Threat Intelligence Release 319
Updated over a year ago

Release Notes – USMA R319 | Sept 2024

New Elements

AR-11278 | New Rule: Cloudflare - Log4shell attempt

AR-11277 | New Rule: Cloudflare - Shellshock attack observed

AR-11274 | New Rule: Cloudflare - API Token created

AR-11273 | New Rule: Cloudflare - Scanning tools - multiple attempts

AR-11272 | New Rule: Cloudflare - XSS attempt

AR-11271 | New Rule: Cloudflare - Path traversal attempt

AR-11270 | New Rule: Cloudflare - SQL Injection attempt

AR-11266 | New Plugin: Symantec Proxy SG

AR-11248 | New Rule: Windows - MSC File Inside Zip And *.exe.config File in \Public\

AR-11237 | New Rule: Review Mute and Aggregation of CrowdStrikeKnownMalwareHighDetection

AR-11236 | New Rule: OTX - Break Out ACSC Pulse into Separate Rules

AR-11219 | New Rule: AWS Web Application Firewall - GET Requests

AR-11218 | New Rule: DOS Detections

AR-11167 | New Rule: Detect Possible osx Keylogging Activity Via pbpaste

AR-11117 | New Rule: Kubernetes Admission Controller Modification

AR-10958 | New Rule: Uncommon File Creation by Mysql Daemon Process

Improvements

AR-11327 | Plugin Improvement: Mimecast Email Security - Parse Recipient Field to Source_Userid

AR-11325 | Plugin Improvement: AlienVault Agent Incorrect Path

AR-11319 | Plugin Improvement: IdP Audit Logs Improvements

AR-11316 | Rule Improvement: Create Correlation Lists for Mirai User-Agents

AR-11314 | Plugin Improvement: Zscaler ZPA

AR-11312 | Plugin Improvement: Office 365 Audit - Improved Parsing - Multiple Events

AR-11311 | Plugin Improvement: Proofpoint Targeted Attack Protection - Improved Parsing for Duplicate email_recipient -> Source_Process_User_ID and Parse URL fields.

AR-11310 | Rule Improvement: Anomalous RDP Configuration Change - Increase Priority from Low to High

AR-11305 | Plugin Improvement: Checkpoint Harmony Secured Entities - All the Events Are Getting Same Name

AR-11300 | Rule Improvement: Add Username Variable for Alarm Method Exchange - Suspicious Inbox Rule

AR-11297 | Plugin Improvement: Vectra Suspect Domain Activity - Request URL into Alarm Highlight Fields

AR-11294 | Rule Improvement: Improve Confidence of GappsPermissiveSharing

AR-11292 | Plugin Improvement: Cloudflare - Token Name

AR-11290 | Plugin Improvement: Google Cloud Kubernetes Engine - Map user_resource_type and apigroup

AR-11276 | Plugin Improvement: Cloudflare - User role

Fixes

AR-11296 | Plugin Improvement - File Integrity Monitoring (FIM) Using Defender for Cloud

AR-11291 | Plugin Improvement: Checkpoint Harmony - The Keys with Values As "Null" Are Getting Removed at USMA Events Raw Logs

AR-11289 | Plugin Improvement: Google Cloud Kubernetes Engine - Review Event_Action Field Mapping

AR-10579 | Rule Improvement: Compression Followed by Exfiltration in A Short Period of Time - Source Canonical Field Use with Event Collectors Causing False Positives
