Releases: panther-labs/panther-analysis
v1.50.1
What's Changed
🏠 Pack & Rule changes by @nkulig in #618
🐛 Onepass filename fix by @andrea-youwakim in #629
Full Changelog: v1.50.0...v1.50.1
v1.50.0
What's Changed
🕵️‍♂️ Unmanaged Auth Detections for AWS, 1Password, Okta by @calkim-panther in #622
Full Changelog: v1.49.0...v1.50.0
v1.49.0
What's Changed
🕵️‍♂️ Crowdstrike queries: large zip creation, macos browser credential access by @calkim-panther in #579
🐛 fix: we should ignore iam:CreateAccessKey when errorCode is present by @edyesed in #614
🕵️‍♂️ Newly Written Rule: monitors and alerts on AWS IAM Group Read Only Events by @andrea-youwakim in #612
🏠 chore: update actions to use latest releases to get out of node12 by @edyesed in #616
🌯 IPInfo pack for detection engine by @debugmiller in #617
New Contributors
- @debugmiller made their first contribution in #617
Full Changelog: v1.48.0...v1.49.0
v1.48.0
New Detections
🕵️‍♂️ New Duo Rule: Duo Admin Bypass Code Viewed by @andrea-youwakim in #607
🕵️ New Rule: Duo Admin Lockout by @andrea-youwakim in #609
🕵️ zoom user to admin detection by @calkim-panther in #603
🌯 Duo pack updated from #607 and #609
Bug Fixes
🐛 fix: msft365 spells INFO severity as informational by @edyesed in #611
🐛 fix: gsuite activityevents can sometimes get a parameters key with a null value by @edyesed in #613
Full Changelog: v1.47.1...v1.48.0
v1.47.1
v1.47.0
New Detections
DUO
🕵️‍♂️ New Rule: DUO: User marked action as fraudulent by @jpl5280 in #582
🕵️ Add DUO rule: Auth denied due to anomalous push by @doyleish in #589
🕵️ New rule: Duo Admin App Integration Secret Key Viewed by @andrea-youwakim in #604
🕵️ New Duo Rule: Admin created a MFA bypass token for an application by @andrea-youwakim in #605
🕵️ New Duo Rules - Authentication and Administration by @doyleish in #606
GSuite/Google Workspace
🕵️‍♂️ Detection for Gsuite admin changing the workspace's calendar sharing setting to share outside of domain by @edyesed in #585
🕵️ Detection for a user making a GSuite calendar public by @edyesed in #591
🕵️ GSuite detections for admins modifying the trusted domains list and for admins executing a data export by @edyesed in #592
🕵️ gsuite detections around securitysandbox and password settings by @edyesed in #596
🕵️ New Google Workspace Rule to Monitor When Admin Provisions Custom Role by @andrea-youwakim in #595
🕵️ feat: Gsuite Gmail detections for when admins modify DefaultRoutingRules and Disable Pre-Delivery Scanning by @edyesed in #594
🕵️ Newly Written Rule: Google Workspace Apps Marketplace Allowlist by @andrea-youwakim in #599
🕵️ Newly Written Rule to monitor and alert on new domain applications being enabled from the google workspace apps marketplace by @andrea-youwakim in #600
🕵️ Newly Written Detection - Google Workspace Advanced Protection Program by @andrea-youwakim in #597
🕵️ New Rule to monitor and alert on new mobile apps added to an org's mobile app whitelist in google workspace apps by @andrea-youwakim in #601
GitHub
🕵️ New Github Organization Application Installation Rule by @andrea-youwakim in #584
🕵️ New Github Public Repo Creation Rule by @andrea-youwakim in #587
🕵️ Newly Created Github Rule to Monitor Repository Transfers by @andrea-youwakim in #598
Microsoft365
🕵️ Msf365 detections by @calkim-panther in #583
Okta
🕵️ Okta detections pt1 by @calkim-panther in #586
🕵️ Okta detections pt2 by @calkim-panther in #593
AWS
🕵️ CloudTrail based unsuccessful MFA login detection by @hbenac10 in #570
CrowdStrike
🕵️ crowdstrike rtr session by @miotke in #590
Atlassian
🕵️ Atlassian user logged in as user by @miotke in #602
Packs
🌯 Atlassian Pack from #602
🌯 Crowdstrike pack updated
🌯 Duo pack updated
🌯 GitHub pack updated
🌯 GSuite pack updated
Bug Fixes
🐛 Fix Spelling Errors by @jpl5280 in #580
🐛 AWS SAML provisioning should be permitted by the service role for AWSSSO by @edyesed in #581
🐛 Key fix in yml for newly merged Github App Installation for Organization Rule by @andrea-youwakim in #588
🐛 fix: yaml lines are not allowed to have \t as the first character by @edyesed in #608
New Contributors
- @hbenac10 made their first contribution in #570
- @miotke made their first contribution in #590
- @doyleish made their first contribution in #589
Full Changelog: v1.46.0...v1.47.0
v1.46.0
What's Changed
🕵️‍♂️ Nkulig mitre attack ta0007 t1087 by @nkulig in #567
🕵️‍♂️ Added new rule to alert on traffic mirroring events in AWS cloudtrail; tests included and pack updated by @andrea-youwakim in #555
🕵️‍♂️ sentinelone passthrough by @calkim-panther in #576
🕵️‍♂️ adding existing enabled s3 rules to prod after QA by @andrea-youwakim in #577
🌯 Add back Tor Exit Nodes LUT now that 1.45 is released by @rleighton in #539
🕵️‍♂️ adding qa'ed vpc flow rules to aws pack to make available to our customers by @andrea-youwakim in #578
Full Changelog: v1.45.0...v1.46.0
v1.45.0
New Detections
🕵️‍♂️ Github: New Secret Scanning Rule & Update Pack by @jpl5280 in #574
🕵️‍♂️ Adding qa tested aws guardduty rules to aws pack by @andrea-youwakim in #575
Full Changelog: v1.44.0...v1.45.0
v1.44.0
v1.43.0
New Detections
🕵️‍♂️ adding the final batch of qa tested already existing aws cloudtrail rules to prod by @andrea-youwakim in #569
Full Changelog: v1.42.0...v1.43.0