Overall improvements to OOTB First Seen rules include minor baseline tweaks and severity adjustments for the following rules. For corrections involving logic adjustment, additional context is included within the individual rule. This update also adds Alternative Values for ProofPoint TAP Mappers.
Rules
- [Updated] FIRST-S00002 First Seen AWS API Call from User; General logic improvement to filter on valid Identity type
- [Updated] FIRST-S00023 First Seen AWS API Gateway Enumeration by User; General logic improvement to filter on valid application
- [Updated] FIRST-S00024 First Seen AWS SSM RunShellScript SendCommand From User
- [Updated] FIRST-S00026 First Seen Anonymous Logon Change Activity to Domain Controller
- [Updated] FIRST-S00007 First Seen DynamoDB Enumeration from User
- [Updated] FIRST-S00004 First Seen Local Group Addition by User
- [Updated] FIRST-S00009 First Seen RDP Logon From User
- [Updated] FIRST-S00022 First Seen S3 Bucket ACL Enumeration by User
- [Updated] FIRST-S00025 First Seen SMB Allowed Traffic From IP
- [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country
- [Updated] FIRST-S00011 First Seen Sysmon IMPHASH - Global; Reconfigured to be disabled by default
- [Updated] FIRST-S00012 First Seen Sysmon IMPHASH - Host; Reconfigured to be disabled by default
- [Updated] FIRST-S00005 First Seen User Creation From User
- [Updated] FIRST-S00008 First Seen whoami command From User
Log Mappers
- [Updated] Proofpoint Targeted Attack Protection C2C - Click Blocked
- [Updated] Proofpoint Targeted Attack Protection C2C - Click Permitted
- [Updated] Proofpoint Targeted Attack Protection C2C - Message Blocked
- [Updated] Proofpoint Targeted Attack Protection C2C - Message Delivered
- [Updated] Proofpoint Targeted Attack Protection C2C - Message Permitted