v4.31.0

New Analytic Story

Updated Analytic Story

New Analytics

• Windows Process Writing File to World Writable Path

Updated Analytics

• AWS Create Policy Version to allow all resources
• Detect Outbound SMB Traffic
• Detect Rare Executables
• Prohibited Network Traffic Allowed
• Remote Desktop Network Traffic
• Windows Masquerading Explorer As Child Process
• Recon AVProduct Through Pwh or WMI
• Detect Outbound SMB Traffic
• MSHTML Module Load in Office Product
• Office Document Creating Schedule Task
• Office Document Executing Macro Code
• Windows InstallUtil Credential Theft

Deprecated Analytics

• Windows DLL Search Order Hijacking Hunt with Sysmon

Other Updates

• Updated risk and threat related configurations for several detections
• Added Victims to missing detections to create correct risk_objects
• Converted the following Windows detections to leverage the XML log format:
  • kerberos_user_enumeration.yml
  • known_services_killed_by_ransomware.yml
  • malicious_powershell_executed_as_a_service.yml
  • non_chrome_process_accessing_chrome_default_dir.yml
  • non_firefox_process_access_firefox_profile_dir.yml
  • print_processor_registry_autostart.yml
  • suspicious_computer_account_name_change.yml
  • suspicious_event_log_service_behavior.yml
  • suspicious_kerberos_service_ticket_request.yml
  • suspicious_ticket_granting_ticket_request.yml
  • svchost_lolbas_execution_process_spawn.yml
  • windows_computer_account_requesting_kerberos_ticket.yml
  • windows_event_for_service_disabled.yml
  • windows_excessive_disabled_services_event.yml
  • windows_get_adcomputer_unconstrained_delegation_discovery.yml
  • windows_kerberos_local_successful_logon.yml
  • windows_krbrelayup_service_creation.yml
  • windows_powerview_constrained_delegation_discovery.yml
  • windows_powerview_unconstrained_delegation_discovery.yml
  • windows_rdp_connection_successful.yml
  • windows_service_created_with_suspicious_service_path.yml
  • windows_service_created_within_public_path.yml
  • winevent_scheduled_task_created_to_spawn_shell.yml
  • winevent_scheduled_task_created_within_public_path.yml
  • winevent_windows_task_scheduler_event_action_started.yml

Upcoming Changes

IMPORTANT NOTE : In the upcoming v4.34.0 release, changes will be made to the security_content_summariesonly macro. Its current definition will change to wrap the existing values into another set of macros. This will allow each environment to customize each setting without changing the base macro. If this macro has already been modified in your environment, it will not be affected.