This release includes bug fixes for several rules using match lists using the "column" field in the rule expression.
Rules
- [New] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address; External connections over the internet to port 445 could be indictative of hash leak attempts, including exploitation attempts for vulnerabilities such as CVE-2023-2397. This alert looks at a source IP address making a connection to a new external destination IP address since the baseline period.
- [Updated] FIRST-S00029 First Seen Successful Authentication From Unexpected Country; Added additional logic to help reduce false positives
- [Updated] THRESHOLD-S00096 Brute Force Attempt
- [Updated] MATCH-S00565 Direct Outbound DNS Traffic
- [Updated] THRESHOLD-S00103 Domain Brute Force Attempt
- [Updated] THRESHOLD-S00102 Domain Password Attack
- [Updated] THRESHOLD-S00095 Password Attack
- [Updated] CHAIN-S00008 Successful Brute Force
Log Mappers
- [New] OpenVPN Logon Attempt
- [New] OpenVPN Network Event
- [New] Snowflake Catch All
- [New] Snowflake Login
- [New] Windows Defender ATP Alert
- [Updated] Netskope - Audit Authentication Events - Logoff; Made eventID match more permissive
Parsers
- [New] /Parsers/System/Snowflake/Snowflake
- [New] /Parsers/System/Microsoft/Windows Defender ATP Alert JSON
- [Updated] /Parsers/System/Cisco/Cisco ASA; Build/Teardown parsing bug fix
- [Updated] /Parsers/System/OpenVPN/OpenVPN Syslog; Added support for additional format