Security Detection Update - 2025-05-30

Written by Amanda Berlin | May 30, 2025 5:03:34 PM

Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

Introduction and Overview

I know I've been slacking with the updates!! Our IDE Team has been cranking through fixes and updates to many detections, making them higher fidelity, faster, and adding even more context. I'll save the massive amount of updates they've worked on over the past months for our monthly updates, and offer you up all of our net new detections below!

New Detections

This update introduces:

Entra ID: User Access Administrator Role Granted at Root Scope

New detection to track root permission assignments in Azure.

Status: Enabled
Log type requirement: Azure Directory Audit

Google Workspace: Login from Outside of Canada

New operational detection for our Canadian friends.

Status: Disabled
Log type requirement: Google Workspace

Microsoft 365: Authentication Outside of Australia

New detection for authentications outside of the region.

Status: Disabled
Log type requirement: Azure Directory Audit

Microsoft 365: User Session Token Anomaly

It's the token theft one! This detection is aiming to uncover session anomalies and deviations in normal behavior for potential token theft, cookie theft, and AiTM patterns. This is when the same session ID from the cookie/token is used across multiple devices, locations, IPs, etc. We are trying to uncover the cases where a cookie or token was stolen and replayed in order to gain access that is the real end-game goal. It surfaces potential accounts that are deviating from their normal behavior mathematically. A new anomaly based detection that aims to uncover

Status: Disabled
Log type requirement: onelogin

OneLogin: User Suspended

An operational detection to alert responders to when a user in OneLogin is suspended.

Status: Disabled
Log type requirement: onelogin

SonicWall: 5+ Login Failures in 15 Minutes Followed by Successful Authentication

Surface successful logins to Sonicwall devices after multiple repeated failures.

Status: Enabled
Log type requirement: Sonicwall Traffic

Suspicious Double Extension File Execution

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe. Threat actors have used this to disguise their malicious exe files as a different file type.

Status: Enabled
Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
More information: DarkGate Loader Malware Delivered via Microsoft Teams

Suspicious Execution of qwinsta.EXE

Monitors for suspicious execution of the qwinsta utility. Specifically for instances where it is launched via PowerShell remoting or the output is being redirected.

Status: Enabled
Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
More information: QakBot technical analysis

Suspicious Double Extension Shortcut (.LNK) File

Monitors for file creation events associated with shortcut (.LNK) files with a double extension.