Insights: elastic/detection-rules
Overview
1 Release published by 1 person
-
dev-v1.1.0
published
Apr 24, 2025
21 Pull requests merged by 9 people
-
fix: Cleaning up the hashable content for the rule
#4621 merged
Apr 24, 2025 -
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation
#4648 merged
Apr 24, 2025 -
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md
#4649 merged
Apr 24, 2025 -
Fix versions for changes in required_fileds
#4640 merged
Apr 24, 2025 -
[Rule Tuning] User Added to Privileged Group in Active Directory
#4646 merged
Apr 24, 2025 -
[Rule Tuning] Replace legacy winlog.api usage
#4647 merged
Apr 24, 2025 -
Add 8.18 and 9.0 beats schemas
#4641 merged
Apr 24, 2025 -
[New Hunt] New Hunting Queries for DPRK ByBit
#4644 merged
Apr 23, 2025 -
[New] Suspicious Azure Sign-in via Visual Studio Code
#4639 merged
Apr 23, 2025 -
[New] RemoteMonologue Attack rules
#4604 merged
Apr 22, 2025 -
[New Rule] Potential Malicious PowerShell Based on Alert Correlation
#4635 merged
Apr 22, 2025 -
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading
#4547 merged
Apr 22, 2025 -
[New Rule] Potential PowerShell Obfuscation via String Reordering
#4595 merged
Apr 22, 2025 -
[New Rule] Threat Intel Email Indicator Match
#4598 merged
Apr 22, 2025 -
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs
#4627 merged
Apr 22, 2025 -
[New Rule] Dynamic IEX Reconstruction via Method String Access
#4634 merged
Apr 22, 2025 -
[Tuning] MacOS DR Tuning PR
#4546 merged
Apr 21, 2025 -
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified
#4625 merged
Apr 21, 2025 -
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration
#4626 merged
Apr 21, 2025 -
[New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses
#4624 merged
Apr 17, 2025 -
[Bug] Update Schema Prompt to include new_terms_fields
#4567 merged
Apr 17, 2025
6 Pull requests opened by 6 people
-
[Rule Tuning] Reduce Severity from Critical to High
#4637 opened
Apr 22, 2025 -
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client
#4642 opened
Apr 23, 2025 -
Mark extensions
#4643 opened
Apr 23, 2025 -
[Tuning] Update DPRK ByBit Hunting Queries
#4645 opened
Apr 23, 2025 -
[FR] Add check-version-lock dev command
#4650 opened
Apr 24, 2025 -
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0
#4652 opened
Apr 24, 2025
3 Issues closed by 2 people
-
[New Rule] Create Threat Intel Indicator Match Rule for Emails
#2890 closed
Apr 22, 2025 -
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs
#4611 closed
Apr 22, 2025 -
[Bug] Creating New Terms via CLI
#4566 closed
Apr 17, 2025
2 Issues opened by 2 people
-
[Rule Tuning] Google Workspace Admin Role Assigned to a User
#4651 opened
Apr 24, 2025 -
Rule suggestion process
#4636 opened
Apr 21, 2025
15 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
[New Rule] Adding Coverage for `AWS IAM or STS API Calls via Temporary Session Tokens`
#4628 commented on
Apr 23, 2025 • 4 new comments -
[New Rule] Adding Coverage for `AWS S3 Static Site JavaScript File Uploaded`
#4617 commented on
Apr 22, 2025 • 2 new comments -
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse
#4632 commented on
Apr 17, 2025 • 1 new comment -
[FR] CLI function to check a cluster for Deprecated Rules
#4553 commented on
Apr 21, 2025 • 0 new comments -
[FR] Tag Deprecated rules as deprecated
#2327 commented on
Apr 21, 2025 • 0 new comments -
[Rule Tuning] Suspicious Execution from a Mounted Device
#4603 commented on
Apr 22, 2025 • 0 new comments -
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce
#4405 commented on
Apr 22, 2025 • 0 new comments -
[enhancement] In esql validation, allow any order of metadata
#4579 commented on
Apr 23, 2025 • 0 new comments -
[New] Windows Sandbox with Sensitive Configuration
#4606 commented on
Apr 17, 2025 • 0 new comments -
[New Rule] Potential PowerShell Obfuscation via String Concatenation
#4607 commented on
Apr 17, 2025 • 0 new comments -
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction
#4608 commented on
Apr 17, 2025 • 0 new comments -
[New Rule][BBR] Potential PowerShell Obfuscation via High Special Character Proportion
#4629 commented on
Apr 17, 2025 • 0 new comments -
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
#4630 commented on
Apr 17, 2025 • 0 new comments -
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion
#4631 commented on
Apr 17, 2025 • 0 new comments -
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables
#4633 commented on
Apr 17, 2025 • 0 new comments