This month’s releases introduced new detections across Microsoft 365, Windows, macOS, and Fortigate to help identify phishing abuse, credential theft, remote access activity, and command-and-control techniques. Highlights include detections for device code phishing, DiskShadow credential dumping, Quick Assist and PDQ remote access activity, renamed Cloudflare tunneling tools, and WiFi credential extraction via netsh. We also improved detection accuracy across several existing rules, expanded investigation context for Cisco Umbrella and other logs, and added new API capabilities and fuzzy search for Organizations.
Detection Updates
| Log Type | Details |
|---|---|
| Azure Signin | NEW - Microsoft 365: Device Code Authentication Activity. Detects when a user authenticates via the device code flow. While this flow is used legitimately for devices without browsers, it is increasingly abused in phishing campaigns where attackers trick users into entering a device code on a legitimate Microsoft login page, granting the attacker access to the victim's account. Default state: Disabled |
| FortiGate IPS | NEW - FortiGate: Allowed Low/Info IPS Event. Detects low and informational severity IPS events on FortiGate devices that were allowed through rather than blocked. These events may indicate network reconnaissance or an IPS policy misconfiguration that should be reviewed. Default state: Disabled |
| macOS | NEW - MacOS: Possible Masquerading Malicious Code. Detects macOS masquerading behaviors, including processes impersonating Apple system binaries, AppleScript-based process renaming, and suspicious codesign --entitlements usage. This detection covers techniques used by TinyFUD-style malware to evade security tools on macOS endpoints. Default state: Enabled |
| Microsoft Defender | NEW - Microsoft Defender: Mail Bombing Activity. Surfaces Microsoft Defender alerts for email bombing activity. Attackers use inbox flooding as a distraction tactic before launching vishing (i.e., voice phishing) attacks or to bury legitimate security notification emails in a flood of messages. Default state: Enabled |
| Windows | NEW - Diskshadow Script Mode Execution. Detects diskshadow.exe executed in script mode (/s flag). While DiskShadow is a legitimate Windows utility for managing volume shadow copies, script mode is frequently abused by attackers to create shadow copies of system drives and extract credential databases such as SAM, SECURITY, or NTDS.dit. Default state: Enabled |
| Windows | NEW - IPsec NAT Traversal Port Activity. Detects IPsec NAT-T traffic (port 4500/UDP) originating from processes other than authorized VPN clients such as FortiClient, which may indicate tunneling or covert communication channels. Default state: Disabled |
| Windows | NEW - Remote Access Tool: Microsoft Quick Assist. Detects Microsoft Quick Assist process execution. Quick Assist is a built-in Windows remote support tool that threat actors have been observed abusing as a command-and-control channel during social engineering attacks. Default state: Disabled |
| Windows | NEW - Remote Access Tool: PDQ Remote Desktop Agent. Detects PDQ Remote Desktop Agent process execution. While commonly used for legitimate IT administration, attackers have been observed leveraging PDQ for remote access, lateral movement, and command-and-control activity. Default state: Enabled |
| Windows | NEW - Renamed Cloudflared.EXE Execution. Detects Cloudflare Tunnel (cloudflared) execution when the process has been renamed from its expected filename. Renaming cloudflared.exe is a common evasion technique used by attackers to disguise tunneling activity for command and control. Default state: Enabled |
| Windows | NEW - Suspicious Child Process of Notepad++ Updater (gup.EXE). Detects suspicious child processes spawned by the Notepad++ updater (gup.exe), such as cmd.exe, PowerShell, cscript, certutil, bitsadmin, or curl. This pattern matches supply-chain abuse scenarios where gup.exe is hijacked to download and execute second-stage payloads. Default state: Enabled |
| Windows | NEW - Suspicious Notepad++ Updater (gup.EXE) Execution Path. Detects gup.exe running from non-standard file paths outside of its expected Program Files or AppData locations. This behavior may indicate DLL side-loading, where gup.exe has been copied to an attacker-controlled directory alongside malicious DLLs. Default state: Enabled |
| Windows | NEW - Wireless Credential Dump via Netsh. Detects execution of netsh wlan export profile key=clear, which exports saved WiFi credentials in plaintext. Attackers use this technique to harvest wireless credentials for lateral movement or persistence. Default state: Enabled |
| Azure Signin | UPDATE - Azure: Entra ID Anomalous Agent Sign-In Activity. We added additional fields and improved exclusion logic to reduce false positives. |
| Cisco Umbrella | UPDATE - Cisco Umbrella Detections (8 detections). We added the hostname field to all Cisco Umbrella detections so that findings now display which host generated the traffic, making investigation faster. |
| Fortigate Virus | UPDATE - Fortigate: Allowed Virus Event. We refined the rule's detection logic to focus specifically on events with a passthrough status, improving signal quality by surfacing only virus events that were actively allowed through rather than blocked. |
| Microsoft 365 | UPDATE - Multiple M365 Login Detections. We excluded SAS:EndAuth request type events from all login-based M365 detections. These events were causing findings to display user GUIDs instead of email addresses, making it difficult to identify the affected user. |
| SentinelOne | UPDATE - SentinelOne: Unresolved Malicious Threat. We updated finding priority classification to better reflect the severity of unmitigated malicious threats. |
| Traffic | UPDATE - Anomalous Server Path Access. We added fields to help identify the log source generating the finding and modernized the analysis text for clearer investigation guidance. |
| Windows | UPDATE - Clearing of Windows Event Log. We clarified the channel_name field in the finding analysis to make it easier to identify which specific event log was cleared. |
| Windows | UPDATE - Process Running from Public Folder. We fixed the rule's detection logic to match only processes running from the Windows Public folder, preventing false positive findings that were being caused by other folder paths containing the word "public." |
| Windows | UPDATE - Registry Dump of SAM. We added an exclusion for Rapid7 Insight Agent activity, which was generating false positive findings during normal agent operations. |
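To make the Windows process-based rules above concrete, here is an added Python example (written for this page, not Blumira's own rule logic or event schema) that runs simplified versions of five of them over constructed process-creation events. The field names (`image`, `command_line`, `parent_image`, `original_file_name`) are assumed and mirror what Sysmon Event ID 1 or Windows 4688 with command-line auditing provides; the sample events are invented, and the matching conditions are my reading of each rule's description (script-mode flag for diskshadow, the `key=clear` export for netsh, a PE original filename of `cloudflared.exe` under a different on-disk name, the listed child processes of `gup.exe`, and `gup.exe` outside Program Files or AppData).

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events. Field names are an assumption modelled on
# Sysmon EID 1 / Windows 4688, not a real vendor schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\diskshadow.exe",
     "command_line": r"diskshadow.exe /s C:\Users\Public\vss.txt",
     "parent_image": r"C:\Windows\System32\cmd.exe", "original_file_name": "diskshadow.exe"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "command_line": r"netsh wlan export profile key=clear folder=C:\temp",
     "parent_image": r"C:\Windows\System32\cmd.exe", "original_file_name": "netsh.exe"},
    {"image": r"C:\Users\Public\svchost.exe",   # renamed on disk, PE metadata still says cloudflared
     "command_line": "svchost.exe tunnel run",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "cloudflared.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe", "original_file_name": "Cmd.Exe"},
    {"image": r"C:\Users\alice\Downloads\gup.exe",
     "command_line": "gup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "gup.exe"},
    # Benign events that should not fire.
    {"image": r"C:\Program Files\Notepad++\updater\gup.exe", "command_line": "gup.exe -v8.5",
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe", "original_file_name": "gup.exe"},
    {"image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "command_line": "cloudflared.exe tunnel run",
     "parent_image": r"C:\Windows\System32\services.exe", "original_file_name": "cloudflared.exe"},
    {"image": r"C:\Windows\System32\netsh.exe", "command_line": "netsh wlan show profiles",
     "parent_image": r"C:\Windows\System32\cmd.exe", "original_file_name": "netsh.exe"},
]

# Child processes of gup.exe called out in the rule description.
GUP_SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                           "certutil.exe", "bitsadmin.exe", "curl.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_expected_gup_path(path: str) -> bool:
    """True if gup.exe runs from Program Files or a user's AppData tree."""
    p = path.lower()
    return p.startswith(("c:\\program files\\", "c:\\program files (x86)\\")) or "\\appdata\\" in p


def evaluate(event: dict) -> list:
    """Return the names of the simplified rules that match one event."""
    hits = []
    img = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"].lower()
    orig = event.get("original_file_name", "").lower()

    # DiskShadow in script mode: a standalone /s or -s switch.
    if img == "diskshadow.exe" and re.search(r"(^|\s)[/-]s(\s|$)", cmd):
        hits.append("Diskshadow Script Mode Execution")
    # Plaintext WiFi profile export.
    if img == "netsh.exe" and all(t in cmd for t in ("wlan", "export", "profile", "key=clear")):
        hits.append("Wireless Credential Dump via Netsh")
    # PE OriginalFileName says cloudflared, but the on-disk name differs.
    if orig == "cloudflared.exe" and img != "cloudflared.exe":
        hits.append("Renamed Cloudflared.EXE Execution")
    # Notepad++ updater spawning a scripting/download utility.
    if parent == "gup.exe" and img in GUP_SUSPICIOUS_CHILDREN:
        hits.append("Suspicious Child Process of Notepad++ Updater (gup.EXE)")
    # Updater binary running outside its install or AppData location.
    if img == "gup.exe" and not is_expected_gup_path(event["image"]):
        hits.append("Suspicious Notepad++ Updater (gup.EXE) Execution Path")
    return hits


def scan(events: list) -> list:
    """(image, [matched rules]) for every event that fires at least one rule."""
    results = []
    for e in events:
        hits = evaluate(e)
        if hits:
            results.append((e["image"], hits))
    return results


if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The cloudflared check relies on the PE `OriginalFileName` field, which Sysmon records but the native 4688 event does not; without it, a renamed binary is only catchable by hash or by its command-line arguments, so the data source you collect determines which of these rules you can actually run.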
Bug Fixes and Improvements
Bug Fixes
- GCC High Cloud Connector: We fixed a bug that was preventing some customers from successfully configuring a new GCC High Cloud Connector in their accounts.
Improvements
API Endpoint Enhancements: Increased functionality with our API endpoints; see the full list in our Swagger documentation. Updates include:
- The ability to POST finding comments, finding resolutions, and finding assignees to Blumira.
- The ability to GET evidence for a finding, using the new /{finding_id}/evidence endpoint.
- The /agents/devices endpoint now exposes an is_domain_controller flag, enabling external tooling and workflows to target DCs explicitly.
January 2026 Release Notes
In case you missed the January updates, you can find and review those notes here.
Eric Pitt
Eric is a Product Marketing Manager at Blumira focusing on customer research and positioning to continuously improve the Blumira platform.