Update v8.3.4

edit

This section lists all updates associated with version 8.3.4 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Exchange Mailbox Export via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

new

1

Multiple Alerts in Different ATT&CK Tactics on a Single Host

This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

update

3

Multiple Alerts Involving a User

This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.

update

2

Exporting Exchange Mailbox via PowerShell

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

update

104

Suspicious WerFault Child Process

A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.

update

104