Rules Catalog updates! (AWS GuardDuty, Cloudflare, Defender, HarfangLab, HTML Smuggling, Office 365, Okta, Systemd, Venom)

In the past weeks several verified rules have been published to improve the detection capabilities on two main topics:

  • Integrations, to raise alerts based on the events of the related security products

    • 3 AWS GuardDuty rules from low to high severity
    • 1 Cloudflare Gateway rule to detect blocked files
    • 5 HarfangLab rules from low to critical level
    • 4 Microsoft Defender for Office 365 rules from low to high severity
    • 1 Okta rule for phishing detection
  • Threats

    • 1 correlation rule for the HTML Smuggling technique used in some malware infection chains (Qakbot, IcedID)
    • 1 correlation rule to detect a successful login on Linux after an su brute-force attempt
    • 1 correlation rule to detect discovery of existing TCP connections on Linux
    • 1 correlation rule to detect payload downloads using command line tools on Linux
    • 1 rule to detect Venom proxy tool usage by attackers
    • 1 rule to detect the copy of a Windows binary to another folder (used by attackers to avoid detection during execution)
    • 1 rule to detect network requests used by the Konni malware
    • 1 rule to detect IIS module installation using the AppCmd command
    • 2 Linux rules to detect persistence techniques using Systemd
    • 1 Linux rule to detect privilege escalation using a sudo feature

If you have not done so yet, please create a notification that is triggered when new rules are created; this can be done in the Sekoia.io User Center. Also, if you need more information on rule changes, these are now listed on a dedicated documentation page: https://docs.sekoia.io/xdr/features/detect/rules_changelog/

What do you think about this update?