule is authored by Florian Roth (Nextron Systems) and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml

  • NumCP-RuleDel-EC-U – An abnormal number of security rules deletion events have been observed for this user.

  • Prof-EW-DCShadow-SE-O-SE – This is the first time the GC (global catalog) and DRS (directory replication service) service principal names have been added to this matured endpoint. These SPNs are required for the active directory replication process, and can be added to a rogue domain controller to execute a DCShadow attack.

  • Prof-DS-E-UD-SZ – This is the first time a user in this department performed an activity on a directory service object from this network zone.

  • Fact-PCpwrshell-AMSI – The PowerShell process has been used to disable AMSI (Anti Malware Scan Interface) Scanning using AmsiInitFailed. This sigma rule is authored by Markus Neis, @Kostastsale and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml

  • Fact-RegW-EventLogDisabled – The Event Log service has been disabled via the registry.

  • Prof-Fwrite-AuditRule-O-U – This is the first time an audit rule file has been modified by this user.

  • NumCP-DSOW-EC-U – An abnormal number of directory service events have been observed for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Prof-DS-A-UDSOT-A – This is the first time this activity has been observed on this directory service object class for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Fact-RegW-CodeSigningPolicy – A code signing policy has been modified by writing to the registry key HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing.

  • Prof-DS-DSOC-O-DSOC – This is the first time a user in the organization performed an activity on a directory service object with this object class.

To remove the mapping to the obsolete Defense Evasion tactic, mitre was updated for the following pre-built analytics rule:

  • NumCP-AI-U-Guardrail-Block – An abnormal amount of AI guardrail violations have been observed for a user.

  • Prof-PC-U-O-USudo – This is the first time a process execution of a 'sudo' (Superuser Do) command has been observed for this user.

  • Fact-PC-Visudo – The /etc/sudoers file is typically edited using the visudo command, which provides a safe way to make changes to the file and prevents multiple simultaneous edits, reducing the risk of syntax errors that could lock users out of administrative access. An attacker can try to read this file to know what user he should get access to, or he can try to write to this file and give a user he have access to these privileges.

  • Fact-PC-Chmod-Setuid – An adversary may change the setuid bits set in order to get code running in a different (and possibly more privileged) user's context

  • Fact-PCwsreset-UAC – The WSReset (Windows Store Reset) process has spawned a child process that it shouldn't normally spawn. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml

  • Prof-ELNAC-E-U-SMac – This is the first a network access control login event has been observed coming from this MAC address for this user. These events may include both failed and successful logins.

  • Prof-RegW-AppPaths-O-U – This is the first time this user has modified a registry key\value under the App Paths key '[HKLM/HKCU]\Software\Microsoft\Windows\CurrentVersion\App Paths'.

  • Prof-EL-HT-U-HT – This is the first time this user has attempted to log into an endpoint of this type (server, workstation...). These events may include both failed and successful logins.

  • NumCP-PC-SudoCount-U – An abnormal number of 'sudo' (Superuser Do) process executions have been observed for this user.

  • Prof-BPM-Public-O-U – This is the first time this user has attempte to modify the IAM policy or the ACL of an AWS bucket to make it public to all users. These events may include both failed and successful modifications.

  • Fact-CPM-PCrit-AWSAdmin – A policy with critical administrative permissions has been successfully created or attached to an identity in AWS. Policies in AWS are the documents that dictates what permissions are granted to identities and resources.

  • Fact-FA-Sudoers – The /etc/sudoers file is a critical configuration file in Unix-based operating systems. It controls the access and privileges granted to users and groups to execute commands with elevated privileges (root or superuser privileges) using the sudo command. An attacker can try to read this file to know what user he should get access to, or he can try to write to this file and give a user he have access to these privileges.

  • Prof-DS-AT-DSOC-AT – This is the first time this activity has been observed for this directory service object class. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Fact-PCfodhelper-UAC – The 'fodhelper.exe' has spawned a child process. This sigma rule is authored by E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml

  • Prof-ELF-E-U-DE – This is the first time this user has failed to log into this endpoint. The user might have logged in successfully before, but this is the first time a failed login event was observed on the endpoint.

  • Prof-EL-EDC-O-SZ – This is the first time an endpoint login event to a domain controller has been observed originating from this network zone for the organization. These events may include both failed and successful logins.

  • Fact-PCsharphound-BloodHound – The 'sharphound.exe' (a network domain enumeration tool) process has been executed.

  • Prof-DS-AT-U-AT – This is the first time this directory service activity has been observed for this user. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Fact-Web-AIA-U-BlockedAILLM – An HTTP communication attempt involving an AI application (e.g., ChatGPT, GitHub Copilot) has been blocked. This may indicate shadow AI usage, attempted policy evasion, or early stage data leak behavior.

  • Prof-EL-AP-U-AP – This is the first time this user has attempted to perform a remote Windows login or access using this authentication package. These events may include both failed and successful logins.

  • Prof-EL-E-U-SE – This is the first time this user attempted to login from this endpoint. These events may include both failed and successful logins.

  • Fact-PC-Chmod-Setgid – An adversary may change the setgid bits set in order to get code running in a different (and possibly more privileged) user's context

  • Prof-RegW-UAC-O-U – This is the first time this user has modified or created a registry key\value under the UAC configuration key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'.

  • Prof-DS-Attr-U-Attr – This is the first time this privileged user accessed this directory service attribute.

  • Prof-EL-NTLM-O-SE – This is the first time a successful NTLM login has been observed from this endpoint.

  • Prof-EL-E-U-DE – This is the first time this user attempted to log into this endpoint. These events may include both failed and successful logins.

  • Prof-DS-AT-SE-AT – This is the first time this directory service activity has been observed from this endpoint. Directory services typically manage various types of objects to organize and administer resources within a network environment.

  • Fact-PC-Setfile-HiddenFile – The "setfile" unix process can be used to make files hidden by modifying their attributes, making sure they remain undetected by users. An attacker can create hidden file to evade detection.

  • Fact-RegW-TrustProvider – A trust provider component has been modified via the registry.

  • Prof-EL-E-UD-DE – This is the first time a user from this department attempted to log into this endpoint. These events may include both failed and successful logins.

  • Prof-BC-U-O-U – This is the first time this user has successfully created a cloud storage bucket.

To remove the mapping to the Evasion Exabeam use case, usecase was updated for the following pre-built analytics rules:

  • Fact-PC-Visudo – The /etc/sudoers file is typically edited using the visudo command, which provides a safe way to make changes to the file and prevents multiple simultaneous edits, reducing the risk of syntax errors that could lock users out of administrative access. An attacker can try to read this file to know what user he should get access to, or he can try to write to this file and give a user he have access to these privileges.

  • Fact-PC-Chmod-Setuid – An adversary may change the setuid bits set in order to get code running in a different (and possibly more privileged) user's context

  • Fact-RegW-AppInit – An AppInit DLL registry configuration has been modified or created under the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' or 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'

  • Fact-RegW-AppShim – A registry key/value has been created under the Shim database registry key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom' or 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

  • Prof-GA-Brwsr-O-Brwsr – This is the first time this web browser has been observed for the organization.

  • Fact-PCscrcons-WMI – The 'scrcons.exe' process (WMI script event consumer) has been executed. This sigma rule is authored by Thomas Patzke and is licensed under Detection Rule License (DRL), https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md. Reference: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml

  • Fact-RegW-RunService – Run Services registry keys have been modified.

  • Fact-RegW-Netshell – A NetShell helper DLL has been registered or modified by writing the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh'.

  • Fact-PC-Chmod-Setgid – An adversary may change the setgid bits set in order to get code running in a different (and possibly more privileged) user's context

  • Prof-RegW-UAC-O-U – This is the first time this user has modified or created a registry key\value under the UAC configuration key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'.

  • Fact-RegW-AppCert – An AppCert DLL registry configuration has been modified or created under the registry key 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'

To map pre-built analytics rules to the OWASP Top 10 for Agentic Applications framework so you can assess your coverage in Outcomes Navigator, owasp was added to the following pre-built analytics rules:

  • Prof-PC-AIT-U-BREW-Agent – This is the first time a Brew package of an AI agent has been installed by this user.

  • Prof-PC-AIT-SE-PIP-Framework – This is the first time a Python package of an AI development framework has been installed on this endpoint.

  • Prof-PC-AIT-U-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed by this user.

  • Prof-PC-AIT-SE-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned on this endpoint.

  • Prof-PC-AIT-UD-CURL-Agent – This is the first time an AI agent has been installed using CURL by users in this department.

  • Prof-PC-AIT-UD-PIP-Framework – This is the first time a Python package of an AI development framework has been installed by users in this department.

  • NumCP-SA-TP-AC-DLP-UO – An abnormal number of of DLP violations via AI for the organization have been performed by this user.

  • Prof-PC-AIT-SE-PIP-Agent – This is the first time a Python package of an AI agent has been installed on this endpoint.

  • Prof-AI-TI-U-TN – This is the first time this AI agent tool has been invoked by this user.

  • Prof-PC-AIT-SE-CURL-Framework – This is the first time an AI development framework has been installed using CURL on this endpoint.

  • Fact-Web-AIA-LargeDownload – A large inbound byte transfer was observed from a download-related domain categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

  • NumCP-AI-QC-WID – An abnormal number of successful AI requests has been observed for this workspace. AI requests may consist of one or more prompts.

  • Prof-PC-AIT-U-CURL-Framework – This is the first time an AI development framework has been installed using CURL by this user.

  • Prof-PC-AIT-UD-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed by users in this department.

  • Fact-AI-PI-Base64 – An AI request with a base64 string has been sent. While not inherently malicious, Base64 encoding in an AI request may indicate prompt obfuscation.

  • Fact-AI-PI-ShowSystemPrompt – An AI request attempting to display the AI system prompt has been sent.

  • Prof-PC-AIT-SE-BREW-Agent – This is the first time a Brew package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-U-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-CURL-Agent – This is the first time an AI agent has been installed using CURL by this user.

  • NumCP-AI-QC-UO – An abnormal number of successful AI requests for the organization have been performed by this user. AI requests may consist of one or more prompts.

  • NumCP-AI-TC-O-U – An abnormal amount of tool calls have been observed for the organization by this user.

  • Prof-PC-AIT-UD-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed by users in this department.

  • NumCP-SA-TP-AC-DLP-U – An abnormal number of DLP violations via AI have been observed for this user.

  • Prof-AI-TI-UTN-FN – This is the first time this AI agent tool function has been invoked by this user.

  • Prof-AI-PI-O-U-Exec – This is the first time an AI request that attempts to cause the agent to execute a command or a script has been sent by this user.

  • Prof-PC-AIT-UD-PIP-Agent – This is the first time a Python package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-U-PIP-Framework – This is the first time a Python package of an AI development framework has been installed by this user.

  • Prof-PC-AIT-UD-BREW-Agent – This is the first time a Brew package of an AI agent has been installed by users in this department.

  • NumCP-AI-TC-O-SIP – An abnormal amount of tool calls have been observed for the organization by this source IP.

  • Prof-Network-OpenClawWebSocket-DE-SE – This is the first time a successful connection to port 18789 has been observed from this source endpoint to this destination endpoint. The port 18789 is the default port of OpenClaw WebSocket Gateway.

  • Prof-PC-AIT-SE-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned on this endpoint.

  • Prof-PC-AIT-UD-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned by users in this department.

  • Prof-PC-AIT-SE-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed on this endpoint.

  • Prof-AI-T-U-Tokens – An abnormal number of tokens for a single successful AI request has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • NumSP-AI-TS-UO-Tokens – An abnormal sum of tokens in successful AI requests and responses has been observed for the organization and has been attributed to this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-PC-AIT-U-PIP-Agent – This is the first time a Python package of an AI agent has been installed by this user.

  • Prof-PC-AIT-UD-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned by users in this department.

  • Prof-PC-AIT-SE-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed on this endpoint.

  • NumCP-AI-TC-U – An abnormal amount of tool calls have been observed for this user.

  • Prof-Fwrite-U-DE-U-OpenClaw – This is the first time this user has created or modified a file in the folder ~/.openclaw on this endpoint

  • Prof-PC-AIT-U-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned by this user.

  • NumSP-Web-Bytes-AIA-U-DownloadBytesIn – An abnormal inbound byte volume was observed for this user from download-related domains categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

  • Prof-Network-FromExtIP-DE-DP – This is the first time a successful connection to this port has been initiated by an external IP for this target endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • Prof-AI-TI-O-TN – This is the first time this AI agent tool has been invoked.

  • NumCP-AI-QC-U – An abnormal number of successful AI requests have been performed by this user. AI requests consist of one or more prompts.

  • Prof-AI-T-O-Tokens – An abnormal number of tokens for a single successful AI request has been observed for the organization. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Fact-AI-PI-IgnoreInsruct – An AI request attempting to cause the agent to ignore instructions has been sent.

  • Prof-PC-AIT-SE-CURL-Agent – This is the first time an AI agent has been installed using CURL on this endpoint.

  • Prof-PC-AIT-UD-CURL-Framework – This is the first time an AI development framework has been installed using CURL by users in this department.

  • Prof-PC-AIT-U-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned by this user.

To better account for ephemeral ports, windowPeriod, windowDuration, trainOnCondition, and query were updated for the following pre-built analytics rule:

  • NumDCP-Network-DPC-SEDE-DP – An abnormal number of unique target ports have been observed in internal communication that initiated by this endpoint to this destination endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

To better account for ephemeral ports, featureValue, trainOnCondition, and scopeValue were updated for the following pre-built analytics rules:

  • Prof-Network-Country-DEDP-SCountry – This is the first time a successful network connection has been observed from this country, determined by geolocation lookup, to this endpoint with this port.

  • Prof-Network-Country-DP-SCountry – This is the first time a successful network connection has been observed from this country, determined by geolocation lookup, to the organization with this port.

  • Prof-Network-FromExtIP-DZ-DP – This is the first time a successful connection to this port has been initiated by an external IP for this target zone. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

To better account for ephemeral ports, trainOnCondition and query were updated for the following pre-built analytics rules:

  • NumSP-Network-BytesToExtIP-Failed-SE-Bytes – An abnormal amount of bytes have failed to be sent in communication that initiated from this endpoint to an external IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumSP-Network-BytesToExtIP-SE-Bytes – An abnormal amount of bytes have been sent in communication that initiated from this endpoint to an external IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

  • NumSP-Network-BytesToExtIP-SZ-Bytes – An abnormal amount of bytes have been sent in communication that initiated in this network zone to an external IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

To better account for ephemeral ports, trainOnCondition and featureValue were updated for the following pre-built analytics rule:

  • Prof-Network-Country-O-SCountry – This is the first time a successful network connection has been observed from this country, determined by geolocation lookup, to the organization.

  • Prof-Network-FromExtIP-DE-DP – This is the first time a successful connection to this port has been initiated by an external IP for this target endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • Prof-Network-FromExtIP-O-DE – This is the first time a successful connection to this endpoint has been initiated by an external IP for the organization. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • Prof-Network-FromExtIP-O-DP – This is the first time a successful connection to this port has been initiated by an external IP for the organization. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • Prof-Network-FromExtIP-O-DP – This is the first time a successful connection to this port has been initiated by an external IP for the organization. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • Prof-Network-FromExtIP-O-DZ – This is the first time a successful connection to an endpoint in this network zone has been initiated by an external IP for the organization. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

To better account for ephemeral ports, the following obsolete pre-built analytics rules were removed:

  • Cntx-Network-DPClass – Target port class. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumDCP-Network-DIPC-O-DIP-SE-Fail – An abnormal number of unique target IPs have been observed in failed internal communications for the organization per initiated endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumDCP-Network-DIPC-O-DIP-SIP-Fail – An abnormal number of unique target IPs have been observed in failed internal communications for the organization per initiated IP. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumDCP-Network-DIPC-O-DIP-U-Fail – An abnormal number of unique target IPs have been observed in failed internal communications for the organization per user. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumDCP-Network-DIPC-SE-DIP-Fail – An abnormal number of unique target IPs have been observed in failed internal communications that initiated by this endpoint. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

  • NumDCP-Network-DIPC-U-DIP-Fail – An abnormal number of unique target IPs have been observed in failed internal communications by this user. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator.

To better account for ephemeral ports, the following obsolete pre-built analytics rule was removed and replaced by a new early access pre-built analytics rule:

  • NumSP-Network-BytesFromExtIP-SZ-Bytes – An abnormal amount of bytes have been sent in externally initiated communication to this network zone. If the initiator cannot be determined from the event, it is inferred based on port values: the IP\endpoint communicating with the lower port is considered the initiator. These events may include both failed and successful communications.

Generally Available Pre-Built Analytics Rules

After an early access period, a selection of pre-built analytics rules are now generally available.

You can now better detect abnormal cloud application activity with the following generally available pre-built analytics rules:

  • Prof-ACG-App-Plt-App – This is the first time this application got consent in this platform.

  • Prof-ACG-Perm-Plt-Perm – This is the first time a consent granted with these permissions to applications in this platform.

  • Prof-ACG-Perm-UDPlt-Perm – This is the first time a consent granted with these permissions to applications by users in this department.

  • Prof-ACG-Perm-UPlt-Perm – This is the first time a consent granted with these permissions to applications by this user.

  • NumSP-MItemRead-NMS-U-NA – An abnormal number of emails have been read by this user.

  • Prof-MFPermMod-U-O-U – This is the first time a mailbox folder permission was modified by this user for the organization.

You can now detect when AI agents have been downloaded or installed with the following generally available pre-built analytics rules:

  • Cntx-PC-Critical-AIA – Process is a known AI agent: True\False

  • Cntx-PC-Critical-AIF – Process is a known AI development framework: True\False

  • Cntx-PC-Critical-Parent-AIA – Parent process is a known AI agent: True\False

  • Cntx-PC-Critical-Parent-AIF – Parent process is a known AI development framework: True\False

  • Fact-Web-AIA-LargeDownload – A large inbound byte transfer was observed from a download-related domain categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

  • NumSP-Web-Bytes-AIA-U-DownloadBytesIn – An abnormal inbound byte volume was observed for this user from download-related domains categorized as AI, ML, Generative AI, LLM, or equivalent by a web security vendor.

  • Prof-PC-AIT-SE-BREW-Agent – This is the first time a Brew package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-SE-CURL-Agent – This is the first time an AI agent has been installed using CURL on this endpoint.

  • Prof-PC-AIT-SE-CURL-Framework – This is the first time an AI development framework has been installed using CURL on this endpoint.

  • Prof-PC-AIT-SE-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned on this endpoint.

  • Prof-PC-AIT-SE-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned on this endpoint.

  • Prof-PC-AIT-SE-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-SE-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed on this endpoint.

  • Prof-PC-AIT-SE-PIP-Agent – This is the first time a Python package of an AI agent has been installed on this endpoint.

  • Prof-PC-AIT-SE-PIP-Framework – This is the first time a Python package of an AI development framework has been installed on this endpoint.

  • Prof-PC-AIT-U-BREW-Agent – This is the first time a Brew package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-CURL-Agent – This is the first time an AI agent has been installed using CURL by this user.

  • Prof-PC-AIT-U-CURL-Framework – This is the first time an AI development framework has been installed using CURL by this user.

  • Prof-PC-AIT-U-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned by this user.

  • Prof-PC-AIT-U-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned by this user.

  • Prof-PC-AIT-U-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed by this user.

  • Prof-PC-AIT-U-PIP-Agent – This is the first time a Python package of an AI agent has been installed by this user.

  • Prof-PC-AIT-U-PIP-Framework – This is the first time a Python package of an AI development framework has been installed by this user.

  • Prof-PC-AIT-UD-BREW-Agent – This is the first time a Brew package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-UD-CURL-Agent – This is the first time an AI agent has been installed using CURL by users in this department.

  • Prof-PC-AIT-UD-CURL-Framework – This is the first time an AI development framework has been installed using CURL by users in this department.

  • Prof-PC-AIT-UD-GitClone-Agent – This is the first time a GitHub repository of an AI agent has been cloned by users in this department.

  • Prof-PC-AIT-UD-GitClone-Framework – This is the first time a GitHub repository of an AI development framework has been cloned by users in this department.

  • Prof-PC-AIT-UD-NPM-Agent – This is the first time a JavaScript named package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-UD-NPM-Framework – This is the first time a JavaScript named package of an AI development framework has been installed by users in this department.

  • Prof-PC-AIT-UD-PIP-Agent – This is the first time a Python package of an AI agent has been installed by users in this department.

  • Prof-PC-AIT-UD-PIP-Framework – This is the first time a Python package of an AI development framework has been installed by users in this department.

  • Prof-Web-AIA-O-WebDomain – This is the first outbound HTTP session to this AI, ML, Generative AI, or LLM application web domain in the organization.

You can now accurately detect abnormal AI agent activity with the following generally available pre-built analytics rules:

  • Fact-AI-Del – An AI agent has been deleted by a user.

  • NumSP-AI-TS-U-Tokens – An abnormal sum of tokens in successful AI requests and responses has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • NumSP-AI-TS-UO-Tokens – An abnormal sum of tokens in successful AI requests and responses has been observed for the organization and has been attributed to this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-T-O-Tokens – An abnormal number of tokens for a single successful AI request has been observed for the organization. If the number of tokens is not available, tokens are estimated at one token per four letters.

  • Prof-AI-T-U-Tokens – An abnormal number of tokens for a single successful AI request has been observed for this user. If the number of tokens is not available, tokens are estimated at one token per four letters.

You can now detect suspicious OpenClaw agent activity with the following generally available pre-built analytics rules:

  • Prof-Fwrite-U-DE-U-OpenClaw – This is the first time this user has created or modified a file in the folder ~/.openclaw on this endpoint

  • Prof-Network-OpenClawWebSocket-DE-SE – This is the first time a successful connection to port 18789 has been observed from this source endpoint to this destination endpoint. The port 18789 is the default port of OpenClaw WebSocket Gateway.

You can now detect abnormal tool calls with the following generally available pre-built analytics rules:

  • NumCP-AI-TC-O-SIP – An abnormal amount of tool calls have been observed for the organization by this source IP.

  • NumCP-AI-TC-O-U – An abnormal amount of tool calls have been observed for the organization by this user.

  • NumCP-AI-TC-U – An abnormal amount of tool calls have been observed for this user.

You can now detect third-party AI alerts with the following generally available pre-built analytics rules:

  • Fact-SA-AITPA-HR – A high-risk misuse of AI has been detected by a third-party vendor.

  • NumCP-SA-TP-AC-DLP-U – An abnormal number of DLP violations via AI have been observed for this user.

  • NumCP-SA-TP-AC-DLP-UO – An abnormal number of of DLP violations via AI for the organization have been performed by this user.

  • NumCP-SA-TP-AC-U – An abnormal number of AI third-party alerts have been observed for this user.

  • NumCP-SA-TP-AC-UO – An abnormal number of of AI third-party alerts for the organization have been performed by this user.

You can now better detect model context protocol (MCP) permission abuse and high-confidence API control-plane activity with the following generally available pre-built analytics rule:

  • Prof-Git-MCP-O-U – This is the first time this user has accessed an MCP-related GitHub repository using a token.

Resolved Issues

Attack Surface Insights Resolved Issues

ID

Description

ENG-101146

Attack Surface Insights tags were no longer available to use in other applications, including Threat Center, Dashboards, and Automation Management:

  • In Threat Center, you were unable to search for Attack Surface Insights tags using the Tags field.

  • In Dashboards, dashboards that referenced Attack Surface Insights tags weren't working as expected.

  • In Automation Management, playbooks that referenced Attack Surface Insights tags weren't working as expected.

Now, Attack Surface Insights tags are available and usable across all applications.