Update v8.7.8

edit

This section lists all updates associated with version 8.7.8 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Threat Intel IP Address Indicator Match

This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.

new

1

Threat Intel Hash Indicator Match

This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.

new

1

Threat Intel Windows Registry Indicator Match

This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.

new

1

Threat Intel URL Indicator Match

This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.

new

1

Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match

This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.

update

204

Deprecated - Threat Intel Indicator Match

This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations. This rule was deprecated. See the Setup section for more information and alternative rules.

update

204

Azure Full Network Packet Capture Detected

Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.

update

103

PowerShell Suspicious Script with Clipboard Retrieval Capabilities

Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.

update

4

PowerShell Keylogging Script

Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.

update

107

PowerShell Mailbox Collection Script

Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.

update

4

Potential Antimalware Scan Interface Bypass via PowerShell

Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.

update

5

PowerShell Script with Encryption/Decryption Capabilities

Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.

update

4