In the past three months, 31 verified rules have been updated and 36 new rules published to improve our detection capabilities!
Integrations, with rules that raise alerts based on events from the related security products:
- Cisco Identity Services Engine (ISE), 1 rule to detect configuration change
- Citrix NetScaler (ADC), 1 rule to detect blocked action
- CrowdStrike Falcon Identity Protection, 5 rules to detect informational, low, medium, high and critical severity alerts
- Jumpcloud Directory Insights, 6 rules to detect policy modification, API key update, account lockout, login from multiple countries, and successful brute-force attacks on the portal and on a workstation
- Okta, 1 rule to detect the reuse of device token
- Rubycat PROVEIT, 2 rules to detect service modification and successful login brute force
- Trend Micro Apex One, 3 rules to detect malware, intrusion detection and data loss prevention alerts
- Varonis Data Security, 1 rule to detect email alert
- WithSecure Elements, 1 rule to detect critical event
Threats:
- Linux, 3 rules: Container Credential Access, Linux Fileless Execution, Linux Binary Masquerading
- Windows, 8 rules: ACLight Discovering Privileged Accounts, Active Directory Shadow Credentials, AutoIt3 Execution From Suspicious Folder, AzureEdge in Command Line, Certify Or Certipy, HTA Infection Chains, Suspicious Windows Script Execution, Microsoft Windows Active Directory Module Commandlets, Remote Monitoring and Management Software - AnyDesk, Suspicious File Name
- Authentication related, 2 rules: Authentication Impossible Travel, Microsoft 365 Sign-in With No User Agent
Our rules changelog is available here: https://docs.sekoia.io/xdr/features/detect/rules_changelog/