This release includes small modifications to First Seen rule type baseline and retention periods, and switches rule status from Prototype state, allowing more of these rules to contribute to CSE Insights. The Microsoft Office 365 Audit parser now formulates key value pairs from the 'OperationProperties' array included in some messages.
Rules
- [Updated] FIRST-S00002 First Seen AWS API Call from User
- [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User
- [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
- [Updated] FIRST-S00003 First Seen AWS Secrets Manager API Call from User
- [Updated] FIRST-S00001 First Seen Administrative Privileges Granted for User
- [Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
- [Updated] FIRST-S00019 First Seen Azure Member Addition to Group from User
- [Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
- [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
- [Updated] FIRST-S00028 First Seen Common Windows Recon Commands From User
- [Updated] FIRST-S00013 First Seen Driver Load - Global
- [Updated] FIRST-S00014 First Seen Driver Load - Host
- [Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
- [Updated] FIRST-S00027 First Seen InstallUtil Allow List Bypass From User
- [Updated] FIRST-S00017 First Seen Kerberoasting Attempt from User - Global
- [Updated] FIRST-S00018 First Seen Kerberoasting Attempt from User - Host
- [Updated] FIRST-S00004 First Seen Local Group Addition by User
- [Updated] FIRST-S00015 First Seen Macro Execution from User
- [Updated] FIRST-S00016 First Seen Non-Network Logon from User
- [Updated] FIRST-S00010 First Seen PowerShell Execution from Computer
- [Updated] FIRST-S00009 First Seen RDP Logon From User
- [Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
- [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
- [Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global
- [Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host
Parsers
- [Updated] /Parsers/System/Microsoft/Office 365