Okta SSO Detection Suite: Richer Alert Context, Configurable Thresholds, and Corrected Entity Mappings Across 9 Rules and 10 Hunting Queries

Nine Analytic Rules and ten Hunting Queries for Okta SSO have been overhauled with configurable thresholds, allowlist variables, improved JSON parsing, and corrected entity mappings, closing fidelity gaps that degraded Sentinel entity behaviour and alert context. Read More →

New Netskope Alerts and Events Solution: DLP, Shadow IT, and Malware Threat Visibility via CCF Blob Storage Connector

A new Microsoft Sentinel solution delivers full-stack Netskope Security Cloud visibility including DLP incidents, malware detections, policy enforcement, and Shadow IT via a CCF Blob Storage connector ingesting gzip-compressed positional CSV into a 254-column custom table. Read More →

New Gambit Security Solution: Cloud Security Posture Issues Now Ingestible via CCF Push Connector

Gambit Security new Microsoft Sentinel solution adds a CCF Push connector that ingests cloud security posture policy issues into a custom table, with a bundled parser and analytic rule for incident creation on High-severity active findings. Read More →

Azure WAF Log4j Detection Restored: Field Reference Errors Silenced the Rule Since v1.0.5

A broken column_ifexists reference caused the Azure WAF Log4j detection rule to silently miss exploit traffic in details_message and details_msg fields – any deployment running v1.0.5 had a gap in Log4Shell (CVE-2021-44228) coverage via WAF logs. Read More →

Azure WAF Log4j Detection: Schema Gap Closed for details_message_s and details_msg_s Fields

The AzureWAFmatching_log4j_vuln Analytic Rule was silently missing CVE-2021-44228 exploit attempts in WAF logs that surfaced details_message_s via AdditionalFields or used the details_msg_s column variant, leaving a schema-dependent blind spot in Log4Shell detection. Read More →

Recorded Future: Defender Portal Migration Breaks Incident Creation -- Playbooks Redesigned Around Analytic Rules

Recorded Future v3.2.20 removes direct incident creation from four playbooks (now incompatible with the unified Microsoft Defender portal) and introduces new Analytic Rules to restore incident generation from custom log tables. Read More →

Entra ID Brute-Force Detection: Sort Order Fix Corrects Anomaly Decomposition Input

The BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule was building unsorted time-series arrays for series_decompose_anomalies, meaning anomaly detection results could be incorrect or inconsistent across executions – this fix enforces chronological ordering and stable serialization before make_list. Read More →

Abnormal Security Solution: Full Detection Coverage Added for CCF Push Connector (v3.1.0)

The Abnormal Security solution now ships four scheduled Analytic Rules, four Hunting Queries, four parsers, a workbook, and a Playbook — closing a complete detection gap that existed since the CCF Push connector was introduced in v3.0.0 with no bundled detections. Read More →

New Solution: Vaikora for O365 Brings CTASD-Powered Phishing Quarantine Telemetry into Microsoft Sentinel

A brand-new Sentinel solution for Vaikora for O365 (by Data443) adds three Analytic Rules over the VaikoraO365_Quarantine_CL custom table – covering high-confidence phishing/suspected quarantine events, abnormal quarantine volume spikes, and engine-offline detection – plus an incident-response Playbook and a quarantine dashboard Workbook. Read More →

Darktrace CCF Connector: Account Entity Mapping Added to Analytic Rules, Closing SaaS Identity Correlation Gap

Two Darktrace Analytic Rules now map user account names as Account entities for SaaS/identity-based incidents, and the DarktraceIncidents_CL table gains a modelBreaches field exposing the full chain of associated model alerts – data that was previously absent from incident context. Read More →

iboss Solution 3.1.3: New Malware and C2 Analytic Rules for Web Gateway Telemetry

iboss Solution 3.1.3 ships two new Scheduled Analytic Rules that surface malware detections and C2 communications flagged by the iboss gateway, closing a detection gap for organizations relying solely on raw CommonSecurityLog ingestion. Read More →

Trend Micro Cloud App Security: CCF Connector Added with Dual-Schema Parser for Legacy and Modern Ingestion Paths

A new CCF-based Data Connector (TrendMicroCASConnector) is added alongside the existing Azure Functions connector, with the TrendMicroCAS parser updated to union both ingestion paths so all existing detections, hunting queries, and workbooks continue to work without modification. Read More →

Threat Intelligence (NEW): Broken Connector Mappings and Case-Sensitive Rule Names Fixed Across 36 Analytic Rules

Two customer-reported issues are resolved: EmailEvents and EmailUrlInfo rules were mapped to the wrong connectors (Office365 instead of MicrosoftThreatProtection), and inconsistent capitalisation in rule names was silently breaking customer Playbook automations. Read More →

SilkTyphoon Child Process Detection: Duplicate Connector Mapping Removed

The SilkTyphoonNewUMServiceChildProcess Analytic Rule carried a duplicate and mistyped connector entry (SecurityEvents instead of SecurityEvent) that could cause connector validation errors or unexpected behaviour in environments relying on connector dependency resolution. Read More →

Google Threat Intelligence: New GTI Relevance System Alerts Connector and Six Bundled Detections

A new Function App-based data connector ingests Google Threat Intelligence Relevance System Alerts into Sentinel, unlocking six new Analytic Rules that fire on high-severity, data-leak, initial access broker, and insider threat alert categories surfaced by the GTI platform. Read More →

Vaikora-AzureSecurityCenter: Three Analytic Rules and Playbook Completely Non-Functional Since Initial Deployment

The v3.0.0 solution was built against a fabricated alert API schema – the playbook crashed on ingestion, all three Analytic Rules queried a table that was never populated, and two install paths wrote to divergent tables, meaning zero Vaikora AI agent threat data reached Microsoft Sentinel from day one. Read More →

CiscoSEG and Infoblox NIOS Package Template Sync — Metadata and Version Normalisation

Package template refresh for CiscoSEG (3.0.5), Infoblox NIOS (3.0.5), and Windows Server DNS (3.0.1) solutions with no changes to detection logic, parser content, or connector ingestion configuration. Read More →

Microsoft Defender XDR: OAuth and Device-Code Phishing Hunting Queries Unblocked After ARM-TTK Pipeline Failure

Two Defender XDR hunting queries targeting OAuth consent and device-code phishing were blocked from pipeline validation due to ARM-TTK hardcoded URI false positives; KQL refactored to construct URLs via strcat(), restoring deployment and preserving detection semantics. Read More →

New eDCRule Solution: 10 Entra ID and Azure Subscription Analytic Rules for Privilege Escalation and Identity Abuse Detection

A new community solution adds 10 scheduled Analytic Rules (plus Chinese-localized counterparts) targeting Microsoft Entra ID privilege escalation, OAuth token abuse, federation trust tampering, and Azure VM Run Command abuse correlated with UEBA signals. Read More →

Darktrace CCF Migration: New ActiveAI Security Platform Connector Replaces Legacy REST API

New CCF-based Darktrace connector with enhanced visibility across six data streams and modernized detection logic. Read More →