Update v8.8.6edit
This section lists all updates associated with version 8.8.6 of the Fleet integration Prebuilt Security Detection Rules.
| Rule | Description | Status | Version |
|---|---|---|---|
This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event. |
new |
1 |
|
This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. |
new |
1 |
|
This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data. |
new |
1 |
|
This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc. |
new |
1 |
|
Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match |
This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules. |
update |
204 |
This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules. |
update |
204 |
|
Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. |
update |
103 |
|
PowerShell Suspicious Script with Clipboard Retrieval Capabilities |
Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc. |
update |
4 |
Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. |
update |
107 |
|
Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information. |
update |
4 |
|
Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection. |
update |
5 |
|
Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions. |
update |
4 |