v3.81.0

What's Changed

🕵️ New Detections

• GCP Compute Instance Sign-In by @ben-githubs in #1636
• GCP Tag Escalation by @akozlovets098 in #1627

🐛 Bug Fixes and Tunes

• Crowdstrike.Macos.Plutil.Usage tuning by @akozlovets098 in #1647

🏡 Miscellaneous

• Update base streaming rule cursor rule by @jacknagz in #1651
• Extract AWS account ID from unique ID by @arielkr256 in #1552
• Update naming conventions for internal GHA by @ben-githubs in #1652
• Update PAT to v1.0.1 by @ben-githubs in #1655

Full Changelog: v3.80.0...v3.81.0

v3.80.0

What's Changed

🌯 New Packs and Pack Expansion

• Anomaly detection pack by @arielkr256 in #1648

🐛 Bug Fixes and Tunes

• Tuning: false positives onCrowdstrike Unusual Parent Child Processes by @akozlovets098 in #1639
• Tuning: non-ASCII chars error in Execution of Command Line Tool with Base64 Encoded Arguments by @akozlovets098 in #1642
• Remove duplicate code by @akozlovets098 in #1640

🏡 Miscellaneous

• Update json schemas to support new optional CreatedBy field by @nskobov in #1644
• Fix GCP Workload Identity Pool rule title by @jamesejr in #1646
• Update push_security_phishable_mfa_method.py by @biancafu-panther in #1645
• Okta Rate Limit detection enhancements by @pageinsec in #1641
• Remove redundant dependencies by @ben-githubs in #1634
• build(deps): bump requests from 2.32.2 to 2.32.4 by @dependabot in #1630
• build(deps): bump urllib3 from 2.4.0 to 2.5.0 by @dependabot in #1638
• Claude.md by @arielkr256 in #1649

Full Changelog: v3.79.0...v3.80.0

v3.79.0

What's Changed

🔍️️ New Queries

• Fix peer group anomaly query to use correct time window for lookback by @ben-githubs in #1628

🐛 Bug Fixes and Tunes

• Github Repo Security Change: fix transition order by @ben-githubs in #1623

🏡 Miscellaneous

• Release 3.78 by @ben-githubs in #1620
• Made improvements to rule to catch suspicious login success events by @maxehio in #1625
• Restrict internal workflows to upstream repo only by @ben-githubs in #1626

New Contributors

• @maxehio made their first contribution in #1625

Full Changelog: v3.78.0...v3.79.0

v3.78.0

What's Changed

🐛 Bug Fixes and Tunes

• Mark policies as configuration required by @ben-githubs in #1603
• Update aws_unauthorized_api_call.py by adding p_log_type by @akozlovets098 in #1610
• Fix Snowflake queries syntax error by @akozlovets098 in #1616
• Tuning adjustments by @ben-githubs in #1618
• Okta VPN Login Title enhancement by @pageinsec in #1608
• Fiixing list conversion in AWS.CloudTrail.EventSelectorsDisabled by @th-intrusionops in #1583

🏡 Miscellaneous

• Remove set-output from Github Action by @le4ker in #1614
• Fix false positives on the deleted rule checks by @akozlovets098 in #1611
• Changes to some caching rules for time-based caching by @ben-githubs in #1619
• Add pre-commit hook by @le4ker in #1613
• Fixup: AWS get_actor_user by @pageinsec in #1600
• Add user-defined function to check the client's whitelisted IP address for impossible travel rule by @mustafa-intrusionops in #1601

New Contributors

• @th-intrusionops made their first contribution in #1583

Full Changelog: v3.77.0...v3.78.0

v3.77.0

What's Changed

🐛 Bug Fixes and Tunes

• Cloudflare.Firewall.L7DDoS: Remove deduplication by @ben-githubs in #1589
• Beta rules by @arielkr256 in #1593
• Unusual EC2 launch logic fixup by @pageinsec in #1580
• GCP.Destructive.Queries: More tuning by @ben-githubs in #1597
• Google.Workspace.ManyDocsDownloaded: Convert to Signal by @ben-githubs in #1606

🏡 Miscellaneous

• Update CONTRIBUTING.md by @le4ker in #1591
• Google.Workspace.ManyDocsDownloaded: Fix typos and move to beta status by @ben-githubs in #1595
• Fix schema by @arielkr256 in #1596
• Adjust AWS Potential Backdoor Lambda Function title by @pageinsec in #1598
• Ignore JWT mismatch in queries by @ben-githubs in #1599
• Add Dynamic Reference to Wiz Passthrough by @ben-githubs in #1585
• Update AWS rules to use new get_actor_user udm by @akozlovets098 in #1602
• Automate Airflow update process by @akozlovets098 in #1607

New Contributors

• @pageinsec made their first contribution in #1580

Full Changelog: v3.76.0...v3.77.0

v3.76.1

What's Changed

• Patch Release v3.76.0 by @ben-githubs in #1594

See v3.76.0 for full content descriptions.

Full Changelog: v3.75.0...v3.76.1

v3.76.0

What's Changed

🕵️ New Detections

• AWS Region Enabled by @akozlovets098 in #1558
• AWS VPC Endpoint Rules by @arielkr256 in #1553
• Orca Passthrough by @ben-githubs in #1540

⛅️️ New Policies

• Confused Deputy Protection for Resource Policies by @arielkr256 in #1546

🐛 Bug Fixes and Tunes

• Standard.AdminRoleAssigned: Add logic for edge cases for GitHub by @akozlovets098 in #1557
• AWS.EC2.LaunchUnusualEC2Instances: Add support for dictionary 'instanceType' values by @ben-githubs in #1561
• Github.Repo.VulnerabilityDismissed: Remove duplicate unit test by @ben-githubs in #1569
• Slack.AuditLogs.AppAccessExpanded: Fix false positives where new permissions aren't added by @mustafa-intrusionops in #1550
• AWS.EC2.MultiInstanceConnect: Only alert for distinct keys by @akozlovets098 in #1562
• AWS.Modify.Cloud.Compute.Infrastructure: General tuning by @akozlovets098 in #1567
• Tuning Snowflake.BruteForceBy* Rules: Ignore common false positives and return full events by @ben-githubs in #1559
• AWS.Lambda.UpdateFunction* Rules: Convert into signals by @le4ker in #1575
• Google.Drive.High.Download.Count: Fix line-too-long error in query, but also introduce streaming rule alternative by @ben-githubs in #1556
• Azure.Audit.RiskLevelPassthrough: Increase dedup period by @akozlovets098 in #1563
• Snowflake.DataTransferHistory: Rule was using non-existent field by @akozlovets098 in #1582
• AWS.IAM.AccessKeyCompromised: Update policy indicators by @jacknagz in #1571
• GCP.Destructive.Queries: Add dedup by @akozlovets098 in #1584
• Dedup tuning for multiple GCP rules @akozlovets098 in #1566
• Dedup tuning for two additional GCP rules by @akozlovets098 in #1568

🏡 Miscellaneous

• Make detection-coverage.json multi-line by @ben-githubs in #1564
• Introduce SECURITY.md by @le4ker in #1572
• Add mcp.json to gitignore by @ben-githubs in #1586

New Contributors

• @mustafa-intrusionops made their first contribution in #1550

Full Changelog: v3.75.0...v3.76.0

v3.75.1

What's Changed

🕵️ New Detections

• Stratus AWS SSM Detections by @ben-githubs in #1525
• Stratus AWS S3 Detections by @akozlovets098 in #1528

🔍️️ New Queries

• Add Anomaly Detection Queries by @ben-githubs in #1549

🐛 Bug Fixes and Tunes

• OnePassword.Unusual.Client Tuning by @arielkr256 in #1543
• Removed unknown login type from approved list by @arielkr256 in #1542
• Azure.Audit.RiskLevelPassthrough: dedup on just actor and not source IP by @ben-githubs in #1539
• Azure.Audit.RoleChangedPIM: Ensure Every Event is a Separate Alert by @ben-githubs in #1555

🏡 Miscellaneous

• Better VScode schemas by @arielkr256 in #1547
• Validate dedup by @arielkr256 in #1551
• Update PAT to v0.57.0 by @ben-githubs in #1554
• Enable sync to upstream Github action can change Github actions by @le4ker in #1548

Full Changelog: v3.74.0...v3.75.0

Full Changelog: v3.75.0...v3.75.1

v3.74.1

What's Changed

🕵️ New Detections

• Stratus-GCP-Exfiltration by @akozlovets098 in #1527

🐛 Bug Fixes and Tunes

• Fix Logic for Snowflake Configuration Drift Query by @arielkr256 in #1531
• Check for org ID restrictions in policies by @arielkr256 in #1533
• Fix Snowflake data exfiltration signals by @arielkr256 in #1544

🏡 Miscellaneous

• Revert "Validate on PR merge" by @arielkr256 in #1534
• Cursor Panthergen Rule by @jacknagz in #1538
• Revert Helper Backports by @ben-githubs in #1536
• Snowflake Data Exfil CR streaming by @arielkr256 in #1541

Full Changelog: v3.73.0...v3.74.0

Full Changelog: v3.74.0...v3.74.1

v3.73.1

What's Changed

🕵️ New Detections

• Add guardduty critical by @dgwhited in #1526

🐛 Bug Fixes and Tunes

• Tuning runbook for EC2 Download User Data by @arielkr256 in #1522
• Fix Unit Tests for Secrets Manager Multi-Region by @arielkr256 in #1524
• Enhanced Microsoft Exchange External Forwarding Detection by @arielkr256 in #1529

🏡 Miscellaneous

• Index stability for scheduled rules vs. scheduled queries by @mbellifa in #1520
• Sign generated indexes by @akozlovets098 in #1518
• Update TrailDiscover LUT to load from S3 by @arielkr256 in #1521
• Remove Dependabot config by @le4ker in #1523
• Remove references to p_udm by @arielkr256 in #1519

New Contributors

• @dgwhited made their first contribution in #1526

Full Changelog: v3.72.0...v3.73.0

Full Changelog: v3.73.0...v3.73.1