Cloudflare CCF Workbook: Fixed Field Mapping for New CCF Schema

Corrected workbook queries to use normalized ASIM fields from Cloudflare CCF connector, resolving visualization errors from legacy field references. Read More →

Hunting Query: Ephemeral Code Signing Certificates for Malware-Signing-as-a-Service Detection

New hunting query identifies short-lived code signing certificates (≤14 days) on non-developer endpoints to detect Fox Tempest MSaaS operations. Read More →
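As an added illustration of the technique this entry describes (this is example KQL written for this page, not the query shipped in the content hub), the following Advanced Hunting query flags files signed by certificates whose validity window is 14 days or shorter on devices that have not run signing or build tooling. The developer heuristic (signtool.exe / devenv.exe / msbuild.exe seen in the last 30 days), the 14-day threshold and the exclusion of Microsoft-rooted chains are this example's assumptions:

```kusto
// Added example, not the content hub's own query.
// Hunt for code-signing certificates with a validity window of <= 14 days,
// observed on devices that show no developer/signing tooling in the lookback.
// ASSUMPTION: the tooling list and the 14-day threshold are chosen for this example.
let lookback = 30d;
let max_validity_days = 14;
// Devices where signing/build tooling has executed are treated as developer endpoints.
let dev_devices =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("signtool.exe", "devenv.exe", "msbuild.exe")
    | distinct DeviceId;
DeviceFileCertificateInfo
| where Timestamp > ago(lookback)
| where IsSigned == true
| where isnotempty(CertificateCreationTime) and isnotempty(CertificateExpirationTime)
// Validity window in days, taken directly from the certificate's NotBefore/NotAfter.
| extend ValidityDays = datetime_diff('day', CertificateExpirationTime, CertificateCreationTime)
| where ValidityDays <= max_validity_days
| where DeviceId !in (dev_devices)
// Microsoft-rooted chains are excluded; the interesting signers chain to third-party CAs.
| where IsRootSignerMicrosoft == false
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Devices = dcount(DeviceId), Files = dcount(SHA1),
            SampleDevice = any(DeviceName)
          by Signer, Issuer, CertificateSerialNumber, ValidityDays
| order by Devices desc, FirstSeen asc
```

Grouping by serial number rather than by file hash is deliberate: a malware-signing service typically reuses one short-lived certificate across many payloads, so the signer row surfaces the campaign even when every binary differs.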

Hunting Query: Rootkit Network Evasion Detection via Firewall-EDR Telemetry Delta

New hunting query detects kernel-level rootkits bypassing EDR network telemetry by comparing perimeter firewall logs against Microsoft Defender for Endpoint data streams. Read More →
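To show the telemetry-delta idea concretely, here is an added example query (written for this page, not the query in the content hub) that takes outbound flows the perimeter firewall recorded from a host that Defender for Endpoint is otherwise reporting for, and keeps only those flows with no matching DeviceNetworkEvents record in the same time bucket. It assumes firewall logs land in CommonSecurityLog via CEF, that private source IPs map one-to-one to endpoints (no NAT between host and firewall), and that the 1-hour bucket and 5-flow threshold are reasonable starting points; all three are assumptions of this example:

```kusto
// Added example, not the content hub's own query.
// Firewall-observed flows that never show up in the host's own EDR network telemetry.
// A persistent gap of this kind is the signal a kernel-level network-hiding rootkit produces.
// ASSUMPTION: CEF firewall logs in CommonSecurityLog, no NAT between host and firewall,
// 1h buckets and a >= 5 missing flows threshold are this example's choices.
let window = 1d;
let bucket = 1h;
// Allowed outbound flows as the firewall saw them.
let fw_flows =
    CommonSecurityLog
    | where TimeGenerated > ago(window)
    | where DeviceAction !in~ ("deny", "drop", "block")
    | where ipv4_is_private(SourceIP)
    | project Bucket = bin(TimeGenerated, bucket), SourceIP, DestinationIP,
              DestinationPort = toint(DestinationPort);
// Network telemetry the endpoint agent itself reported in the same window.
let edr_flows =
    DeviceNetworkEvents
    | where Timestamp > ago(window)
    | where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
    | project Bucket = bin(Timestamp, bucket), SourceIP = LocalIP,
              DestinationIP = RemoteIP, DestinationPort = RemotePort, DeviceName;
// Only hosts that are onboarded and actively reporting; otherwise a gap just means "not onboarded".
let reporting_hosts = edr_flows | distinct SourceIP;
fw_flows
| where SourceIP in (reporting_hosts)
// leftanti keeps firewall flows with no EDR record for the same 4-tuple in the same bucket.
| join kind=leftanti edr_flows on Bucket, SourceIP, DestinationIP, DestinationPort
| summarize MissingFlows = count(), Destinations = dcount(DestinationIP), Buckets = dcount(Bucket),
            SampleDestinations = make_set(strcat(DestinationIP, ":", DestinationPort), 5)
          by SourceIP
| where MissingFlows >= 5
// Attach the device name MDE knows the IP by.
| join kind=inner (edr_flows | summarize DeviceName = any(DeviceName) by SourceIP) on SourceIP
| project-away SourceIP1
| order by MissingFlows desc
```

Expect some benign deltas (flows from before onboarding, clock skew across a bucket boundary, DHCP reassignments); the `Buckets` column helps separate a host that is consistently under-reporting from one that crossed a boundary once.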

Google Threat Intelligence Solution: Custom Connector Deployment Prerequisites Clarified

Solution metadata updated to warn customers that Playbooks require manual deployment of the GTI custom Logic Apps connector before use. Read More →

GitHub Actions Security: npm Scripts Disabled and Workflow Permissions Tightened

CI hardening prevents npm lifecycle script execution and restricts slash-command dispatch to authorized repository members only. Read More →

Defender for Endpoint: Cryptographic Identity Baselining Hunting Query for Process Network Anomalies

New hunting query detects first-time network connections by processes using cryptographic signer baselining to defeat DLL sideloading and BYOTA attacks. Read More →

ASIM AssetEntity Schema: Three New Fields Added in v1.0.0 Release

ASIM AssetEntity schema upgraded to v1.0.0 with three new fields for enhanced entity correlation and snapshot tracking. Read More →

Entra ID Attack Chain Correlation: Three New Hunting Queries for Sequential Compromise Patterns

Three hunting queries detect multi-event attack chains in Entra ID, such as a privileged role grant followed by a credential being added to a service principal, or MFA being disabled followed by a sign-in from an unknown IP. Read More →
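The first chain can be expressed as a time-bounded self-join over AuditLogs. The query below is an added example for this page, not one of the three queries in the pack: it pairs a privileged role grant with a later service-principal credential addition by the same initiating identity. The 2-hour window, the role list, and reading the role name from `TargetResources[0].modifiedProperties` are this example's assumptions:

```kusto
// Added example, not the hunting pack's own query.
// Chain: privileged role grant -> service principal credential added, same actor, within a window.
// ASSUMPTION: 2h window and the privileged role list are this example's choices.
let window = 2h;
let lookback = 7d;
let privileged_roles = dynamic(["Global Administrator", "Privileged Role Administrator",
                                "Application Administrator", "Cloud Application Administrator"]);
let role_grants =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Add member to role" and Result == "success"
    // The granted role name lives in modifiedProperties as a JSON-encoded string value.
    | mv-apply mp = TargetResources[0].modifiedProperties on (
        where mp.displayName == "Role.DisplayName"
        | extend RoleName = tostring(parse_json(tostring(mp.newValue)))
      )
    | where RoleName in (privileged_roles)
    | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
    | project GrantTime = TimeGenerated, Actor, RoleName,
              GrantTarget = tostring(TargetResources[0].userPrincipalName),
              GrantCorrelationId = CorrelationId;
let sp_cred_adds =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName in ("Add service principal credentials",
                              "Update application – Certificates and secrets management")
      and Result == "success"
    | extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
    | project CredTime = TimeGenerated, Actor, CredOperation = OperationName,
              CredTarget = tostring(TargetResources[0].displayName),
              CredCorrelationId = CorrelationId;
role_grants
| join kind=inner sp_cred_adds on Actor
// Keep only credential additions that happened after the grant and inside the window.
| where CredTime between (GrantTime .. (GrantTime + window))
| extend MinutesBetween = datetime_diff('minute', CredTime, GrantTime)
| project GrantTime, CredTime, MinutesBetween, Actor, RoleName, GrantTarget,
          CredOperation, CredTarget, GrantCorrelationId, CredCorrelationId
| order by GrantTime asc
```

Joining on the initiating identity rather than on the target is what makes this a chain: the same operator grants the role and then plants the long-lived credential that survives a password reset. Both correlation IDs are kept so each half can be pulled up in the portal.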

Phishing Detection: Raw IP URLs in Delivered Email

New hunting query identifies delivered emails using raw IPv4 addresses as URL domains to detect phishing campaigns bypassing domain reputation systems. Read More →
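As an added example of this detection (written for this page, not the query in the content hub), the query below selects delivered messages whose URL host is a bare IPv4 literal and aggregates by that host. Dropping private and loopback ranges as noise, the 7-day lookback, and the host regex are this example's assumptions:

```kusto
// Added example, not the content hub's own query.
// Delivered email containing URLs whose host is a raw IPv4 address (no domain to score).
// ASSUMPTION: private/loopback hosts are treated as noise; 7d lookback chosen for the example.
let lookback = 7d;
let ipv4_host = @"^(\d{1,3}\.){3}\d{1,3}$";
EmailUrlInfo
| where Timestamp > ago(lookback)
| where UrlDomain matches regex ipv4_host
// Intranet links and localhost are not what this hunt is after.
| where not(ipv4_is_private(UrlDomain)) and not(ipv4_is_in_range(UrlDomain, "127.0.0.0/8"))
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              SenderMailFromAddress, Subject, ThreatTypes
  ) on NetworkMessageId
| summarize Recipients = dcount(RecipientEmailAddress), Messages = dcount(NetworkMessageId),
            FirstSeen = min(Timestamp), Urls = make_set(Url, 5),
            Senders = make_set(SenderFromAddress, 5), SampleSubject = any(Subject)
          by UrlDomain
| order by Recipients desc
```

Note that `ThreatTypes` is carried through: a row where it is empty and the message was still delivered is the case that slipped past reputation scoring, which is the gap this hunt targets.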

Entra ID Hunting Pack: Defense Weakening and Privilege Abuse Detection

Three hunting queries targeting silent defense weakening techniques and off-hours privilege escalation in Entra ID environments. Read More →

LSASS Credential Dumping: Resilient Behavioral Detection Pack Added

Three new hunting queries detect LSASS memory dumping from the behavior of the access itself rather than from brittle timing windows or known tool names. Read More →

BloodHound Enterprise: Logo Update Aligns Solution Branding

Updated BloodHound Enterprise solution logo to current SpecterOps branding. Read More →

Fortinet FortiGate Playbook: Function App Authentication Security Hardening

Playbook Function App authentication level upgraded from anonymous to function-level, so the function can no longer be invoked by anyone who knows its URL without a function key. Read More →

Cyren Defender Threat Intelligence: New IP and Malware URL Ingestion for Microsoft Sentinel

Content Hub solution adds Cyren threat intelligence feeds for IP reputation and malware URL indicators via automated Logic App playbook. Read More →

Entra ID Workload Identity and Privileged Role Hunting Pack: Three New Detection Queries

New hunting pack targeting workload identity abuse and privileged role assignment anomalies, closing coverage gaps around service principal credential theft and PIM bypass techniques. Read More →

ETW-Resistant .NET Fileless Injection Detection via Kernel-Level CLR Loading

New hunting query detects fileless .NET execution even when attackers patch ETW by monitoring kernel-level .NET runtime DLL loading in native processes and untrusted paths. Read More →

CrowdStrike Content Doctor Enhancement: Improved Detection Logic and Alert Customization

Content Doctor improvements to CrowdStrike Falcon detection rules enhancing KQL logic, MITRE mappings, and alert presentation for critical/high severity detections. Read More →

Microsoft Defender XDR: New Hunting Query for Delegate Mailbox Phish Reporting Analysis

New hunting query helps identify the actual user who reported a phishing message when recipients and actors differ in delegate or shared mailbox scenarios. Read More →

OpenAI Connector: Migration to ASIM Standard Improves AI Monitoring Normalization

OpenAI chat completions data now ingests to ASimAgentEventLogs standard table, enabling standardized AI usage monitoring and cross-product correlation. Read More →

SailPoint IdentityNow: Publisher Migration to Microsoft Public Preview

SailPoint IdentityNow solution metadata updated for Microsoft-published Public Preview release with no functional changes to identity monitoring capabilities. Read More →