February 22, 2023 - Content Release

Rules

  • [New] FIRST-S00001 First Seen Administrative Privileges Granted for User
  • [New] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
  • [New] FIRST-S00004 First Seen Local Group Addition by User
  • [New] FIRST-S00005 First Seen User Creation From User
  • [New] FIRST-S00006 First Seen Weak Kerberos Encryption from User
  • [New] FIRST-S00007 First Seen DynamoDB Enumeration from User
  • [New] FIRST-S00008 First Seen whoami command From User
  • [New] FIRST-S00009 First Seen RDP From User
  • [New] FIRST-S00010 First Seen PowerShell Execution from Computer
  • [New] FIRST-S00011 First Seen Sysmon IMPHASH - Global
  • [New] FIRST-S00012 First Seen Sysmon IMPHASH - Host
  • [New] FIRST-S00013 First Seen Driver Load - Global
  • [New] FIRST-S00014 First Seen Driver Load - Host
  • [New] FIRST-S00015 First Seen Macro Execution from User
  • [New] FIRST-S00016 First Seen Non-Network Logon from User
  • [New] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
  • [New] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
  • [New] FIRST-S00019 First Seen Azure Member Addition to Group from User
  • [New] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
  • [New] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
  • [New] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
  • [New] FIRST-S00023 First Seen AWS API Gateway Enumeration By User
  • [New] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
  • [New] FIRST-S00025 First Seen SMB Allowed Traffic From IP
  • [New] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
  • [New] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
  • [New] FIRST-S00028 First Seen Common Windows Recon Commands From User
  • [Updated] MATCH-S00534 MacOS - Re-Opened Applications

Log Mappers

  • [New] CloudTrail - ecs.amazonaws.com - AwsApiCall-ExecuteCommand

Copyright © 2023 by Sumo Logic, Inc.