Release Notes - USMA R308 | April 2024
Important Communications
The following changes are coming soon and may impact your orchestration rules, filter rules, or other rules.
AR-10607 | Plugin Improvement: Mimecast
New Elements
AR-10670 | New Rule: CrowdStrike - Event Category Attacker_Methodology
AR-10669 | New Rule: CrowdStrike - Event Category Ransomware
AR-10663 | New Rule: CrowdStrike - Event Category Suspicious_Activity
AR-10647 | New Rule: CrowdStrike - Event Category Intel_Detection
AR-10645 | New Rule: CrowdStrike - Event Category Known_Malware
AR-10641 | New Rule: CrowdStrike - Event Category NGAV
AR-10640 | New Rule: Recon Activity Via Nltest.EXE
AR-10634 | New Plugin: SentinelOne - CVE
AR-10612 | New Rule: Windows - User Added To Highly Privileged Group
AR-10588 | New Rule: Check Point R80 - Smartdefense Low, Medium and High Severity Events
AR-10587 | New Rule: Cisco Lanscope - Remove Highlighted Fields "Custom Field 4" and "Custom Field 5"
AR-10585 | New Plugin: Barracuda WAF
AR-10571 | New Rule: Winlogon Shell Persistence - Potential KamiKakaBot Activity
AR-10567 | New Rule: CrowdStrike - Event Type DetectionSummaryEvent
AR-10556 | New Rule: BitDefender GravityZone - Antiphishing Events
AR-10480 | New Rule: Windows - Created Windows Shell from Critical Windows Process
AR-10456 | New Rule: Firepower Threat Defense - Malware Multiple Downloads Detection
AR-10455 | New Rule: Windows - Service Creation or Modification via PowerShell
AR-10357 | New Rule: Carbon Black Cloud - Known Malware Detection
AR-10711 | New Rule: UEBA - Anomalous RDP
Improvements
AR-10675 | Plugin Improvement: Additional Highlighted Fields for "Unusual Script Executed from Webserver"
AR-10531 | Rule Improvement: Detect Suspicious Execution of NirCmd.exe
AR-10530 | Rule Improvement: Windows - Adding cmdline Arguments for Raspberry Robin TTPs for WindowsDllSuspiciousLaunch
AR-10501 | Rule Improvement: Windows - Activity Related to PetitPotam.py
AR-10500 | Rule Improvement: Windows - Activity Related to smbexec.py
AR-10499 | Rule Improvement: Windows - Activity Related to getTGT and gets4uticket
AR-10498 | Rule Improvement: Windows - Activity Related to secretsdump
AR-10497 | Rule Improvement: Windows - Activity Related to RumCMPivot URL
AR-10496 | Rule Improvement: Windows - Activity Related to pyldapsearch, mSMSManagementPoint
AR-10495 | Rule Improvement: Windows - Activity Related to SQLRecon, sccmdecryptpoc
AR-10494 | Rule Improvement: Windows - Activity Related to SharpDPAPI, CCM_NetworkAccessAccount
AR-10493 | Rule Improvement: Windows - Activity Related to Powermad, SCCMWTF, addcomputer
AR-10491 | Rule Improvement: Windows - Activity Related to pxethief/pxethiefy
AR-10489 | Rule Improvement: Windows - Activity Related to certipy
AR-10488 | Rule Improvement: Windows - Activity Related to SCCMHunter
AR-10487 | Rule Improvement: Windows - Activity Related to SharpSCCM
AR-10481 | Rule Improvement: Windows - WindowsMemoryDumpTools
AR-10417 | Plugin Improvement: IBM AS400
AR-10406 | Rule Improvement: CrowdStrike Identity Protection - Break out Correlation Rules into More Severities
AR-10578 | Rule Improvement: UEBA - USM Keys Replacement
AR-10563 | Rule Improvement: UEBA - Updates Threshold Values and Remove Silent
Fixes
AR-10632 | Rule Improvement: Fix Failing Test for UserAddedToHighlyPrivilegedGroup
AR-10631 | Rule Improvement: SentinelOne - SentinelOneHighRiskIndicatorDetected
AR-10629 | Rule Improvement: Vectra - Remove Duplicated Lateral Movement
AR-10610 | Plugin Improvement: FatPipe SD-WAN
AR-10604 | Plugin Improvement: Fortinet FortiGate
AR-10603 | Plugin Improvement: Network Box
AR-10572 | Rule Improvement: VMware
AR-10517 | Rule Improvement: CrowdStrike - Update Alarm Priority
AR-10370 | Plugin Improvement: Windows - Parsing AccessMask
AR-10325 | Rule Improvement: Microsoft - Suspicious Process Created by Microsoft Office Application and Windows Unusual Office Child Process