Security Detection Update - 2025-05-30

I know I've been slacking with the updates!! Our IDE Team has been cranking through fixes and updates to many detections, making them higher fidelity, faster, and adding even more context. I'll save the massive amount of updates they've worked on over the past months for our monthly updates, and offer you up all of our net new detections below!

New Detections

This update introduces:

Entra ID: User Access Administrator Role Granted at Root Scope

New detection to track root permission assignments in Azure.

• Status: Enabled
• Log type requirement: Azure Directory Audit

Google Workspace: Login from Outside of Canada

New operational detection for our Canadian friends.

• Status: Disabled
• Log type requirement: Google Workspace

Microsoft 365: Authentication Outside of Australia

New detection for authentications outside of the region.

• Status: Disabled
• Log type requirement: Azure Directory Audit

Microsoft 365: User Session Token Anomaly

It's the token theft one! This detection is aiming to uncover session anomalies and deviations in normal behavior for potential token theft, cookie theft, and AiTM patterns. This is when the same session ID from the cookie/token is used across multiple devices, locations, IPs, etc. We are trying to uncover the cases where a cookie or token was stolen and replayed in order to gain access that is the real end-game goal. It surfaces potential accounts that are deviating from their normal behavior mathematically. A new anomaly based detection that aims to uncover 

• Status: Disabled
• Log type requirement: onelogin

OneLogin: User Suspended

An operational detection to alert responders to when a user in OneLogin is suspended.

• Status: Disabled
• Log type requirement: onelogin

SonicWall: 5+ Login Failures in 15 Minutes Followed by Successful Authentication

Surface successful logins to Sonicwall devices after multiple repeated failures.

• Status: Enabled
• Log type requirement: Sonicwall Traffic

Suspicious Double Extension File Execution

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe. Threat actors have used this to disguise their malicious exe files as a different file type.

• Status: Enabled
• Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
• More information: DarkGate Loader Malware Delivered via Microsoft Teams

Suspicious Execution of qwinsta.EXE

Monitors for suspicious execution of the qwinsta utility. Specifically for instances where it is launched via PowerShell remoting or the output is being redirected. 

• Status: Enabled
• Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
• More information: QakBot technical analysis

Suspicious Double Extension Shortcut (.LNK) File

Monitors for file creation events associated with shortcut (.LNK) files with a double extension.

• Status: Disabled
• Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
• More information: lnk2pwn

New Reports

Microsoft 365 - Application Consents Granted Previous 30 Days

Deprecated Detections

DFIR Report: Qbot Tier 1 Endpoint Command and Control

No longer supported by DFIR Report

SolarWinds Orion Sunburst Exploitation Attempt