[FR] Recommend Latest Compatible Integration Versions #2495

Mikaayenson · 2023-01-25T18:59:22Z

Issues

Summary

Replaces find_least_compatible_version with find_latest_compatible_version to recommend the latest compatible integration versions
Updates version lock

Testing

Here's some sample logic to see the version comparisons.

from detection_rules.integrations import find_least_compatible_version, find_latest_compatible_version, load_integrations_manifests
from detection_rules import rule_loader
from detection_rules.rule import QueryRuleData
all_rules = rule_loader.RuleCollection.default()
packages_manifest = load_integrations_manifests()
current_stack_version = "8.6.0"
for rule in all_rules.rules:
    if isinstance(rule.contents.data, QueryRuleData) and rule.contents.data.language != 'lucene' and rule.contents.metadata.maturity == "production":
        package_integrations = rule.contents._get_packaged_integrations(packages_manifest)
        for package in package_integrations:
            l_comp = find_least_compatible_version(package=package["package"], integration=package["integration"], current_stack_version=current_stack_version, packages_manifest=packages_manifest)
            m_comp = find_latest_compatible_version(package=package["package"], integration=package["integration"], rule_stack_version=rule.contents.metadata.min_stack_version, packages_manifest=packages_manifest)
            print(f"{rule.name} {package['package']} {package['integration']} {l_comp} {m_comp}")

Mikaayenson · 2023-01-25T21:07:46Z

@spong We're thinking about changing the releated integrations recommended versions from least_compatible based on the latest stack to latest_compatible.

If you take a look at some sample output, you can see the version differences where the first version is the least, and the second version is the latest.

Comparing Versions

Web Application Suspicious Activity: POST Request Declined apm None ^8.0.0 8.3.3
Web Application Suspicious Activity: Unauthorized Method apm None ^8.0.0 8.3.3
Web Application Suspicious Activity: sqlmap User Agent apm None ^8.0.0 8.3.3
Potential Non-Standard Port SSH connection endpoint None ^8.2.0 8.3.0
Potential Cookies Theft via Browser Debugging endpoint None ^8.2.0 8.3.0
Potential Cookies Theft via Browser Debugging windows None ^1.5.0 1.16.0
WebServer Access Logs Deleted endpoint None ^8.2.0 8.3.0
WebServer Access Logs Deleted windows None ^1.5.0 1.16.0
Tampering of Bash Command-Line History endpoint None ^8.2.0 8.3.0
Elastic Agent Service Terminated endpoint None ^8.2.0 8.3.0
Masquerading Space After Filename endpoint None ^8.2.0 8.3.0
Timestomping using Touch Command endpoint None ^8.2.0 8.3.0
Security Software Discovery via Grep endpoint None ^8.2.0 8.3.0
Virtual Machine Fingerprinting via Grep endpoint None ^8.2.0 8.3.0
EggShell Backdoor Execution endpoint None ^8.2.0 8.3.0
Potential Reverse Shell Activity via Terminal endpoint None ^8.2.0 8.3.0
Suspicious JAVA Child Process endpoint None ^8.2.0 8.3.0
Potential JAVA/JNDI Exploitation Attempt endpoint None ^8.2.0 8.3.0
Hosts File Modified endpoint None ^8.2.0 8.3.0
Hosts File Modified windows None ^1.5.0 1.16.0
Modification of Standard Authentication Module or Configuration endpoint None ^8.2.0 8.3.0
Bash Shell Profile Modification endpoint None ^8.2.0 8.3.0
SSH Authorized Keys File Modification endpoint None ^8.2.0 8.3.0
Potential Privilege Escalation via Sudoers File Modification endpoint None ^8.2.0 8.3.0
Sudo Heap-Based Buffer Overflow Attempt endpoint None ^8.2.0 8.3.0
Sudoers File Modification endpoint None ^8.2.0 8.3.0
AWS CloudTrail Log Created aws cloudtrail ^1.5.0 1.25.3
AWS IAM Brute Force of Assume Role Policy aws cloudtrail ^1.5.0 1.25.3
AWS IAM User Addition to Group aws cloudtrail ^1.5.0 1.25.3
AWS Management Console Brute Force of Root User Identity aws cloudtrail ^1.5.0 1.25.3
AWS Access Secret in Secrets Manager aws cloudtrail ^1.5.0 1.25.3
AWS CloudTrail Log Deleted aws cloudtrail ^1.5.0 1.25.3
AWS CloudTrail Log Suspended aws cloudtrail ^1.5.0 1.25.3
AWS CloudWatch Alarm Deletion aws cloudtrail ^1.5.0 1.25.3
AWS Config Resource Deletion aws cloudtrail ^1.5.0 1.25.3
AWS Configuration Recorder Stopped aws cloudtrail ^1.5.0 1.25.3
AWS VPC Flow Logs Deletion aws cloudtrail ^1.5.0 1.25.3
AWS EC2 Network Access Control List Deletion aws cloudtrail ^1.5.0 1.25.3
AWS ElastiCache Security Group Created aws cloudtrail ^1.5.0 1.25.3
AWS ElastiCache Security Group Modified or Deleted aws cloudtrail ^1.5.0 1.25.3
AWS GuardDuty Detector Deletion aws cloudtrail ^1.5.0 1.25.3
AWS S3 Bucket Configuration Deletion aws cloudtrail ^1.5.0 1.25.3
AWS WAF Access Control List Deletion aws cloudtrail ^1.5.0 1.25.3
AWS WAF Rule or Rule Group Deletion aws cloudtrail ^1.5.0 1.25.3
AWS EC2 Full Network Packet Capture Detected aws cloudtrail ^1.5.0 1.25.3
AWS EC2 Snapshot Activity aws cloudtrail ^1.5.0 1.25.3
AWS EC2 VM Export Failure aws cloudtrail ^1.5.0 1.25.3
AWS RDS Snapshot Export aws cloudtrail ^1.5.0 1.25.3
AWS RDS Snapshot Restored aws cloudtrail ^1.5.0 1.25.3
AWS EventBridge Rule Disabled or Deleted aws cloudtrail ^1.5.0 1.25.3
AWS CloudTrail Log Updated aws cloudtrail ^1.5.0 1.25.3
AWS CloudWatch Log Group Deletion aws cloudtrail ^1.5.0 1.25.3
AWS CloudWatch Log Stream Deletion aws cloudtrail ^1.5.0 1.25.3
AWS EC2 Encryption Disabled aws cloudtrail ^1.5.0 1.25.3
AWS EFS File System or Mount Deleted aws cloudtrail ^1.5.0 1.25.3
AWS IAM Deactivation of MFA Device aws cloudtrail ^1.5.0 1.25.3
AWS IAM Group Deletion aws cloudtrail ^1.5.0 1.25.3
AWS KMS Customer Managed Key Disabled or Scheduled for Deletion aws cloudtrail ^1.5.0 1.25.3
AWS RDS Security Group Deletion aws cloudtrail ^1.5.0 1.25.3
AWS Deletion of RDS Instance or Cluster aws cloudtrail ^1.5.0 1.25.3
AWS RDS Instance/Cluster Stoppage aws cloudtrail ^1.5.0 1.25.3
AWS Management Console Root Login aws cloudtrail ^1.5.0 1.25.3
AWS IAM Password Recovery Requested aws cloudtrail ^1.5.0 1.25.3
AWS Execution via System Manager aws cloudtrail ^1.5.0 1.25.3
AWS EC2 Network Access Control List Creation aws cloudtrail ^1.5.0 1.25.3
AWS Security Group Configuration Change Detection aws cloudtrail ^1.5.0 1.25.3
AWS IAM Group Creation aws cloudtrail ^1.5.0 1.25.3
AWS RDS Cluster Creation aws cloudtrail ^1.5.0 1.25.3
AWS RDS Security Group Creation aws cloudtrail ^1.5.0 1.25.3
AWS RDS Instance Creation aws cloudtrail ^1.5.0 1.25.3
AWS Redshift Cluster Creation aws cloudtrail ^1.5.0 1.25.3
AWS Route 53 Domain Transfer Lock Disabled aws cloudtrail ^1.5.0 1.25.3
AWS Route 53 Domain Transferred to Another Account aws cloudtrail ^1.5.0 1.25.3
AWS Route53 private hosted zone associated with a VPC aws cloudtrail ^1.5.0 1.25.3
AWS Route Table Created aws cloudtrail ^1.5.0 1.25.3
AWS Route Table Modified or Deleted aws cloudtrail ^1.5.0 1.25.3
AWS SAML Activity aws cloudtrail ^1.5.0 1.25.3
AWS Root Login Without MFA aws cloudtrail ^1.5.0 1.25.3
AWS Security Token Service (STS) AssumeRole Usage aws cloudtrail ^1.5.0 1.25.3
AWS STS GetSessionToken Abuse aws cloudtrail ^1.5.0 1.25.3
AWS IAM Assume Role Policy Update aws cloudtrail ^1.5.0 1.25.3
Azure Event Hub Authorization Rule Created or Updated azure activitylogs ^1.0.0 1.5.5
Azure Full Network Packet Capture Detected azure activitylogs ^1.0.0 1.5.5
Azure Key Vault Modified azure activitylogs ^1.0.0 1.5.5
Azure Storage Account Key Regenerated azure activitylogs ^1.0.0 1.5.5
Azure Application Credential Modification azure auditlogs ^1.0.0 1.5.5
Azure Automation Runbook Deleted azure activitylogs ^1.0.0 1.5.5
Azure Blob Permissions Modification azure activitylogs ^1.0.0 1.5.5
Azure Diagnostic Settings Deletion azure activitylogs ^1.0.0 1.5.5
Azure Service Principal Addition azure auditlogs ^1.0.0 1.5.5
Azure Event Hub Deletion azure activitylogs ^1.0.0 1.5.5
Azure Firewall Policy Deletion azure activitylogs ^1.0.0 1.5.5
Azure Frontdoor Web Application Firewall (WAF) Policy Deleted azure activitylogs ^1.0.0 1.5.5
Azure Kubernetes Events Deleted azure activitylogs ^1.0.0 1.5.5
Azure Network Watcher Deletion azure activitylogs ^1.0.0 1.5.5
Azure Alert Suppression Rule Created or Modified azure activitylogs ^1.0.0 1.5.5
Azure Blob Container Access Level Modification azure activitylogs ^1.0.0 1.5.5
Azure Command Execution on Virtual Machine azure activitylogs ^1.0.0 1.5.5
Azure Service Principal Credentials Added azure auditlogs ^1.0.0 1.5.5
Azure Kubernetes Pods Deleted azure activitylogs ^1.0.0 1.5.5
Azure Resource Group Deletion azure activitylogs ^1.0.0 1.5.5
Azure Virtual Network Device Modified or Deleted azure activitylogs ^1.0.0 1.5.5
Azure Active Directory High Risk Sign-in azure signinlogs ^1.0.0 1.5.5
Azure Active Directory High Risk User Sign-in Heuristic azure signinlogs ^1.0.0 1.5.5
Azure Active Directory PowerShell Sign-in azure signinlogs ^1.0.0 1.5.5
Possible Consent Grant Attack via Azure-Registered Application azure activitylogs ^1.0.0 1.5.5
Possible Consent Grant Attack via Azure-Registered Application azure auditlogs ^1.0.0 1.5.5
Possible Consent Grant Attack via Azure-Registered Application o365 audit ^1.3.0 1.10.1
Azure External Guest User Invitation azure auditlogs ^1.0.0 1.5.5
Azure Automation Account Created azure activitylogs ^1.0.0 1.5.5
Azure Automation Runbook Created or Modified azure activitylogs ^1.0.0 1.5.5
Azure Automation Webhook Created azure activitylogs ^1.0.0 1.5.5
Azure Conditional Access Policy Modified azure activitylogs ^1.0.0 1.5.5
Azure Conditional Access Policy Modified azure auditlogs ^1.0.0 1.5.5
Azure AD Global Administrator Role Assigned azure auditlogs ^1.0.0 1.5.5
Azure Global Administrator Role Addition to PIM User azure auditlogs ^1.0.0 1.5.5
Azure Privilege Identity Management Role Modified azure auditlogs ^1.0.0 1.5.5
Multi-Factor Authentication Disabled for an Azure User azure auditlogs ^1.0.0 1.5.5
User Added as Owner for Azure Application azure auditlogs ^1.0.0 1.5.5
User Added as Owner for Azure Service Principal azure auditlogs ^1.0.0 1.5.5
Azure Kubernetes Rolebindings Created azure activitylogs ^1.0.0 1.5.5
CyberArk Privileged Access Security Error cyberarkpas audit ^2.2.0 2.9.0
CyberArk Privileged Access Security Recommended Monitor cyberarkpas audit ^2.2.0 2.9.0
Endpoint Security endpoint None ^8.2.0 8.3.0
GCP Pub/Sub Subscription Creation gcp audit ^2.0.0 2.14.0
GCP Pub/Sub Topic Creation gcp audit ^2.0.0 2.14.0
GCP Firewall Rule Creation gcp audit ^2.0.0 2.14.0
GCP Firewall Rule Deletion gcp audit ^2.0.0 2.14.0
GCP Firewall Rule Modification gcp audit ^2.0.0 2.14.0
GCP Logging Bucket Deletion gcp audit ^2.0.0 2.14.0
GCP Logging Sink Deletion gcp audit ^2.0.0 2.14.0
GCP Pub/Sub Subscription Deletion gcp audit ^2.0.0 2.14.0
GCP Pub/Sub Topic Deletion gcp audit ^2.0.0 2.14.0
GCP Storage Bucket Configuration Modification gcp audit ^2.0.0 2.14.0
GCP Storage Bucket Permissions Modification gcp audit ^2.0.0 2.14.0
GCP Virtual Private Cloud Network Deletion gcp audit ^2.0.0 2.14.0
GCP Virtual Private Cloud Route Creation gcp audit ^2.0.0 2.14.0
GCP Virtual Private Cloud Route Deletion gcp audit ^2.0.0 2.14.0
GCP Logging Sink Modification gcp audit ^2.0.0 2.14.0
GCP IAM Role Deletion gcp audit ^2.0.0 2.14.0
GCP Service Account Deletion gcp audit ^2.0.0 2.14.0
GCP Service Account Disabled gcp audit ^2.0.0 2.14.0
GCP Storage Bucket Deletion gcp audit ^2.0.0 2.14.0
GCP IAM Custom Role Creation gcp audit ^2.0.0 2.14.0
GCP IAM Service Account Key Deletion gcp audit ^2.0.0 2.14.0
GCP Service Account Key Creation gcp audit ^2.0.0 2.14.0
GCP Service Account Creation gcp audit ^2.0.0 2.14.0
Google Drive Ownership Transferred via Google Workspace google_workspace admin ^2.0.0 2.2.1
Google Workspace Custom Gmail Route Created or Modified google_workspace admin ^2.0.0 2.2.1
Application Removed from Blocklist in Google Workspace google_workspace admin ^2.0.0 2.2.1
Domain Added to Google Workspace Trusted Domains google_workspace admin ^2.0.0 2.2.1
Google Workspace Bitlocker Setting Disabled google_workspace admin ^2.0.0 2.2.1
Google Workspace Restrictions for Google Marketplace Modified to Allow Any App google_workspace admin ^2.0.0 2.2.1
Forwarded Google Workspace Security Alert google_workspace alert ^2.0.0 2.2.1
Google Workspace Admin Role Deletion google_workspace admin ^2.0.0 2.2.1
Google Workspace MFA Enforcement Disabled google_workspace admin ^2.0.0 2.2.1
Application Added to Google Workspace Domain google_workspace admin ^2.0.0 2.2.1
Google Workspace 2SV Policy Disabled google_workspace admin ^2.0.0 2.2.1
Google Workspace Admin Role Assigned to a User google_workspace admin ^2.0.0 2.2.1
Google Workspace API Access Granted via Domain-Wide Delegation of Authority google_workspace admin ^2.0.0 2.2.1
Google Workspace Custom Admin Role Created google_workspace admin ^2.0.0 2.2.1
Google Workspace Password Policy Modified google_workspace admin ^2.0.0 2.2.1
Google Workspace Role Modified google_workspace admin ^2.0.0 2.2.1
Google Workspace User Group Access Modified to Allow External Access google_workspace admin ^2.0.0 2.2.1
Google Workspace User Organizational Unit Changed google_workspace admin ^2.0.0 2.2.1
MFA Disabled for Google Workspace Organization google_workspace admin ^2.0.0 2.2.1
Kubernetes Denied Service Account Request kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Suspicious Self-Subject Review kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes User Exec into Pod kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Anonymous Request Authorized kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Exposed Service Created With Type NodePort kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Container Created with Excessive Linux Capabilities kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Pod Created With HostIPC kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Pod Created With HostNetwork kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Pod Created With HostPID kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Pod created with a Sensitive hostPath Volume kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Privileged Pod Created kubernetes audit_logs ^1.4.1 1.26.0
Kubernetes Suspicious Assignment of Controller Service Account kubernetes audit_logs ^1.4.1 1.26.0
Microsoft 365 Inbox Forwarding Rule Created o365 audit ^1.3.0 1.10.1
Attempts to Brute Force a Microsoft 365 User Account o365 audit ^1.3.0 1.10.1
Potential Password Spraying of Microsoft 365 User Accounts o365 audit ^1.3.0 1.10.1
O365 Excessive Single Sign-On Logon Errors o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange DLP Policy Removed o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Malware Filter Policy Deletion o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Malware Filter Rule Modification o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Safe Attachment Rule Disabled o365 audit ^1.3.0 1.10.1
O365 Mailbox Audit Logging Bypass o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Transport Rule Creation o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Transport Rule Modification o365 audit ^1.3.0 1.10.1
Microsoft 365 Potential ransomware activity o365 audit ^1.3.0 1.10.1
Microsoft 365 Unusual Volume of File Deletion o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Anti-Phish Policy Deletion o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Anti-Phish Rule Modification o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Safe Link Policy Disabled o365 audit ^1.3.0 1.10.1
Microsoft 365 User Restricted from Sending Email o365 audit ^1.3.0 1.10.1
O365 Email Reported by User as Malware or Phish o365 audit ^1.3.0 1.10.1
OneDrive Malware File Upload o365 audit ^1.3.0 1.10.1
SharePoint Malware File Upload o365 audit ^1.3.0 1.10.1
O365 Exchange Suspicious Mailbox Right Delegation o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange DKIM Signing Configuration Disabled o365 audit ^1.3.0 1.10.1
Microsoft 365 Exchange Management Group Role Assignment o365 audit ^1.3.0 1.10.1
Microsoft 365 Global Administrator Role Assigned o365 audit ^1.3.0 1.10.1
Microsoft 365 Teams Custom Application Interaction Allowed o365 audit ^1.3.0 1.10.1
Microsoft 365 Teams External Access Enabled o365 audit ^1.3.0 1.10.1
Microsoft 365 Teams Guest Access Enabled o365 audit ^1.3.0 1.10.1
New or Modified Federation Domain o365 audit ^1.3.0 1.10.1
Attempted Bypass of Okta MFA okta system ^1.3.0 1.14.0
Attempts to Brute Force an Okta User Account okta system ^1.3.0 1.14.0
Okta Brute Force or Password Spraying Attack okta system ^1.3.0 1.14.0
Okta User Session Impersonation okta system ^1.3.0 1.14.0
Attempt to Deactivate an Okta Network Zone okta system ^1.3.0 1.14.0
Attempt to Delete an Okta Network Zone okta system ^1.3.0 1.14.0
Attempt to Deactivate an Okta Policy okta system ^1.3.0 1.14.0
Attempt to Deactivate an Okta Policy Rule okta system ^1.3.0 1.14.0
Attempt to Delete an Okta Policy okta system ^1.3.0 1.14.0
Attempt to Delete an Okta Policy Rule okta system ^1.3.0 1.14.0
Attempt to Modify an Okta Network Zone okta system ^1.3.0 1.14.0
Attempt to Modify an Okta Policy okta system ^1.3.0 1.14.0
Attempt to Modify an Okta Policy Rule okta system ^1.3.0 1.14.0
High Number of Okta User Password Reset or Unlock Attempts okta system ^1.3.0 1.14.0
Attempt to Revoke Okta API Token okta system ^1.3.0 1.14.0
Attempt to Deactivate an Okta Application okta system ^1.3.0 1.14.0
Attempt to Delete an Okta Application okta system ^1.3.0 1.14.0
Attempt to Modify an Okta Application okta system ^1.3.0 1.14.0
Possible Okta DoS Attack okta system ^1.3.0 1.14.0
Unauthorized Access to an Okta Application okta system ^1.3.0 1.14.0
Suspicious Activity Reported by Okta User okta system ^1.3.0 1.14.0
Threat Detected by Okta ThreatInsight okta system ^1.3.0 1.14.0
Administrator Privileges Assigned to an Okta Group okta system ^1.3.0 1.14.0
Administrator Role Assigned to an Okta User okta system ^1.3.0 1.14.0
Attempt to Create Okta API Token okta system ^1.3.0 1.14.0
Attempt to Deactivate MFA for an Okta User Account okta system ^1.3.0 1.14.0
Attempt to Reset MFA Factors for an Okta User Account okta system ^1.3.0 1.14.0
Modification or Removal of an Okta Application Sign-On Policy okta system ^1.3.0 1.14.0
Suspicious Network Connection Attempt by Root endpoint None ^8.2.0 8.3.0
Potential DNS Tunneling via Iodine endpoint None ^8.2.0 8.3.0
Potential Protocol Tunneling via EarthWorm endpoint None ^8.2.0 8.3.0
Sensitive Files Compression endpoint None ^8.2.0 8.3.0
Potential OpenSSH Backdoor Logging Activity endpoint None ^8.2.0 8.3.0
Attempt to Disable Syslog Service endpoint None ^8.2.0 8.3.0
Base16 or Base32 Encoding/Decoding Activity endpoint None ^8.2.0 8.3.0
File made Immutable by Chattr endpoint None ^8.2.0 8.3.0
Potential Disabling of SELinux endpoint None ^8.2.0 8.3.0
File Deletion via Shred endpoint None ^8.2.0 8.3.0
File Permission Modification in Writable Directory endpoint None ^8.2.0 8.3.0
Creation of Hidden Files and Directories via CommandLine endpoint None ^8.2.0 8.3.0
Creation of Hidden Shared Object File endpoint None ^8.2.0 8.3.0
Kernel Module Removal endpoint None ^8.2.0 8.3.0
System Log File Deletion endpoint None ^8.2.0 8.3.0
Enumeration of Kernel Modules endpoint None ^8.2.0 8.3.0
Hping Process Activity endpoint None ^8.2.0 8.3.0
Nping Process Activity endpoint None ^8.2.0 8.3.0
Virtual Machine Fingerprinting endpoint None ^8.2.0 8.3.0
Abnormal Process ID or Lock File Created endpoint None ^8.2.0 8.3.0
File Transfer or Listener Established via Netcat endpoint None ^8.2.0 8.3.0
Interactive Terminal Spawned via Perl endpoint None ^8.2.0 8.3.0
Process Started from Process ID (PID) File endpoint None ^8.2.0 8.3.0
Binary Executed from Shared Memory Directory endpoint None ^8.2.0 8.3.0
Interactive Terminal Spawned via Python endpoint None ^8.2.0 8.3.0
Reverse Shell Created via Named Pipe endpoint None ^8.2.0 8.3.0
Linux Restricted Shell Breakout via Linux Binary(s) endpoint None ^8.2.0 8.3.0
BPF filter applied using TC endpoint None ^8.2.0 8.3.0
High Number of Process Terminations endpoint None ^8.2.0 8.3.0
Connection to External Network via Telnet endpoint None ^8.2.0 8.3.0
Connection to Internal Network via Telnet endpoint None ^8.2.0 8.3.0
Chkconfig Service Add endpoint None ^8.2.0 8.3.0
Modification of OpenSSH Binaries endpoint None ^8.2.0 8.3.0
Dynamic Linker Copy endpoint None ^8.2.0 8.3.0
Suspicious File Creation in /etc for Persistence endpoint None ^8.2.0 8.3.0
Kernel module load via insmod endpoint None ^8.2.0 8.3.0
Persistence via KDE AutoStart Script or Desktop File Modification endpoint None ^8.2.0 8.3.0
Potential Shell via Web Server endpoint None ^8.2.0 8.3.0
Modification of Dynamic Linker Preload Shared Object endpoint None ^8.2.0 8.3.0
Potential Privilege Escalation via PKEXEC endpoint None ^8.2.0 8.3.0
Potential Shadow File Read via Command Line Utilities endpoint None ^8.2.0 8.3.0
Namespace Manipulation Using Unshare endpoint None ^8.2.0 8.3.0
Access of Stored Browser Credentials endpoint None ^8.2.0 8.3.0
Access to Keychain Credentials Directories endpoint None ^8.2.0 8.3.0
Dumping Account Hashes via Built-In Commands endpoint None ^8.2.0 8.3.0
Dumping of Keychain Content via Security Command endpoint None ^8.2.0 8.3.0
Kerberos Cached Credentials Dumping endpoint None ^8.2.0 8.3.0
Keychain Password Retrieval via Command Line endpoint None ^8.2.0 8.3.0
WebProxy Settings Modification endpoint None ^8.2.0 8.3.0
Potential macOS SSH Brute Force Detected endpoint None ^8.2.0 8.3.0
Prompt for Credentials with OSASCRIPT endpoint None ^8.2.0 8.3.0
SystemKey Access via Command Line endpoint None ^8.2.0 8.3.0
SoftwareUpdate Preferences Modification endpoint None ^8.2.0 8.3.0
Attempt to Remove File Quarantine Attribute endpoint None ^8.2.0 8.3.0
Attempt to Disable Gatekeeper endpoint None ^8.2.0 8.3.0
Attempt to Install Root Certificate endpoint None ^8.2.0 8.3.0
Modification of Environment Variable via Launchctl endpoint None ^8.2.0 8.3.0
Potential Privacy Control Bypass via TCCDB Modification endpoint None ^8.2.0 8.3.0
Potential Privacy Control Bypass via Localhost Secure Copy endpoint None ^8.2.0 8.3.0
Modification of Safari Settings via Defaults Command endpoint None ^8.2.0 8.3.0
Potential Microsoft Office Sandbox Evasion endpoint None ^8.2.0 8.3.0
TCC Bypass via Mounted APFS Snapshot Access endpoint None ^8.2.0 8.3.0
Attempt to Unload Elastic Endpoint Security Kernel Extension endpoint None ^8.2.0 8.3.0
Enumeration of Users or Groups via Built-in Commands endpoint None ^8.2.0 8.3.0
Execution via Electron Child Process Node.js Module endpoint None ^8.2.0 8.3.0
Suspicious Browser Child Process endpoint None ^8.2.0 8.3.0
MacOS Installer Package Spawns Network Event endpoint None ^8.2.0 8.3.0
Suspicious Automator Workflows Execution endpoint None ^8.2.0 8.3.0
Apple Script Execution followed by Network Connection endpoint None ^8.2.0 8.3.0
Shell Execution via Apple Scripting endpoint None ^8.2.0 8.3.0
Suspicious macOS MS Office Child Process endpoint None ^8.2.0 8.3.0
Potential Kerberos Attack via Bifrost endpoint None ^8.2.0 8.3.0
Attempt to Mount SMB Share via Command Line endpoint None ^8.2.0 8.3.0
Remote SSH Login Enabled via systemsetup Command endpoint None ^8.2.0 8.3.0
Virtual Private Network Connection Attempt endpoint None ^8.2.0 8.3.0
Potential Hidden Local User Account Creation endpoint None ^8.2.0 8.3.0
Launch Agent Creation or Modification and Immediate Loading endpoint None ^8.2.0 8.3.0
Creation of Hidden Login Item via Apple Script endpoint None ^8.2.0 8.3.0
LaunchDaemon Creation or Modification and Immediate Loading endpoint None ^8.2.0 8.3.0
Authorization Plugin Modification endpoint None ^8.2.0 8.3.0
Suspicious CronTab Creation or Modification endpoint None ^8.2.0 8.3.0
Suspicious Hidden Child Process of Launchd endpoint None ^8.2.0 8.3.0
Persistence via DirectoryService Plugin Modification endpoint None ^8.2.0 8.3.0
Persistence via Docker Shortcut Modification endpoint None ^8.2.0 8.3.0
Emond Rules Creation or Modification endpoint None ^8.2.0 8.3.0
Suspicious Emond Child Process endpoint None ^8.2.0 8.3.0
Attempt to Enable the Root Account endpoint None ^8.2.0 8.3.0
Creation of Hidden Launch Agent or Daemon endpoint None ^8.2.0 8.3.0
Finder Sync Plugin Registered and Enabled endpoint None ^8.2.0 8.3.0
Persistence via Folder Action Script endpoint None ^8.2.0 8.3.0
Persistence via Login or Logout Hook endpoint None ^8.2.0 8.3.0
Potential Persistence via Login Hook endpoint None ^8.2.0 8.3.0
Sublime Plugin or Application Script Modification endpoint None ^8.2.0 8.3.0
Potential Persistence via Periodic Tasks endpoint None ^8.2.0 8.3.0
Unexpected Child Process of macOS Screensaver Engine endpoint None ^8.2.0 8.3.0
Screensaver Plist File Modified by Unexpected Process endpoint None ^8.2.0 8.3.0
Suspicious Calendar File Modification endpoint None ^8.2.0 8.3.0
Potential Persistence via Atom Init Script Modification endpoint None ^8.2.0 8.3.0
Apple Scripting Execution with Administrator Privileges endpoint None ^8.2.0 8.3.0
Execution with Explicit Credentials via Scripting endpoint None ^8.2.0 8.3.0
Suspicious Child Process of Adobe Acrobat Reader Update Service endpoint None ^8.2.0 8.3.0
Potential Admin Group Account Addition endpoint None ^8.2.0 8.3.0
Privilege Escalation via Root Crontab File Modification endpoint None ^8.2.0 8.3.0
Accepted Default Telnet Port Connection endpoint None ^8.2.0 8.3.0
Default Cobalt Strike Team Server Certificate endpoint None ^8.2.0 8.3.0
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet endpoint None ^8.2.0 8.3.0
IPSEC NAT Traversal Port Activity endpoint None ^8.2.0 8.3.0
VNC (Virtual Network Computing) from the Internet endpoint None ^8.2.0 8.3.0
VNC (Virtual Network Computing) to the Internet endpoint None ^8.2.0 8.3.0
Suspicious Inter-Process Communication via Outlook windows None ^1.5.0 1.16.0
Exporting Exchange Mailbox via PowerShell endpoint None ^8.2.0 8.3.0
Exporting Exchange Mailbox via PowerShell windows None ^1.5.0 1.16.0
Exchange Mailbox Export via PowerShell windows None ^1.5.0 1.16.0
PowerShell Suspicious Script with Audio Capture Capabilities windows None ^1.5.0 1.16.0
PowerShell Suspicious Script with Clipboard Retrieval Capabilities windows None ^1.5.0 1.16.0
PowerShell Keylogging Script windows None ^1.5.0 1.16.0
PowerShell Mailbox Collection Script windows None ^1.5.0 1.16.0
PowerShell Suspicious Script with Screenshot Capabilities windows None ^1.5.0 1.16.0
Encrypting Files with WinRar or 7z endpoint None ^8.2.0 8.3.0
Encrypting Files with WinRar or 7z windows None ^1.5.0 1.16.0
Network Connection via Certutil endpoint None ^8.2.0 8.3.0
Network Connection via Certutil windows None ^1.5.0 1.16.0
Connection to Commonly Abused Web Services endpoint None ^8.2.0 8.3.0
Potential DNS Tunneling via NsLookup endpoint None ^8.2.0 8.3.0
Potential DNS Tunneling via NsLookup windows None ^1.5.0 1.16.0
Connection to Commonly Abused Free SSL Certificate Providers endpoint None ^8.2.0 8.3.0
Connection to Commonly Abused Free SSL Certificate Providers windows None ^1.5.0 1.16.0
Potential Command and Control via Internet Explorer endpoint None ^8.2.0 8.3.0
Potential Command and Control via Internet Explorer windows None ^1.5.0 1.16.0
Port Forwarding Rule Addition endpoint None ^8.2.0 8.3.0
Port Forwarding Rule Addition windows None ^1.5.0 1.16.0
Potential Remote Desktop Tunneling Detected endpoint None ^8.2.0 8.3.0
Potential Remote Desktop Tunneling Detected windows None ^1.5.0 1.16.0
Remote File Download via Desktopimgdownldr Utility endpoint None ^8.2.0 8.3.0
Remote File Download via Desktopimgdownldr Utility windows None ^1.5.0 1.16.0
Remote File Download via MpCmdRun endpoint None ^8.2.0 8.3.0
Remote File Download via MpCmdRun windows None ^1.5.0 1.16.0
Remote File Download via PowerShell endpoint None ^8.2.0 8.3.0
Remote File Download via PowerShell windows None ^1.5.0 1.16.0
Remote File Download via Script Interpreter endpoint None ^8.2.0 8.3.0
Remote File Download via Script Interpreter windows None ^1.5.0 1.16.0
SUNBURST Command and Control Activity endpoint None ^8.2.0 8.3.0
Remote File Copy via TeamViewer endpoint None ^8.2.0 8.3.0
Remote File Copy via TeamViewer windows None ^1.5.0 1.16.0
Privileged Account Brute Force windows None ^1.5.0 1.16.0
Multiple Logon Failure Followed by Logon Success windows None ^1.5.0 1.16.0
Multiple Logon Failure from the same Source Address windows None ^1.5.0 1.16.0
Potential Credential Access via Windows Utilities endpoint None ^8.2.0 8.3.0
Potential Credential Access via Windows Utilities windows None ^1.5.0 1.16.0
NTDS or SAM Database File Copied endpoint None ^8.2.0 8.3.0
NTDS or SAM Database File Copied windows None ^1.5.0 1.16.0
Potential Credential Access via Trusted Developer Utility endpoint None ^8.2.0 8.3.0
Potential Credential Access via Trusted Developer Utility windows None ^1.5.0 1.16.0
Potential Credential Access via DCSync windows None ^1.5.0 1.16.0
Kerberos Pre-authentication Disabled for User windows None ^1.5.0 1.16.0
Creation or Modification of Domain Backup DPAPI private key endpoint None ^8.2.0 8.3.0
Creation or Modification of Domain Backup DPAPI private key windows None ^1.5.0 1.16.0
Credential Acquisition via Registry Hive Dumping endpoint None ^8.2.0 8.3.0
Credential Acquisition via Registry Hive Dumping windows None ^1.5.0 1.16.0
Full User-Mode Dumps Enabled System-Wide endpoint None ^8.2.0 8.3.0
Full User-Mode Dumps Enabled System-Wide windows None ^1.5.0 1.16.0
Microsoft IIS Service Account Password Dumped endpoint None ^8.2.0 8.3.0
Microsoft IIS Service Account Password Dumped windows None ^1.5.0 1.16.0
Microsoft IIS Connection Strings Decryption endpoint None ^8.2.0 8.3.0
Microsoft IIS Connection Strings Decryption windows None ^1.5.0 1.16.0
Kerberos Traffic from Unusual Process endpoint None ^8.2.0 8.3.0
Kerberos Traffic from Unusual Process windows None ^1.5.0 1.16.0
Access to a Sensitive LDAP Attribute windows None ^1.5.0 1.16.0
Suspicious LSASS Access via MalSecLogon windows None ^1.5.0 1.16.0
Suspicious Module Loaded by LSASS endpoint None ^8.2.0 8.3.0
LSASS Memory Dump Creation endpoint None ^8.2.0 8.3.0
LSASS Memory Dump Creation windows None ^1.5.0 1.16.0
LSASS Memory Dump Handle Access windows None ^1.5.0 1.16.0
Mimikatz Memssp Log File Detected endpoint None ^8.2.0 8.3.0
Mimikatz Memssp Log File Detected windows None ^1.5.0 1.16.0
Potential Invoke-Mimikatz PowerShell Script windows None ^1.5.0 1.16.0
Modification of WDigest Security Provider endpoint None ^8.2.0 8.3.0
Modification of WDigest Security Provider windows None ^1.5.0 1.16.0
Windows Registry File Creation in SMB Share endpoint None ^8.2.0 8.3.0
Network Logon Provider Registry Modification endpoint None ^8.2.0 8.3.0
PowerShell Invoke-NinjaCopy script windows None ^1.5.0 1.16.0
PowerShell MiniDump Script windows None ^1.5.0 1.16.0
PowerShell Kerberos Ticket Request windows None ^1.5.0 1.16.0
Potential Credential Access via DuplicateHandle in LSASS windows None ^1.5.0 1.16.0
Potential Local NTLM Relay via HTTP endpoint None ^8.2.0 8.3.0
Potential Local NTLM Relay via HTTP windows None ^1.5.0 1.16.0
Potential Remote Credential Access via Registry endpoint None ^8.2.0 8.3.0
Potential Remote Credential Access via Registry windows None ^1.5.0 1.16.0
Multiple Vault Web Credentials Read windows None ^1.5.0 1.16.0
Searching for Saved Credentials via VaultCmd endpoint None ^8.2.0 8.3.0
Searching for Saved Credentials via VaultCmd windows None ^1.5.0 1.16.0
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User windows None ^1.5.0 1.16.0
Potential Shadow Credentials added to AD Object windows None ^1.5.0 1.16.0
User account exposed to Kerberoasting windows None ^1.5.0 1.16.0
Potential Credential Access via Renamed COM+ Services DLL windows None ^1.5.0 1.16.0
Suspicious Lsass Process Access windows None ^1.5.0 1.16.0
Potential Credential Access via LSASS Memory Dump windows None ^1.5.0 1.16.0
Potential LSASS Memory Dump via PssCaptureSnapShot windows None ^1.5.0 1.16.0
Suspicious Remote Registry Access via SeBackupPrivilege windows None ^1.5.0 1.16.0
Symbolic Link to Shadow Copy Created endpoint None ^8.2.0 8.3.0
Symbolic Link to Shadow Copy Created windows None ^1.5.0 1.16.0
Potential LSASS Clone Creation via PssCaptureSnapShot windows None ^1.5.0 1.16.0
Wireless Credential Dumping using Netsh Command endpoint None ^8.2.0 8.3.0
Wireless Credential Dumping using Netsh Command windows None ^1.5.0 1.16.0
Adding Hidden File Attribute via Attrib endpoint None ^8.2.0 8.3.0
Adding Hidden File Attribute via Attrib windows None ^1.5.0 1.16.0
Modification of AmsiEnable Registry Key endpoint None ^8.2.0 8.3.0
Modification of AmsiEnable Registry Key windows None ^1.5.0 1.16.0
Clearing Windows Console History endpoint None ^8.2.0 8.3.0
Clearing Windows Console History windows None ^1.5.0 1.16.0
Clearing Windows Event Logs endpoint None ^8.2.0 8.3.0
Clearing Windows Event Logs windows None ^1.5.0 1.16.0
Windows Event Logs Cleared windows None ^1.5.0 1.16.0
Creation or Modification of Root Certificate endpoint None ^8.2.0 8.3.0
Creation or Modification of Root Certificate windows None ^1.5.0 1.16.0
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall) windows None ^1.5.0 1.16.0
Windows Defender Disabled via Registry Modification endpoint None ^8.2.0 8.3.0
Windows Defender Disabled via Registry Modification windows None ^1.5.0 1.16.0
Windows Defender Exclusions Added via PowerShell endpoint None ^8.2.0 8.3.0
Windows Defender Exclusions Added via PowerShell windows None ^1.5.0 1.16.0
Delete Volume USN Journal with Fsutil endpoint None ^8.2.0 8.3.0
Delete Volume USN Journal with Fsutil windows None ^1.5.0 1.16.0
PowerShell Script Block Logging Disabled endpoint None ^8.2.0 8.3.0
PowerShell Script Block Logging Disabled windows None ^1.5.0 1.16.0
Disable Windows Firewall Rules via Netsh endpoint None ^8.2.0 8.3.0
Disable Windows Firewall Rules via Netsh windows None ^1.5.0 1.16.0
Disabling Windows Defender Security Settings via PowerShell endpoint None ^8.2.0 8.3.0
Disabling Windows Defender Security Settings via PowerShell windows None ^1.5.0 1.16.0
Disable Windows Event and Security Logs Using Built-in Tools endpoint None ^8.2.0 8.3.0
Disable Windows Event and Security Logs Using Built-in Tools windows None ^1.5.0 1.16.0
DNS-over-HTTPS Enabled via Registry endpoint None ^8.2.0 8.3.0
DNS-over-HTTPS Enabled via Registry windows None ^1.5.0 1.16.0
Suspicious .NET Code Compilation endpoint None ^8.2.0 8.3.0
Suspicious .NET Code Compilation windows None ^1.5.0 1.16.0
Remote Desktop Enabled in Windows Firewall by Netsh endpoint None ^8.2.0 8.3.0
Remote Desktop Enabled in Windows Firewall by Netsh windows None ^1.5.0 1.16.0
Enable Host Network Discovery via Netsh endpoint None ^8.2.0 8.3.0
Enable Host Network Discovery via Netsh windows None ^1.5.0 1.16.0
Control Panel Process with Unusual Arguments endpoint None ^8.2.0 8.3.0
Control Panel Process with Unusual Arguments windows None ^1.5.0 1.16.0
ImageLoad via Windows Update Auto Update Client endpoint None ^8.2.0 8.3.0
ImageLoad via Windows Update Auto Update Client windows None ^1.5.0 1.16.0
Microsoft Build Engine Started by an Office Application endpoint None ^8.2.0 8.3.0
Microsoft Build Engine Started by an Office Application windows None ^1.5.0 1.16.0
Microsoft Build Engine Started by a Script Process endpoint None ^8.2.0 8.3.0
Microsoft Build Engine Started by a Script Process windows None ^1.5.0 1.16.0
Microsoft Build Engine Started by a System Process endpoint None ^8.2.0 8.3.0
Microsoft Build Engine Started by a System Process windows None ^1.5.0 1.16.0
Microsoft Build Engine Using an Alternate Name endpoint None ^8.2.0 8.3.0
Microsoft Build Engine Using an Alternate Name windows None ^1.5.0 1.16.0
Microsoft Build Engine Started an Unusual Process endpoint None ^8.2.0 8.3.0
Microsoft Build Engine Started an Unusual Process windows None ^1.5.0 1.16.0
Potential DLL SideLoading via Trusted Microsoft Programs endpoint None ^8.2.0 8.3.0
Potential DLL SideLoading via Trusted Microsoft Programs windows None ^1.5.0 1.16.0
Potential DLL Side-Loading via Microsoft Antimalware Service Executable endpoint None ^8.2.0 8.3.0
Potential DLL Side-Loading via Microsoft Antimalware Service Executable windows None ^1.5.0 1.16.0
Executable File Creation with Multiple Extensions endpoint None ^8.2.0 8.3.0
Executable File Creation with Multiple Extensions windows None ^1.5.0 1.16.0
Process Execution from an Unusual Directory endpoint None ^8.2.0 8.3.0
Process Execution from an Unusual Directory windows None ^1.5.0 1.16.0
Encoded Executable Stored in the Registry endpoint None ^8.2.0 8.3.0
IIS HTTP Logging Disabled endpoint None ^8.2.0 8.3.0
IIS HTTP Logging Disabled windows None ^1.5.0 1.16.0
Process Injection by the Microsoft Build Engine windows None ^1.5.0 1.16.0
InstallUtil Process Making Network Connections endpoint None ^8.2.0 8.3.0
InstallUtil Process Making Network Connections windows None ^1.5.0 1.16.0
Suspicious Endpoint Security Parent Process endpoint None ^8.2.0 8.3.0
Suspicious Endpoint Security Parent Process windows None ^1.5.0 1.16.0
Renamed AutoIt Scripts Interpreter endpoint None ^8.2.0 8.3.0
Renamed AutoIt Scripts Interpreter windows None ^1.5.0 1.16.0
Suspicious WerFault Child Process endpoint None ^8.2.0 8.3.0
Suspicious WerFault Child Process windows None ^1.5.0 1.16.0
Program Files Directory Masquerading endpoint None ^8.2.0 8.3.0
Program Files Directory Masquerading windows None ^1.5.0 1.16.0
Potential Windows Error Manager Masquerading endpoint None ^8.2.0 8.3.0
Potential Windows Error Manager Masquerading windows None ^1.5.0 1.16.0
Microsoft Windows Defender Tampering endpoint None ^8.2.0 8.3.0
Microsoft Windows Defender Tampering windows None ^1.5.0 1.16.0
Network Connection via Signed Binary endpoint None ^8.2.0 8.3.0
Network Connection via Signed Binary windows None ^1.5.0 1.16.0
MS Office Macro Security Registry Modifications windows None ^1.5.0 1.16.0
MsBuild Making Network Connections endpoint None ^8.2.0 8.3.0
MsBuild Making Network Connections windows None ^1.5.0 1.16.0
Mshta Making Network Connections endpoint None ^8.2.0 8.3.0
Mshta Making Network Connections windows None ^1.5.0 1.16.0
Network Connection via MsXsl endpoint None ^8.2.0 8.3.0
Network Connection via MsXsl windows None ^1.5.0 1.16.0
Unusual Network Activity from a Windows System Binary endpoint None ^8.2.0 8.3.0
Unusual Network Activity from a Windows System Binary windows None ^1.5.0 1.16.0
Parent Process PID Spoofing endpoint None ^8.2.0 8.3.0
Local Account TokenFilter Policy Disabled endpoint None ^8.2.0 8.3.0
Local Account TokenFilter Policy Disabled windows None ^1.5.0 1.16.0
Suspicious .NET Reflection via PowerShell windows None ^1.5.0 1.16.0
PowerShell Suspicious Payload Encoded and Compressed windows None ^1.5.0 1.16.0
PowerShell Script with Encryption/Decryption Capabilities windows None ^1.5.0 1.16.0
Potential Process Injection via PowerShell windows None ^1.5.0 1.16.0
Potential Process Herpaderping Attempt endpoint None ^8.2.0 8.3.0
Potential Process Herpaderping Attempt windows None ^1.5.0 1.16.0
Windows Firewall Disabled via PowerShell endpoint None ^8.2.0 8.3.0
Windows Firewall Disabled via PowerShell windows None ^1.5.0 1.16.0
Process Termination followed by Deletion endpoint None ^8.2.0 8.3.0
Suspicious Microsoft Diagnostics Wizard Execution endpoint None ^8.2.0 8.3.0
Suspicious Microsoft Diagnostics Wizard Execution windows None ^1.5.0 1.16.0
Unusual Child Processes of RunDLL32 endpoint None ^8.2.0 8.3.0
Unusual Child Processes of RunDLL32 windows None ^1.5.0 1.16.0
Scheduled Tasks AT Command Enabled endpoint None ^8.2.0 8.3.0
Scheduled Tasks AT Command Enabled windows None ^1.5.0 1.16.0
Potential Secure File Deletion via SDelete Utility endpoint None ^8.2.0 8.3.0
Potential Secure File Deletion via SDelete Utility windows None ^1.5.0 1.16.0
SIP Provider Modification endpoint None ^8.2.0 8.3.0
SolarWinds Process Disabling Services via Registry endpoint None ^8.2.0 8.3.0
SolarWinds Process Disabling Services via Registry windows None ^1.5.0 1.16.0
Suspicious CertUtil Commands endpoint None ^8.2.0 8.3.0
Suspicious CertUtil Commands windows None ^1.5.0 1.16.0
Suspicious Execution from a Mounted Device endpoint None ^8.2.0 8.3.0
Suspicious Execution from a Mounted Device windows None ^1.5.0 1.16.0
Suspicious Managed Code Hosting Process endpoint None ^8.2.0 8.3.0
Suspicious Managed Code Hosting Process windows None ^1.5.0 1.16.0
Suspicious Process Access via Direct System Call windows None ^1.5.0 1.16.0
Suspicious Process Creation CallTrace windows None ^1.5.0 1.16.0
Suspicious Script Object Execution endpoint None ^8.2.0 8.3.0
Suspicious Execution - Short Program Name endpoint None ^8.2.0 8.3.0
Suspicious Execution - Short Program Name windows None ^1.5.0 1.16.0
Suspicious WMIC XSL Script Execution endpoint None ^8.2.0 8.3.0
Suspicious WMIC XSL Script Execution windows None ^1.5.0 1.16.0
Suspicious Zoom Child Process endpoint None ^8.2.0 8.3.0
Suspicious Zoom Child Process windows None ^1.5.0 1.16.0
Unusual Executable File Creation by a System Critical Process endpoint None ^8.2.0 8.3.0
Unusual Executable File Creation by a System Critical Process windows None ^1.5.0 1.16.0
Unsigned DLL Side-Loading from a Suspicious Folder endpoint None ^8.2.0 8.4.1
Unusual File Creation - Alternate Data Stream endpoint None ^8.2.0 8.3.0
Unusual File Creation - Alternate Data Stream windows None ^1.5.0 1.16.0
Unusual Process Execution Path - Alternate Data Stream endpoint None ^8.2.0 8.3.0
Unusual Process Execution Path - Alternate Data Stream windows None ^1.5.0 1.16.0
Unusual Network Connection via DllHost endpoint None ^8.2.0 8.3.0
Unusual Network Connection via DllHost windows None ^1.5.0 1.16.0
Unusual Network Connection via RunDLL32 endpoint None ^8.2.0 8.3.0
Unusual Network Connection via RunDLL32 windows None ^1.5.0 1.16.0
Unusual Process Network Connection endpoint None ^8.2.0 8.3.0
Unusual Process Network Connection windows None ^1.5.0 1.16.0
Unusual Child Process from a System Virtual Process endpoint None ^8.2.0 8.3.0
Unusual Child Process from a System Virtual Process windows None ^1.5.0 1.16.0
Potential Evasion via Filter Manager endpoint None ^8.2.0 8.3.0
Potential Evasion via Filter Manager windows None ^1.5.0 1.16.0
Signed Proxy Execution via MS Work Folders windows None ^1.5.0 1.16.0
AdFind Command Activity endpoint None ^8.2.0 8.3.0
AdFind Command Activity windows None ^1.5.0 1.16.0
Enumeration of Administrator Accounts endpoint None ^8.2.0 8.3.0
Enumeration of Administrator Accounts windows None ^1.5.0 1.16.0
Account Discovery Command via SYSTEM Account endpoint None ^8.2.0 8.3.0
Account Discovery Command via SYSTEM Account windows None ^1.5.0 1.16.0
Enumerating Domain Trusts via NLTEST.EXE endpoint None ^8.2.0 8.3.0
Enumerating Domain Trusts via NLTEST.EXE windows None ^1.5.0 1.16.0
System Information Discovery via Windows Command Shell endpoint None ^8.2.0 8.3.0
System Information Discovery via Windows Command Shell windows None ^1.5.0 1.16.0
Group Policy Discovery via Microsoft GPResult Utility windows None ^1.5.0 1.16.0
Group Policy Discovery via Microsoft GPResult Utility endpoint None ^8.2.0 8.3.0
Windows Network Enumeration endpoint None ^8.2.0 8.3.0
Windows Network Enumeration windows None ^1.5.0 1.16.0
Peripheral Device Discovery endpoint None ^8.2.0 8.3.0
Peripheral Device Discovery windows None ^1.5.0 1.16.0
PowerShell Share Enumeration Script windows None ^1.5.0 1.16.0
PowerShell Suspicious Discovery Related Windows API Functions windows None ^1.5.0 1.16.0
External IP Lookup from Non-Browser Process endpoint None ^8.2.0 8.3.0
Enumeration of Privileged Local Groups Membership windows None ^1.5.0 1.16.0
Remote System Discovery Commands endpoint None ^8.2.0 8.3.0
Remote System Discovery Commands windows None ^1.5.0 1.16.0
Security Software Discovery using WMIC endpoint None ^8.2.0 8.3.0
Security Software Discovery using WMIC windows None ^1.5.0 1.16.0
System Time Discovery windows None ^1.5.0 1.16.0
System Time Discovery endpoint None ^8.2.0 8.3.0
Whoami Process Activity endpoint None ^8.2.0 8.3.0
Whoami Process Activity windows None ^1.5.0 1.16.0
Command Execution via SolarWinds Process endpoint None ^8.2.0 8.3.0
Command Execution via SolarWinds Process windows None ^1.5.0 1.16.0
Suspicious SolarWinds Child Process endpoint None ^8.2.0 8.3.0
Suspicious SolarWinds Child Process windows None ^1.5.0 1.16.0
Execution of COM object via Xwizard endpoint None ^8.2.0 8.3.0
Execution of COM object via Xwizard windows None ^1.5.0 1.16.0
Command Prompt Network Connection endpoint None ^8.2.0 8.3.0
Command Prompt Network Connection windows None ^1.5.0 1.16.0
Svchost spawning Cmd endpoint None ^8.2.0 8.3.0
Svchost spawning Cmd windows None ^1.5.0 1.16.0
Unusual Parent Process for cmd.exe endpoint None ^8.2.0 8.3.0
Unusual Parent Process for cmd.exe windows None ^1.5.0 1.16.0
Command Shell Activity Started via RunDLL32 endpoint None ^8.2.0 8.3.0
Command Shell Activity Started via RunDLL32 windows None ^1.5.0 1.16.0
Enumeration Command Spawned via WMIPrvSE endpoint None ^8.2.0 8.3.0
Enumeration Command Spawned via WMIPrvSE windows None ^1.5.0 1.16.0
Execution from Unusual Directory - Command Line endpoint None ^8.2.0 8.3.0
Execution from Unusual Directory - Command Line windows None ^1.5.0 1.16.0
Network Connection via Compiled HTML File endpoint None ^8.2.0 8.3.0
Network Connection via Compiled HTML File windows None ^1.5.0 1.16.0
Execution of File Written or Modified by Microsoft Office endpoint None ^8.2.0 8.3.0
Execution of File Written or Modified by Microsoft Office windows None ^1.5.0 1.16.0
Execution of File Written or Modified by PDF Reader endpoint None ^8.2.0 8.3.0
Execution of File Written or Modified by PDF Reader windows None ^1.5.0 1.16.0
Suspicious Portable Executable Encoded in Powershell Script windows None ^1.5.0 1.16.0
PowerShell PSReflect Script windows None ^1.5.0 1.16.0
PsExec Network Connection endpoint None ^8.2.0 8.3.0
PsExec Network Connection windows None ^1.5.0 1.16.0
Network Connection via Registration Utility endpoint None ^8.2.0 8.3.0
Network Connection via Registration Utility windows None ^1.5.0 1.16.0
Outbound Scheduled Task Activity via PowerShell endpoint None ^8.2.0 8.3.0
Outbound Scheduled Task Activity via PowerShell windows None ^1.5.0 1.16.0
Execution via local SxS Shared Module endpoint None ^8.2.0 8.3.0
Execution via local SxS Shared Module windows None ^1.5.0 1.16.0
Suspicious Cmd Execution via WMI endpoint None ^8.2.0 8.3.0
Suspicious Cmd Execution via WMI windows None ^1.5.0 1.16.0
Suspicious WMI Image Load from MS Office endpoint None ^8.2.0 8.3.0
Suspicious WMI Image Load from MS Office windows None ^1.5.0 1.16.0
Suspicious PDF Reader Child Process endpoint None ^8.2.0 8.3.0
Suspicious PDF Reader Child Process windows None ^1.5.0 1.16.0
Suspicious PowerShell Engine ImageLoad endpoint None ^8.2.0 8.3.0
Suspicious PowerShell Engine ImageLoad windows None ^1.5.0 1.16.0
Suspicious Process Execution via Renamed PsExec Executable endpoint None ^8.2.0 8.3.0
Suspicious Process Execution via Renamed PsExec Executable windows None ^1.5.0 1.16.0
Process Activity via Compiled HTML File endpoint None ^8.2.0 8.3.0
Process Activity via Compiled HTML File windows None ^1.5.0 1.16.0
Conhost Spawned By Suspicious Parent Process endpoint None ^8.2.0 8.3.0
Conhost Spawned By Suspicious Parent Process windows None ^1.5.0 1.16.0
Execution via MSSQL xp_cmdshell Stored Procedure endpoint None ^8.2.0 8.3.0
Execution via MSSQL xp_cmdshell Stored Procedure windows None ^1.5.0 1.16.0
Third-party Backup Files Deleted via Unexpected Process endpoint None ^8.2.0 8.3.0
Third-party Backup Files Deleted via Unexpected Process windows None ^1.5.0 1.16.0
Deleting Backup Catalogs with Wbadmin endpoint None ^8.2.0 8.3.0
Deleting Backup Catalogs with Wbadmin windows None ^1.5.0 1.16.0
Modification of Boot Configuration endpoint None ^8.2.0 8.3.0
Modification of Boot Configuration windows None ^1.5.0 1.16.0
High Number of Process and/or Service Terminations endpoint None ^8.2.0 8.3.0
High Number of Process and/or Service Terminations windows None ^1.5.0 1.16.0
Volume Shadow Copy Deleted or Resized via VssAdmin endpoint None ^8.2.0 8.3.0
Volume Shadow Copy Deleted or Resized via VssAdmin windows None ^1.5.0 1.16.0
Volume Shadow Copy Deletion via PowerShell endpoint None ^8.2.0 8.3.0
Volume Shadow Copy Deletion via PowerShell windows None ^1.5.0 1.16.0
Volume Shadow Copy Deletion via WMIC endpoint None ^8.2.0 8.3.0
Volume Shadow Copy Deletion via WMIC windows None ^1.5.0 1.16.0
Suspicious HTML File Creation endpoint None ^8.2.0 8.3.0
Windows Script Executing PowerShell endpoint None ^8.2.0 8.3.0
Windows Script Executing PowerShell windows None ^1.5.0 1.16.0
Windows Script Interpreter Executing Process via WMI endpoint None ^8.2.0 8.3.0
Windows Script Interpreter Executing Process via WMI windows None ^1.5.0 1.16.0
Microsoft Exchange Server UM Writing Suspicious Files endpoint None ^8.2.0 8.3.0
Microsoft Exchange Server UM Writing Suspicious Files windows None ^1.5.0 1.16.0
Microsoft Exchange Server UM Spawning Suspicious Processes endpoint None ^8.2.0 8.3.0
Microsoft Exchange Server UM Spawning Suspicious Processes windows None ^1.5.0 1.16.0
Microsoft Exchange Worker Spawning Suspicious Processes endpoint None ^8.2.0 8.3.0
Microsoft Exchange Worker Spawning Suspicious Processes windows None ^1.5.0 1.16.0
Suspicious MS Office Child Process endpoint None ^8.2.0 8.3.0
Suspicious MS Office Child Process windows None ^1.5.0 1.16.0
Suspicious MS Outlook Child Process endpoint None ^8.2.0 8.3.0
Suspicious MS Outlook Child Process windows None ^1.5.0 1.16.0
Unusual Child Process of dns.exe endpoint None ^8.2.0 8.3.0
Unusual Child Process of dns.exe windows None ^1.5.0 1.16.0
Unusual File Modification by dns.exe endpoint None ^8.2.0 8.3.0
Unusual File Modification by dns.exe windows None ^1.5.0 1.16.0
Suspicious Explorer Child Process endpoint None ^8.2.0 8.3.0
Suspicious Explorer Child Process windows None ^1.5.0 1.16.0
Service Command Lateral Movement endpoint None ^8.2.0 8.3.0
Service Command Lateral Movement windows None ^1.5.0 1.16.0
Incoming DCOM Lateral Movement via MSHTA endpoint None ^8.2.0 8.3.0
Incoming DCOM Lateral Movement via MSHTA windows None ^1.5.0 1.16.0
Incoming DCOM Lateral Movement with MMC endpoint None ^8.2.0 8.3.0
Incoming DCOM Lateral Movement with MMC windows None ^1.5.0 1.16.0
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows endpoint None ^8.2.0 8.3.0
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows windows None ^1.5.0 1.16.0
NullSessionPipe Registry Modification endpoint None ^8.2.0 8.3.0
Direct Outbound SMB Connection endpoint None ^8.2.0 8.3.0
Direct Outbound SMB Connection windows None ^1.5.0 1.16.0
Potential Remote Desktop Shadowing Activity endpoint None ^8.2.0 8.3.0
Potential Remote Desktop Shadowing Activity windows None ^1.5.0 1.16.0
Potential Lateral Tool Transfer via SMB Share endpoint None ^8.2.0 8.3.0
Potential Lateral Tool Transfer via SMB Share windows None ^1.5.0 1.16.0
Execution via TSClient Mountpoint endpoint None ^8.2.0 8.3.0
Execution via TSClient Mountpoint windows None ^1.5.0 1.16.0
Remote Execution via File Shares endpoint None ^8.2.0 8.3.0
Remote Execution via File Shares windows None ^1.5.0 1.16.0
Incoming Execution via WinRM Remote Shell endpoint None ^8.2.0 8.3.0
Incoming Execution via WinRM Remote Shell windows None ^1.5.0 1.16.0
WMI Incoming Lateral Movement endpoint None ^8.2.0 8.3.0
WMI Incoming Lateral Movement windows None ^1.5.0 1.16.0
Mounting Hidden or WebDav Remote Shares endpoint None ^8.2.0 8.3.0
Mounting Hidden or WebDav Remote Shares windows None ^1.5.0 1.16.0
Incoming Execution via PowerShell Remoting endpoint None ^8.2.0 8.3.0
Incoming Execution via PowerShell Remoting windows None ^1.5.0 1.16.0
RDP Enabled via Registry endpoint None ^8.2.0 8.3.0
RDP Enabled via Registry windows None ^1.5.0 1.16.0
Potential SharpRDP Behavior endpoint None ^8.2.0 8.3.0
Remote File Copy to a Hidden Share endpoint None ^8.2.0 8.3.0
Remote File Copy to a Hidden Share windows None ^1.5.0 1.16.0
Remote Windows Service Installed windows None ^1.5.0 1.16.0
Remotely Started Services via RPC endpoint None ^8.2.0 8.3.0
Remotely Started Services via RPC windows None ^1.5.0 1.16.0
Remote Logon followed by Scheduled Task Creation windows None ^1.5.0 1.16.0
Remote Scheduled Task Creation endpoint None ^8.2.0 8.3.0
Remote Scheduled Task Creation windows None ^1.5.0 1.16.0
Service Control Spawned via Script Interpreter endpoint None ^8.2.0 8.3.0
Service Control Spawned via Script Interpreter windows None ^1.5.0 1.16.0
Suspicious RDP ActiveX Client Loaded endpoint None ^8.2.0 8.3.0
Suspicious RDP ActiveX Client Loaded windows None ^1.5.0 1.16.0
Lateral Movement via Startup Folder endpoint None ^8.2.0 8.3.0
Lateral Movement via Startup Folder windows None ^1.5.0 1.16.0
AdminSDHolder Backdoor windows None ^1.5.0 1.16.0
Adobe Hijack Persistence endpoint None ^8.2.0 8.3.0
Adobe Hijack Persistence windows None ^1.5.0 1.16.0
Installation of Custom Shim Databases endpoint None ^8.2.0 8.3.0
Installation of Custom Shim Databases windows None ^1.5.0 1.16.0
Registry Persistence via AppCert DLL endpoint None ^8.2.0 8.3.0
Registry Persistence via AppCert DLL windows None ^1.5.0 1.16.0
Registry Persistence via AppInit DLL endpoint None ^8.2.0 8.3.0
Registry Persistence via AppInit DLL windows None ^1.5.0 1.16.0
Account Configured with Never-Expiring Password windows None ^1.5.0 1.16.0
First Time Seen Driver Loaded endpoint None ^8.2.0 8.6.1
Creation of a Hidden Local User Account endpoint None ^8.2.0 8.3.0
Creation of a Hidden Local User Account windows None ^1.5.0 1.16.0
Image File Execution Options Injection endpoint None ^8.2.0 8.3.0
Suspicious Startup Shell Folder Modification endpoint None ^8.2.0 8.3.0
Creation or Modification of a new GPO Scheduled Task or Service endpoint None ^8.2.0 8.3.0
Creation or Modification of a new GPO Scheduled Task or Service windows None ^1.5.0 1.16.0
Persistence via Scheduled Job Creation endpoint None ^8.2.0 8.3.0
Persistence via Scheduled Job Creation windows None ^1.5.0 1.16.0
Local Scheduled Task Creation endpoint None ^8.2.0 8.3.0
Local Scheduled Task Creation windows None ^1.5.0 1.16.0
Scheduled Task Created by a Windows Script endpoint None ^8.2.0 8.3.0
Scheduled Task Created by a Windows Script windows None ^1.5.0 1.16.0
Persistence via Microsoft Office AddIns endpoint None ^8.2.0 8.3.0
Persistence via Microsoft Office AddIns windows None ^1.5.0 1.16.0
Persistence via Microsoft Outlook VBA endpoint None ^8.2.0 8.3.0
Persistence via Microsoft Outlook VBA windows None ^1.5.0 1.16.0
KRBTGT Delegation Backdoor windows None ^1.5.0 1.16.0
New ActiveSyncAllowedDeviceID Added via PowerShell endpoint None ^8.2.0 8.3.0
New ActiveSyncAllowedDeviceID Added via PowerShell windows None ^1.5.0 1.16.0
Persistence via PowerShell profile endpoint None ^8.2.0 8.3.0
Persistence via PowerShell profile windows None ^1.5.0 1.16.0
Potential Modification of Accessibility Binaries endpoint None ^8.2.0 8.3.0
Potential Modification of Accessibility Binaries windows None ^1.5.0 1.16.0
Uncommon Registry Persistence Change endpoint None ^8.2.0 8.3.0
Account Password Reset Remotely windows None ^1.5.0 1.16.0
Startup or Run Key Registry Modification endpoint None ^8.2.0 8.3.0
Execution of Persistent Suspicious Program endpoint None ^8.2.0 8.3.0
Execution of Persistent Suspicious Program windows None ^1.5.0 1.16.0
A scheduled task was created windows None ^1.5.0 1.16.0
A scheduled task was updated windows None ^1.5.0 1.16.0
AdminSDHolder SDProp Exclusion Added windows None ^1.5.0 1.16.0
Unsigned DLL Loaded by Svchost endpoint None ^8.2.0 8.4.1
Suspicious service was installed in the system windows None ^1.5.0 1.16.0
Unusual Persistence via Services Registry endpoint None ^8.2.0 8.3.0
Startup Persistence by a Suspicious Process endpoint None ^8.2.0 8.3.0
Startup Persistence by a Suspicious Process windows None ^1.5.0 1.16.0
Startup Folder Persistence via Unsigned Process endpoint None ^8.2.0 8.3.0
Persistent Scripts in the Startup Directory endpoint None ^8.2.0 8.3.0
Persistent Scripts in the Startup Directory windows None ^1.5.0 1.16.0
Component Object Model Hijacking endpoint None ^8.2.0 8.3.0
Suspicious Image Load (taskschd.dll) from MS Office endpoint None ^8.2.0 8.3.0
Suspicious Image Load (taskschd.dll) from MS Office windows None ^1.5.0 1.16.0
Suspicious Execution via Scheduled Task endpoint None ^8.2.0 8.3.0
Suspicious Execution via Scheduled Task windows None ^1.5.0 1.16.0
Suspicious ImagePath Service Creation endpoint None ^8.2.0 8.3.0
System Shells via Services endpoint None ^8.2.0 8.3.0
System Shells via Services windows None ^1.5.0 1.16.0
Temporarily Scheduled Task Creation windows None ^1.5.0 1.16.0
Potential Persistence via Time Provider Modification endpoint None ^8.2.0 8.3.0
User Added to Privileged Group windows None ^1.5.0 1.16.0
User Account Creation endpoint None ^8.2.0 8.3.0
User Account Creation windows None ^1.5.0 1.16.0
Potential Application Shimming via Sdbinst endpoint None ^8.2.0 8.3.0
Potential Application Shimming via Sdbinst windows None ^1.5.0 1.16.0
Persistence via BITS Job Notify Cmdline endpoint None ^8.2.0 8.3.0
Persistence via BITS Job Notify Cmdline windows None ^1.5.0 1.16.0
Persistence via Hidden Run Key Detected endpoint None ^8.2.0 8.3.0
Persistence via Hidden Run Key Detected windows None ^1.5.0 1.16.0
Installation of Security Support Provider endpoint None ^8.2.0 8.3.0
Installation of Security Support Provider windows None ^1.5.0 1.16.0
Persistence via TelemetryController Scheduled Task Hijack endpoint None ^8.2.0 8.3.0
Persistence via TelemetryController Scheduled Task Hijack windows None ^1.5.0 1.16.0
Persistence via Update Orchestrator Service Hijack endpoint None ^8.2.0 8.3.0
Persistence via Update Orchestrator Service Hijack windows None ^1.5.0 1.16.0
Persistence via WMI Event Subscription endpoint None ^8.2.0 8.3.0
Persistence via WMI Event Subscription windows None ^1.5.0 1.16.0
Persistence via WMI Standard Registry Provider endpoint None ^8.2.0 8.3.0
Web Shell Detection: Script Process Child of Common Web Processes endpoint None ^8.2.0 8.3.0
Web Shell Detection: Script Process Child of Common Web Processes windows None ^1.5.0 1.16.0
Process Creation via Secondary Logon windows None ^1.5.0 1.16.0
Modification of the msPKIAccountCredentials windows None ^1.5.0 1.16.0
Disabling User Account Control via Registry Modification endpoint None ^8.2.0 8.3.0
Disabling User Account Control via Registry Modification windows None ^1.5.0 1.16.0
Startup/Logon Script added to Group Policy Object windows None ^1.5.0 1.16.0
Group Policy Abuse for Privilege Addition windows None ^1.5.0 1.16.0
Scheduled Task Execution at Scale via GPO windows None ^1.5.0 1.16.0
Potential Privilege Escalation via InstallerFileTakeOver endpoint None ^8.2.0 8.3.0
Potential Privilege Escalation via InstallerFileTakeOver windows None ^1.5.0 1.16.0
Service Creation via Local Kerberos Authentication windows None ^1.5.0 1.16.0
Potential LSA Authentication Package Abuse endpoint None ^8.2.0 8.3.0
Privilege Escalation via Named Pipe Impersonation endpoint None ^8.2.0 8.3.0
Privilege Escalation via Named Pipe Impersonation windows None ^1.5.0 1.16.0
Suspicious DLL Loaded for Persistence or Privilege Escalation endpoint None ^8.2.0 8.3.0
Suspicious DLL Loaded for Persistence or Privilege Escalation windows None ^1.5.0 1.16.0
Potential Port Monitor or Print Processor Registration Abuse endpoint None ^8.2.0 8.3.0
PowerShell Script with Token Impersonation Capabilities windows None ^1.5.0 1.16.0
Suspicious Print Spooler Point and Print DLL endpoint None ^8.2.0 8.3.0
Suspicious PrintSpooler Service Executable File Creation endpoint None ^8.2.0 8.3.0
Suspicious PrintSpooler Service Executable File Creation windows None ^1.5.0 1.16.0
Suspicious Print Spooler File Deletion endpoint None ^8.2.0 8.3.0
Suspicious Print Spooler File Deletion windows None ^1.5.0 1.16.0
Suspicious Print Spooler SPL File Created endpoint None ^8.2.0 8.3.0
Suspicious Print Spooler SPL File Created windows None ^1.5.0 1.16.0
Privilege Escalation via Windir Environment Variable endpoint None ^8.2.0 8.3.0
Potential Privileged Escalation via SamAccountName Spoofing windows None ^1.5.0 1.16.0
Remote Computer Account DnsHostName Update windows None ^1.5.0 1.16.0
SeDebugPrivilege Enabled by a Suspicious Process windows None ^1.5.0 1.16.0
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface endpoint None ^8.2.0 8.3.0
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface windows None ^1.5.0 1.16.0
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer endpoint None ^8.2.0 8.3.0
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer windows None ^1.5.0 1.16.0
UAC Bypass via ICMLuaUtil Elevated COM Interface endpoint None ^8.2.0 8.3.0
UAC Bypass via ICMLuaUtil Elevated COM Interface windows None ^1.5.0 1.16.0
UAC Bypass via DiskCleanup Scheduled Task Hijack endpoint None ^8.2.0 8.3.0
UAC Bypass via DiskCleanup Scheduled Task Hijack windows None ^1.5.0 1.16.0
UAC Bypass Attempt via Privileged IFileOperation COM Interface endpoint None ^8.2.0 8.3.0
UAC Bypass Attempt via Privileged IFileOperation COM Interface windows None ^1.5.0 1.16.0
Bypass UAC via Event Viewer endpoint None ^8.2.0 8.3.0
Bypass UAC via Event Viewer windows None ^1.5.0 1.16.0
UAC Bypass Attempt via Windows Directory Masquerading endpoint None ^8.2.0 8.3.0
UAC Bypass Attempt via Windows Directory Masquerading windows None ^1.5.0 1.16.0
UAC Bypass via Windows Firewall Snap-In Hijack endpoint None ^8.2.0 8.3.0
UAC Bypass via Windows Firewall Snap-In Hijack windows None ^1.5.0 1.16.0
Unusual Parent-Child Relationship endpoint None ^8.2.0 8.3.0
Unusual Parent-Child Relationship windows None ^1.5.0 1.16.0
Unusual Print Spooler Child Process endpoint None ^8.2.0 8.3.0
Unusual Print Spooler Child Process windows None ^1.5.0 1.16.0
Unusual Service Host Child Process - Childless Service endpoint None ^8.2.0 8.3.0
Unusual Service Host Child Process - Childless Service windows None ^1.5.0 1.16.0
Privileges Elevation via Parent Process PID Spoofing endpoint None ^8.2.0 8.3.0
Privilege Escalation via Rogue Named Pipe Impersonation windows None ^1.5.0 1.16.0
Process Created with an Elevated Token endpoint None ^8.2.0 8.4.1
Windows Service Installed via an Unusual Client windows None ^1.5.0 1.16.0

Do you anticipate and issues on the kibana side with us recommending the latest integration that's compatible to the rule, similar to how fleet recommends the latest?
Does it matter if the ^ is present or not in the version?

terrancedejesus

LGTM pending review from Garrett.

spong · 2023-01-26T01:07:16Z

@spong We're thinking about changing the releated integrations recommended versions from least_compatible based on the latest stack to latest_compatible.

If you take a look at some sample output, you can see the version differences where the first version is the least, and the second version is the latest.

Comparing Versions

Do you anticipate and issues on the kibana side with us recommending the latest integration that's compatible to the rule, similar to how fleet recommends the latest?

Does it matter if the ^ is present or not in the version?

Hmmmm, so this might cause some issue actually, or at least would require changes on the Kibana side to fully support. We're currently checking to see if the installed version is satisfied by the version the rule provides, as this is nice for the user since if the they already have the package installed, we just verify that their version is supported and we're good to go. If the rule starts providing only the concrete max version (as shown in the examples above), the user could have an older (still compatible) version installed, but now we're not going to be able to tell them that, just that they're not on the suggested version.

This would also become an issue when we stop publishing updates to older stack versions, but say a packages keeps releasing compatible upgrades -- we'd then not know if the new update is compatible if specifying the concrete max-supported (this could be avoided by continuing to provide the max compatible version in semver notation though).

The ^ from semver notation is just a way to specify that compatible versions must match the major, but that the minor and patch can be flexible. So while you mention the version as least_compatible based on the latest stack, it's really the full compatibility range, e.g.

For version: ^8.2.3
Supported versions: >=8.2.3, <9.0.0

and so if there's a more recent version of the package available between [8.2.3, 9`), it'll be recommended to the user.

Can we discuss this further in tomorrow's protections sync? Will be good to see the full picture here and also get @banderror's thoughts.

Mikaayenson · 2023-01-26T03:13:21Z

Can we discuss this further in tomorrow's protections sync? Will be good to see the full picture here and also get @banderror's thoughts.

Sounds good @spong. FYI we can easily add the ^. We're more concerned about if there will be any issues with recommending the latest compatible version at the time of releasing vs least compatible on the latest stack major.

Mikaayenson · 2023-01-26T16:01:09Z

Based on today's simplified protections wg discussion, we can close this PR in favor of the Kibana side PR that will recommend the latest version in the UI. This way we don't have to update existing logic that may hit unintended edge cases.

e.g Rule is deprecated and no longer receives an update for a later available integration version

spong · 2023-01-26T16:02:28Z

Here's the Kibana Issue for updating this logic: elastic/kibana#149606

add find_latest_compatible_version from #2470

1817c9d

Mikaayenson added python Internal python for the repository v8.7.0 labels Jan 25, 2023

Mikaayenson self-assigned this Jan 25, 2023

Mikaayenson requested a review from brokensound77 as a code owner January 25, 2023 18:59

Mikaayenson linked an issue Jan 25, 2023 that may be closed by this pull request

[FR] Recommend Latest Compatible Integration Versions #2494

Closed

Mikaayenson requested a review from terrancedejesus as a code owner January 25, 2023 18:59

github-actions bot added the backport: auto label Jan 25, 2023

Mikaayenson mentioned this pull request Jan 25, 2023

[FR] Add Integration Schema Query Validation #2470

Merged

3 tasks

least to latest

8f2c3e0

Mikaayenson requested a review from eric-forte-elastic January 25, 2023 21:13

terrancedejesus approved these changes Jan 25, 2023

View reviewed changes

meta -> metadata typo

b4a3988

Mikaayenson added 2 commits January 25, 2023 22:28

only get latest on prod rules.

3e0ef30

recommend latest and above

8ed526e

Mikaayenson closed this Jan 26, 2023

spong mentioned this pull request Jan 26, 2023

[Security Solution] Update Detections Related Integrations logic to install most recent compatible version elastic/kibana#149606

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FR] Recommend Latest Compatible Integration Versions #2495

[FR] Recommend Latest Compatible Integration Versions #2495

Mikaayenson commented Jan 25, 2023 •

edited

Loading

Mikaayenson commented Jan 25, 2023

terrancedejesus left a comment

spong commented Jan 26, 2023

Mikaayenson commented Jan 26, 2023

Mikaayenson commented Jan 26, 2023

spong commented Jan 26, 2023

[FR] Recommend Latest Compatible Integration Versions #2495

[FR] Recommend Latest Compatible Integration Versions #2495

Conversation

Mikaayenson commented Jan 25, 2023 • edited Loading

Issues

Summary

Testing

Mikaayenson commented Jan 25, 2023

terrancedejesus left a comment

Choose a reason for hiding this comment

spong commented Jan 26, 2023

Mikaayenson commented Jan 26, 2023

Mikaayenson commented Jan 26, 2023

spong commented Jan 26, 2023

Mikaayenson commented Jan 25, 2023 •

edited

Loading