What Changed
iboss Solution v3.1.3 adds two new Scheduled Analytic Rules that query ibossUrlEvent table data ingested via the ibossAma connector. The legacy OMS connector references removed in 3.1.2 are not re-introduced. A CI configuration update adds ibossAma to ValidConnectorIds.json.
Detection Logic
iboss - Command-and-Control Detected
- Source table: ibossUrlEvent
- Core logic: Filters rows where CNCDetected == 1, a flag set by the iboss gateway when traffic to a known or suspected C2 destination is observed. Projects EventTime, SrcUsername, Url, Domain, source/destination IP, port, action, category, and user-agent.
- Entity mappings: Account (SrcUsername), IP (SrcIpAddr), URL (Url)
- Frequency: 1h / 1h window, fires on any match
- Severity: High
iboss - Malware Detected
- Source table: ibossUrlEvent
- Core logic: Filters rows where MalwareDetected == 1, extends with FileHashAlgorithm = "SHA256", and projects FileSHA256 alongside connection metadata.
- Entity mappings: Account (SrcUsername), IP (SrcIpAddr), URL (Url), FileHash (FileSHA256)
- Frequency: 1h / 1h window, fires on any match
- Severity: High
MITRE Mapping
| Rule | Tactic | Technique |
|---|---|---|
| iboss - Command-and-Control Detected | Command and Control | T1071 - Application Layer Protocol |
| iboss - Malware Detected | Execution | T1204 - User Execution |
Notes
PR review flagged literal single quotes inside the YAML block-scalar description fields of both rules: a block scalar is taken verbatim, so the quotes will appear as-is in the Sentinel UI. This is cosmetic but may affect rule readability in the portal. Monitor for a follow-up patch.
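As an added illustration (not the solution's own rule file), the following shows how the Malware Detected logic, entity mappings, MITRE mapping and schedule described above fit together in a Sentinel Scheduled analytic rule template; the id is a placeholder, and the KQL projects only the columns the text names.

```yaml
# Added illustration, not the iboss solution's own ibossMalwareDetected.yaml.
# id is a placeholder; column names are limited to those named in the release notes.
id: 00000000-0000-0000-0000-000000000000
name: iboss - Malware Detected
# Block scalars are taken verbatim: a line like 'Detects malware' would keep
# its single quotes in the portal, which is the cosmetic issue noted above.
description: |
  Identifies connections the iboss gateway flagged as malware (MalwareDetected == 1)
  and surfaces the SHA256 of the file involved.
severity: High
requiredDataConnectors:
  - connectorId: ibossAma
    dataTypes:
      - ibossUrlEvent
queryFrequency: 1h      # run every hour
queryPeriod: 1h         # over the last hour of data
triggerOperator: gt     # fire on any match
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  - T1204
query: |
  ibossUrlEvent
  | where MalwareDetected == 1
  | extend FileHashAlgorithm = "SHA256"
  | project EventTime, SrcUsername, SrcIpAddr, Url, Domain, FileSHA256, FileHashAlgorithm
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: SrcUsername
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: FileHashAlgorithm
      - identifier: Value
        columnName: FileSHA256
version: 1.0.0
kind: Scheduled
```

The Command-and-Control rule follows the same shape with `CNCDetected == 1`, no FileHash entity, and the Command and Control / T1071 mapping from the table above.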
Affected Files
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/iboss/Analytic Rules/ibossCommandAndControlDetected.yaml
Solutions/iboss/Analytic Rules/ibossMalwareDetected.yaml
(packaging artefacts: 3.1.3.zip, ReleaseNotes.md, Solution_iboss.json, createUiDefinition.json, mainTemplate.json)