Detections (2 new, multiple updated)
New VMware ESXi SSH Brute Force Detection
- Primary addition: ESXiMultipleFailedSSHLogin detection for VMware ESXi infrastructure
- Detects brute-force attacks against ESXi management interfaces over SSH (repeated failed logins)
- MITRE T1078 (Valid Accounts) technique coverage for ESXi hypervisor authentication
New Acronis Cyber Protect Cloud Solution
Complete new solution package with 4 detection rules and 13 hunting queries:
- Detection coverage: Abnormal IP logins, malicious URL access, ransomware infections, phishing attacks
- MITRE mapping: T1078 (Valid Accounts), T1204.001 (User Execution), T1486 (Data Encrypted for Impact), T1566 (Phishing)
- Data source: CommonSecurityLog events from Acronis audit and security platforms
Updated Solutions (13 solutions)
- Azure Firewall: Enhanced threat intelligence destination analysis
- Box: Query optimization across 5 detection rules and 10 hunting queries
- Microsoft Defender XDR: Attack Simulator training playbook improvements
- MongoDB Atlas: Updated Function App connector and documentation
- OneTrust: New CCF connector with DCR configuration for privacy platform logs
- SAP S4 Cloud Public Edition: Connector definition refinements
- Multiple others: Version bumps and packaging updates for Cisco Umbrella, ExtraHop, Tenable, VMRay, Wiz, Obsidian Datasharing
Affected Files
Primary new detections:
Solutions/VMWareESXi/Analytic Rules/ESXiMultipleFailedSSHLogin.yaml
Solutions/Acronis Cyber Protect Cloud/Analytic Rules/ (4 new detection rules)
Solutions/Acronis Cyber Protect Cloud/Hunting queries/ (13 new hunting queries)
Solutions/OneTrust/Data Connectors/OneTrustLogs_CCF/ (new CCF connector)
(packaging artefacts across 15+ solutions: various mainTemplate.json, createUiDefinition.json, zip packages)