I know I've been slacking with the updates!! Our IDE Team has been cranking through fixes and updates to many detections, making them higher fidelity, faster, and adding even more context. I'll save the massive amount of updates they've worked on over the past months for our monthly updates, and offer you up all of our net new detections below!
This update introduces:
Entra ID: User Access Administrator Role Granted at Root Scope
New detection to track root permission assignments in Azure.
- Status: Enabled
- Log type requirement: Azure Directory Audit
Google Workspace: Login from Outside of Canada
New operational detection for our Canadian friends.
- Status: Disabled
- Log type requirement: Google Workspace
Microsoft 365: Authentication Outside of Australia
New detection for authentications outside of the region.
- Status: Disabled
- Log type requirement: Azure Directory Audit
Microsoft 365: User Session Token Anomaly
It's the token theft one! This detection is aiming to uncover session anomalies and deviations in normal behavior for potential token theft, cookie theft, and AiTM patterns. This is when the same session ID from the cookie/token is used across multiple devices, locations, IPs, etc. We are trying to uncover the cases where a cookie or token was stolen and replayed in order to gain access that is the real end-game goal. It surfaces potential accounts that are deviating from their normal behavior mathematically. A new anomaly based detection that aims to uncover
- Status: Disabled
- Log type requirement: onelogin
OneLogin: User Suspended
An operational detection to alert responders to when a user in OneLogin is suspended.
- Status: Disabled
- Log type requirement: onelogin
SonicWall: 5+ Login Failures in 15 Minutes Followed by Successful Authentication
Surface successful logins to Sonicwall devices after multiple repeated failures.
- Status: Enabled
- Log type requirement: Sonicwall Traffic
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe. Threat actors have used this to disguise their malicious exe files as a different file type.
Suspicious Execution of qwinsta.EXE
Monitors for suspicious execution of the qwinsta utility. Specifically for instances where it is launched via PowerShell remoting or the output is being redirected.
- Status: Enabled
- Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
- More information: QakBot technical analysis
Suspicious Double Extension Shortcut (.LNK) File
Monitors for file creation events associated with shortcut (.LNK) files with a double extension.
- Status: Disabled
- Log type requirement: Windows, Sysmon, or Blumira Agent for Windows
- More information: lnk2pwn
Microsoft 365 - Application Consents Granted Previous 30 Days
DFIR Report: Qbot Tier 1 Endpoint Command and Control
No longer supported by DFIR Report
SolarWinds Orion Sunburst Exploitation Attempt
