In the past three months, 148 verified rules have been updated and 60 new rules published to improve our detection capabilities!
New rules raising alerts from the following integrated security products:
- AWS CloudTrail, 13 rules to detect Config DeleteConfigurationRecorder, EC2 CreateVPC, EC2 Instance Connect SendSSHPublicKey, EC2 Instance Connect SendSerialConsoleSSHPublicKey, EC2 CreateKeyPair, EC2 DeleteKeyPair, IAM AWSCompromisedKeyQuarantineV2, IAM ChangePassword, IAM CreateSAMLProvider, IAM DeleteSAMLProvider, IAM UpdateOpenIDConnectProviderThumbprint, Persistence By Creating KeyPair And SecurityGroup, Suspicious Discovery Commands.
- Check Point Harmony Mobile, 1 rule to detect Application Forbidden.
- CrowdStrike Falcon Mobile, 5 rules to detect Critical, High, Medium, Low, and Informational severity alerts.
- ExtraHop Reveal(x) 360, 2 rules for Intrusion Detection Critical and High Severity.
- Google Workspace, 12 rules to detect Admin Creation, Admin Modification, Anomaly Downloads, App Script Scheduled Task, Domain Delegation, Email Forwarding, External Sharing, Login Brute-Force, User Creation, User Deletion, User Suspended, and MFA Changed.
- HarfangLab EDR, 4 rules to detect Critical, High, Medium, and Low Threat.
- Microsoft Entra ID (Azure AD), 1 rule to detect MFA Method Change.
- Tenable Identity Exposure / Alsid, 2 rules to detect critical and high severity alerts.
Threats:
- Linux, 1 rule: Linux Suspicious Nohup Exec.
- Windows, 18 rules: Active Directory Data Export Using Csvde, Anomaly New PowerShell Remote Session, Anomaly Kerberos User Enumeration, Anomaly Possible Sysvol Dump, Anomaly Secret Store Access, Component Object Model Hijacking, Compression Followed By Suppression, Enabling Restricted Admin Mode, FLTMC command usage, Kerberos Pre-Auth Disabled in UAC, Rebooting, Remote System Discovery Via Telnet, Remote Monitoring and Management Software Atera, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Suspicious Kerberos Ticket, Windows Suspicious Service Creation, Windows Suspicious Scheduled Task Creation, Wmic Suspicious Commands, ZIP LNK Infection Chain.
The full rules changelog is available here: https://docs.sekoia.io/xdr/features/detect/rules_changelog/