Rules
- [New] MATCH-S00838 Azure Active Directory Authentication Method Changed
- [New] MATCH-S00836 Azure Conditional Access Policy Disabled
- [New] MATCH-S00839 Azure Virtual Machine RunCommand Issued
- [New] MATCH-S00837 Kubernetes Secrets Enumeration via Kubectl
- [New] MATCH-S00835 Possible Dynamic URL Domain
- [New] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
- [New] MATCH-S00841 Suspicious AWS CLI Keys Access on Linux Host
- [New] MATCH-S00840 Suspicious Lambda Function - IAM Policy Attached
- [Updated] THRESHOLD-S00074 Excessive Firewall Denies
- [Updated] LEGACY-S00008 Possible Dynamic DNS Domain
- [Updated] LEGACY-S00108 Threat Intel - Matched File Hash
Log Mappers
- [New] Airtable Audit C2C
- [New] Cisco Meraki Catch All - Custom Parser
- [Updated] Linux OS Syslog - Process fw - iptables Events
- [Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
- [Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
- [Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted
- [Updated] Windows - Security - 4624
Parsers
- [New] /Parsers/System/Airtable/Airtable Audit C2C
- [Updated] /Parsers/System/Cisco/Cisco ASA
- [Updated] /Parsers/System/Cisco/Cisco Meraki
- [Updated] /Parsers/System/Google/G Suite Audit
- [Updated] /Parsers/System/Linux/Linux OS Syslog
- [Updated] /Parsers/System/Linux/Shared/Linux Shared Syslog Headers
- [Updated] /Parsers/System/Okta/Okta