Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

This document describes new and enhanced features for the FortiSIEM 6.2.0 (build) release.

New Features

MITRE ATT&CK Framework Support

The MITRE ATT&CK framework is defined as a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk. This release adds comprehensive support for the MITRE ATT&CK framework. The currently supported version is 0.8. This release provides the following features:

  • Ability to associate a MITRE technique to a FortiSIEM (built in or custom) rule

  • Over 950 built in rules to detect a wide variety of MITRE techniques

  • Ability to assign techniques and tactics to Rules and search incidents by techniques and tactics

  • ATT&CK Rule Coverage Dashboard that displays rules associated with a tactic or technique

  • ATT&CK Incident Coverage Dashboard that displays incidents associated with a tactic or technique

  • Enhanced ATT&CK Incident Explorer Dashboard that provides a host centric view of hosts triggering various techniques and tactics.

For information on defining a technique to a rule, see Technique in Step 3: Define Actions in Creating a Rule.

For information on searching incidents by technique or tactic, see Searching for MITRE ATT&CK Incidents.

For Rule Coverage Dashboard information, see Rule Coverage View.

For Incident Coverage Dashboard information, see Incident Coverage View.

Note: Attack View in 6.1.x, is now the MITRE ATT&CK Incident Explorer View in 6.2.x.

Pre-computed Queries

Aggregated searches with large time windows can be expensive, specially in a high EPS environment. This release enables you to set up pre-computation schedules. FortiSIEM will pre-compute search results at user specified intervals, enabling users to run faster searches against pre-computed results.

This feature was introduced for FortiSIEM EventDB in Release 5.3.3 and has been ported over to this release. In addition, pre-computation using Elasticsearch is also supported in this release using Elasticsearch Rollup functionality. For details, see here.

There are two limitations for Elasticsearch based pre-computation:

  1. Pre-computation is available only from the time the schdule is defined. Unlike FortiSIEM EventDB, the system does not pre-compute historial results. This limitation is a results of the Elasticsearch APIs.

  2. Because Elasticsearch does roll up in a different index, pre-computation based search results may differ significantly from regular search results if the number of events matching the filter condition for the specified pre-computation interval exceeds 100K. Fortinet recommends users to first run the pre-computation query over the interval and make sure that the number of results is less than 100K.

For details on setting up pre-computed searches, see Setting Up Pre-computation.

Incident Remediation Workflow

Currently, any FortiSIEM user with Write permission to the Incident page can remediate an incident by running remediation scripts. In this release, a role permission is introduced to provide finer control over a user who can remediate an incident immediately and a user who requires approval to remediate an incident. The general workflow follows:

  • Full Admin users set up Incident remediation roles and users

    • Role and users who can remediate an incident, and role and users who must get approval to remediate an incident

    • Role and users who can approve incident remediation approval requests.

  • A user that cannot remediate an incident can request permission to remediate.

  • Once an approver approves the request, the user can then remediate the incident.

For details on setting up remediation roles, see steps 6 and 7 in Adding a New Role.

For details on remediating incidents using workflow, see Creating a Remediation action.

For details on approver handling requests, see Approving a de-anonymization request.

An example setup workflow is provided here.

External Authentication via SAML

Currently, FortiSIEM users can be authenticated as (a) local authentication, (b) external authentication via Active Directory or LDAP, and (c) Single Sign On via OKTA. This release generalizes OKTA based authenication to external authentication via Security Association Markup Language (SAML).

A user must first create an External Authentication entry via SAML in FortiSIEM. If the SAML Identity Provide provides Role information, the user has to map the SAML Role to the FortiSIEM Role. Otherwise, the user has to manually define the FortiSIEM Role for SAML users. A role is required for a user to be able to log in to FortiSIEM.

For details, see Configuring FortiSIEM for SAML Overview.

Scale Out UEBA and State Persistence

This release adds two enhancements.

  • Scale out design - The AI module now runs on Super and Worker nodes. All Agent activity is routed to one node in a sticky manner. If a Worker is down, Agent events are routed to another Worker. If a Worker is added, then new Agents are routed to that Worker.

  • Persistence – AI models are now persisted across AI module restarts.

For information on setting up UEBA, see here.

Key Enhancements

Elasticsearch Enhancements

This release adds the following enhancements to FortiSIEM Elasticsearch support.

  • Support for Elastic Cloud

  • Support for Elasticsearch version 7.8. - See the Elasticsearch table for version support in each deployment.

  • Support for Cold Data Node – in this node, indices are frozen and saved to disk, thereby saving heap memory. Data can be moved from Hot to Warm to Cold data nodes, either based on disk space, or time duration using the Elasticsearch index lifecycle management (ILM) feature. This allows more event storage in Cold Data Nodes since the heap memory constraint is eliminated. Regardless of the node type, events can be queried wherever they reside. When a query hits Cold nodes, further queries run a bit slower since the indices have to be loaded to memory. This feature is not available on AWS Elasticsearch Service and Elastic Cloud. General workflow information is available here.

  • Age based Retention/Index Lifecycle Management (ILM) – in earlier releases, disk thresholds could be specified to determine when data would move from Hot to Cold node. In this release, the number of days can be specified for each data node type. FortiSIEM will move data from Hot to Warm to Cold based on space thresholds or time duration limit, whichever occurs first. This feature is not available on AWS Elasticsearch Service and Elastic Cloud. Retention configuration details are available here. Default setting information is available here.

  • Queries with multi-field term aggregation is now sorted. For example, when the Group By and Display Fields option is used for "Reporting IP" and "Reporting Device" using "COUNT(Matched Events)" in descending (DESC) order, the count appears in descending order.

  • Support for Java Transport Client API is removed.

  • With Elasticsearch 7.x, the index refresh rate is reduced to 15 seconds. This enables users to search all data, except for the last 15 seconds. Choosing an even lower index refresh rate may lower the event indexing speed.

There are 3 distinct Elasticsearch deployments. This table shows the versions and features supported for each deployment type. Please also see the list of Elasticsearch related known issues in Known Issues and in the Appendix.

Elasticsearch Deployment

Supported Versions

API (Insertion and Search)

Supported Data Node Types

Disk Space based Retention

Age based retention (ILM)

Self-Managed (On-Prem or Hosted) 5.6, 6.4, 6.8, 7.8 REST Hot, Warm, Cold Yes Yes (6.8 and above)
AWS Elasticsearch Service 6.8, 7.8 REST N/A Yes No
Elastic Cloud 6.8 REST N/A Yes No

 

Real Time Archive for Elasticsearch

For Elasticsearch deployments, users can choose NFS or HDFS as Archive. Currently, when Elasticsearch disk space capacity is close to full, events are read from Elasticsearch and then archived to NFS or HDFS. For high EPS scenarios, this can be a very expensive operation and may impact Elasticsearch cluster performance.

In this release, users can choose to store events to both Elasticsearch and Archive (NFS or HDFS) in parallel, when the event arrives to FortiSIEM. Events are stored in two stores at the same time, but this reduces the need to archive when Elasticsearch disk space is full or Index Life-cycle Management (ILM) policies kick in. At that time, data is simply purged from Elasticsearch, which is an inexpensive operation.

For details on how to set up Real time Archive for Elasticsearch, see Setting Up the Database (NFS) or Setting Up the Database (HDFS).

SVN-lite for Storing Monitored Files

FortiSIEM can detect file changes in network devices and servers. In earlier releases, these files were stored in SVN. Since SVN stores incremental changes, older files could not be deleted, even when the device is deleted.

In this release, a new SVN-lite service is introduced to manage files. From a user perspective, there is no change except that a user is able to delete files from the GUI. Files are also automatically deleted when a device is deleted. When upgrading from earlier releases to 6.2.0, older files are migrated from SVN to SNV-lite format.

For details on where you can delete files, see the table in Viewing Device Information.

A few implementation notes:

  • Files are stored in /svn/repos. Files are organized by ordId and then deviceId. deviceId is teh PostgreSQL Device Id. To conserve disk space, a limited number of file revisions are kept based on the following threholds defined in /opt/phoenix/config/svnlite.properties on the Supervisor node.

    svnlite.store.dir = /svn/repos
    svnlite.revisions.keep = 100
    svnlite.revisions .purge = 5

     

    svnlite.revisions.keep defines how many revisions are kept for each file. Older revisions are automatically deleted. svnlite.revisions.purge defines how many files are deleted at a time when the upper limit of svnlite.revisions.keep is reached.

     

  • During a 6.2.0 upgrade, up to 100 revisions of each file are migrated to SVN-lite.

Windows Agent 4.1 Enhancements

This release adds the following enhancements for Windows Agent.

  • Agent will restart automatically after 1 minute if it is killed. See here.

  • Service protection – A user cannot Stop/Restart/Pause the agent from Service Manager. See here.

  • Users can change the logging level without restarting service by changing the registry key. See here for more information. Registry key instructions follow:

    • Open HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent key

    • To update with trace logging, modify “LogLevel” value to “2” from “1”.

    • To update with debug logging, modify “LogLevel” value to “1” from “2”.

  • The Agent Database is used to store Agent configuration parameters and to store events when connectivity to collectors is lost. The default size for your Agent Database is 1GB. This can be changed by modifying the MaxDBSizeInMB entry in your Registry Editor. See here for more information.

Details are documented in Configuring Windows Agent.

Event Forwarding from Super/Worker

FortiSIEM can forward the events it receives to a third party system. Normally, events are forwarded by the node (Worker, Collector, Super) that parsed the event. This release allows you to force events to only be forwarded by Workers (and Super). Users can choose this as part of their Event Forwarding policy, see here.

Super Global Dashboard

This release adds the concept of a Super Global dashboard that is only available for Super Global users in service provider installations. All regular dashboards are now only available as Organization level. Super Global users can define their own dashboards that are only visible for Super Global users.

Windows and Linux Agent Health Dashboard

This release provides a separate health dashboard for FortiSIEM agents. See ADMIN > Health > Agent Health. For details, see here.

Note: If you've upgraded your FortiSIEM to 6.2.0 from an older version, the dashboard will show an inaccurate agent version, or no version. You will need to re-install your agents with a new version after upgrading FortiSIEM to 6.2.0 to resolve this issue. If an old version is installed for an agent, the dashboard will still show no version or an inaccurate version for that agent. See Linux and/or Windows Agent guides for uninstall and installation steps. Upgrading your collectors to 6.2.0 is recommended (please see the FortiSIEM Version Compatibility Matrix for details).

Ability to Activate or Deactivate Multiple Rules with One Click

Users often need to activate or deactivate all rules in one folder, and could only perform this action on individual rules. This release enables users to activate or deactivate multiple rules in one click.

For details, see Activating/Deactivating Multiple Rules.

System Upgrade

This release includes several third party software upgrades - CentOS 8.3, PostgreSQL 13.2, Glassfish 5.0, JDK 1.8.0_272, php 7.4, nodejs 14.15.0, Hibernate 5, and Apache 2.4.37 (patched by Redhat).

Upgrade Overview

For software installations, the upgrade path is pre-5.3.0->5.4.0->6.1.1->6.2.0.
Specifically:

  • From pre-5.3.0 releases, first upgrade to 5.4.0, then migrate to 6.1.1, and then upgrade to 6.2.0.

  • From 5.4.0, migrate to 6.1.1, and then upgrade to 6.2.0.

  • If you are running 6.1.0, 6.1.1, or 6.1.2, then upgrade to 6.2.0.

For hardware installations, 6.1.1 is not available, so the migration path is pre-5.3.0->5.4.0->6.1.2->6.2.0.
Specifically:

  • From pre-5.3.0 releases, first upgrade to 5.4.0, then migrate to 6.1.2, and then upgrade to 6.2.0.

  • From 5.4.0, migrate to 6.1.2, and then upgrade to 6.2.0.

  • If you are running 6.1.2, then upgrade to 6.2.0.

These steps are documented in detail in the Upgrade Guide.

Points to consider before upgrade:

  1. For your Supervisor and Worker, do not use the upgrade menu item in configFSM.sh to upgrade from 6.1.x to 6.2.0. This is deprecated, so it will not work. Use the new method as instructed in the Upgrade Guide.
  2. The 6.2.0 upgrade will attempt to migrate existing SVN files (stored in /svn) from the old svn format to the new svn-lite format. During this process, it will first export /svn to /opt and then import them back to /svn in the new svn-lite format. If your /svn uses a large amount of disk space, and /opt does not have enough disk space left, then migration will fail. Fortinet recommends doing the following steps before upgrading:
    • Check /svn usage
    • Check if there is enough disk space left in /opt to accommodate /svn
    • Expand /opt by the size of /svn
    • Begin upgrade

    Steps for expanding /opt disk:

    1. Go to the Hypervisor and increase the /opt disk by the size of /svn disk

    2. # ssh into the supervisor as root

    3. # lsblk

      NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      ...
      sdb           8:16   0  100G  0 disk            << old size
      ├─sdb1        8:17   0 22.4G  0 part [SWAP]
      └─sdb2        8:18   0 68.9G  0 part /opt
            ...
      
    4. # yum -y install cloud-utils-growpart gdisk

    5. # growpart /dev/sdb 2
      CHANGED: partition=2 start=50782208 old: size=144529408 end=195311616 new: size=473505759 end=524287967

    6. # lsblk

      Changed the size to 250GB for example:
      #lsblk
      NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      ...
      sdb           8:16   0  250G  0 disk            <<< NOTE the new size for the disk in /opt
      ├─sdb1        8:17   0 22.4G  0 part [SWAP]
      └─sdb2        8:18   0 68.9G  0 part /opt
      ...
      

       

    7. # xfs_growfs /dev/sdb2

      meta-data=/dev/sdb2              isize=512    agcount=4, agsize=4516544 blks
               =                       sectsz=512   attr=2, projid32bit=1
               =                       crc=1        finobt=1, sparse=1, rmapbt=0
               =                       reflink=1
      data     =                       bsize=4096   blocks=18066176, imaxpct=25
               =                       sunit=0      swidth=0 blks
      naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
      log      =internal log           bsize=4096   blocks=8821, version=2
               =                       sectsz=512   sunit=0 blks, lazy-count=1
      realtime =none                   extsz=4096   blocks=0, rtextents=0
      data blocks changed from 18066176 to 59188219
      
    8. # df -hz

      Filesystem           Size  Used Avail Use% Mounted on
      ...
      /dev/sdb2            226G  6.1G  220G   3% /  << NOTE the new disk size
      
  3. If you are using AWS Elasticsearch, then after upgrading to 6.2.0, take the following steps:
    1. Go to ADMIN > Setup > Storage> Online.
    2. Select "ES-type" and re-enter the credential.
  4. In 6.1.x releases, new 5.x collectors could not register to the Supervisor. This restriction has been removed in 6.2.0 so long as the Supervisor is running in non-FIPS mode. However, 5.x collectors are not recommended since CentOS 6 has been declared End of Life.
  5. If you have more than 5 Workers, Fortinet recommends using at least 16 vCPU for the Supervisor and to increase the number of notification threads for RuleMaster. To do this, SSH to the Supervisor and take the following steps:
    1. Modify the phoenix_config.txt file, located at /opt/phoenix/config/ with

      #notification will open threads to accept connections
      #FSM upgrade preserves customer changes to the parameter value
      #notification_server_thread_num=50

      Note: The default notification_server_thread_num is 20.
    2. Restart phRuleMaster.
  6. Upgrading Elasticsearch Transport Client usage - The Transport Client option has been removed as Elasticsearch no longer supports that client. If you are using Transport Client in pre-6.2.0, you will need to modify the existing URL by adding "http://" or "https://" in front of the URL field after upgrading, as displayed in ADMIN > Setup > Storage > Online > with Elasticsearch selected, as shown here.
    1. Before Upgrade, Elasticsearch appears as:

    2. After Upgrade: Elasticsearch appears as:

    3. In the URL field, add "http://" or "https://" to your IP address. Next, select Test to confirm functionality, and select Save to save the updated settings.

     

  7. Prior to upgrading, ensure that hot node and warm node counts are both greater than the number of replicas. Failure to do so will result in Test and Save operation failure after an upgrade. This basic requirement check has been added for version 6.2.0 and later.
  8. Remember to remove the browser cache after logging on to the 6.2.0 GUI and before doing any operations.

New Data Work

  • Added OT/IoT Rules, Reports and Dashboard.

  • Added New Compliance Report - Center for Internet Security (CIS) Controls.

  • Added 615 new rules and 206 new reports to cover MITRE ATT&CK Tactics and Techniques. Many of the rules are adopted from public domain SIGMA Rules. See here for details.

  • Existing rules mapped to MITRE ATT&CK Tactics and Techniques where applicable.

  • Added Rules and Reports for Hafnium Exchange Server attack and Solarwinds Sunburst attack.

New Device Support

The following device support has been added.

  • Malwarebytes Breach Detection

  • Dragos OT Platform

  • Oracle CASB

  • Claroty

  • Corero Smartwall Threat Defense System (TDS)

  • Proofpoint

Device Support Enhancements

  • CrowdStrike integration using OAuth2 API

  • The following parsers have been updated.
    Windows: Security, Sysmon and DNS, FortiGate, FortiEDR, FortiMail, FortiDeceptor, FortiADC, FortiWeb, AWS security Hub, Sourcefire, Office365, F5BigIP, Sentinel One, Tipping Point NMS, AWS Kinesis, CiscoFTDParser, Sophos XG, Bluecoat Proxy SG Device, and Tigera Calico.

 

Bug Fixes and Minor Enhancements

The current release includes the following bug fixes and minor enhancements:

Bug ID Severity Module Description

656383

Major

App Server

Malware Hash import from a CSV file fails when the CSV file contains 75,000 or more Malware Hash entries.

684128

Major

App Server

Scheduled bundle reports fail after migration.

655781

Major

App Server

Update Malware Hash via API does not work as expected, producing "duplicate" errors.

624133

Major

App Server

Cisco Meraki log discovery does not add devices to CMDB.

695082

Major

GUI

FortiSIEM does not recognize a UEBA perpetual license, so users with a UEBA perpetual license are unable to add UEBA for their devices.

694897

Major

Inline Report Engine

For Elasticsearch cases with inline report mode set to 2, the ReportMaster memory may grow quickly.

701383

Major

Java Query Server

The Java Query Server has a file descriptor leak which may cause a loss of connection to the Elasticsearch Coordinating node.

682751

Major

Query Engine

Malware IP, Domain, and URL Group lookup performance slower than expected.

670053

Major

Rule Engine

Security incidents always indicate "System Cleared" after 24 hours, even if auto_clear_security_incidents=0 is set.

676614

Major

Rule Engine

SSL communication sockets between rule worker and rule master are not always closed properly, leading to rules not triggering.

589656

Major

Rule Engine

Rules with a pattern-based clearing condition do not always clear even if the condition is met. This is because the clear rule’s time window is sometimes read incorrectly.

645987

Minor

App Server

Scheduled CSV formatted report finishes, but is never received by a user if the "do not send scheduled email if report is empty" flag is set.

679164

Minor

App Server

Incident subcategory names are incorrectly displayed in PDF export.

668989

Minor

App Server

STIX/Taxii Integration does not work for certain websites.

671564

Minor

App Server

An empty value of Source Interface SNMP Index in Report Result causes App Server to throw NullPointerException when parsing it.

683528

Minor

App Server

After Java starts up, rule exceptions with watchlists do not take effect.

685100

Minor

App Server

Logs are unnecessarily pulled from unmanaged devices, and then dropped. This sometimes causes event pulling to lag behind.

658886

Minor

App Server

Identity and Location Tables show data from a different organization when enriched (no collector environment).

678695

Minor

App Server

An error is thrown when a user navigates to CMDB > Business Services > IT Srvc > Select the Service > Edit > Device/Application > User App.

658755

Minor

App Server

Rule exceptions do not work for Source User in LDAP group.

682184

Minor

App Server

In rare circumstances, different incidents with identical incident IDs are created.

661353

Minor

App Server

The rule test function does not work. Note: This was due to an issue when updating a rule definition or conditions.

672285

Minor

App Server

After configuring important interfaces, if the device's hostname is changed, the modification for the name change /merge does not trickle down into the important interface table.

671376

Minor

App Server

From incident notification emails, links to a specific FortiSIEM incident in the FortiSIEM GUI do not work.

674077

Minor

App Server

Sophos Central Credential Configuration shows orgs with collectors in drop-down list.

639827

Minor

App Server

The event PH_DEV_MON_LOG_DEVICE_DELAY_HIGH is not generated correctly in accordance with the thresholds defined.

670750

Minor

App Server

Data leak issue occurs on rule exceptions in Analytic Search Results against CMDB Rules. When running a query using CMDB Attributes and choosing a target RULE, the user can see the exception condition from the query result from org 1 while running a report at a different org (org 2).

662400

Minor

App Server

Excessive PH_APPSERVER_INCIDENT_UPDATE_FAILED errors occur for user names longer than 255 characters.

676038

Minor

App Server

Initial load of Redis had performance issues. This required a check against loading active inline reports with missing query ID to resolve the issue.

648730

Minor

App Server

Remediation pop up populates the "Enforce on" field with incorrect values.

672934

Minor

App Server

Cloning a rule does not copy the Watchlist Entry from the original rule.

611553

Minor

App Server

Accounts that cannot edit rules can see rule definitions in the Incidents page.

609289

Minor

App Server

API query for monitor/critical interfaces does not give correct information.

602340

Minor

App Server

LDAP/AD discovery causes a user to be removed from custom user groups.

639397

Minor

App Server

The GUI shows a negative unused device count in org if device provisioning is changed after an initial provisioning.

597456

Minor

App Server

For orgs without collectors, virtual IP entries do not prevent devices from merging.

608133

Minor

App Server

In CMDB Report Results, the "App Group Name" appears empty, even if an application is defined against a device.

659853

Minor

App Server

FortiSIEM SNMP TRAP output has a duplicate field (iso.3.6.1.4.1.35409.101.5.0).

659028

Minor

App Server

When importing a CSV file with Malware Hash, a "Full" data update does not work as expected.

630329

Minor

App Server

Radius External Authentication fails due to shared secret not getting updated in the database.

645660

Minor

App Server

From the Identity and Location Dashboard, when exporting a PDF report, the filter parameters are ignored while the report is generated.

618475

Minor

App Server

The Incident Group (e.g. Security, Availability, etc.) is missing in the exported rule XML file.

653427

Minor

App Server

Exporting a custom watchlist to CSV format fails. Note: Exporting a custom watchlist to PDF works fine.

696873

Minor

App Server

Clean up of expired watch list entries occur at 2:00 am of each day. Clean up must occur hourly.

670247

Minor

Data

Syslog from Meraki AP are miscategorized as Meraki Firewall.

672320

Minor

Data

The Incident Title is incorrect for some rules.

673177

Minor

Data

Many built-in AWS Security Hub Events reports are missing Group BY attributes.

661691

Minor

Data

"Excessive End User Mail" and "Excessive End User Mail To Unauthorized Mail Gateways" rules are generating false positive for UDP protocol. Fixed with AddTCP restriction to the two rules.

645659

Minor

Data

The Netflow/Sflow Parser does not parse Link Aggregation Control Protocol (LACP) counter sample.

658760

Minor

Data

The Windows Agent DNS Parser parses incorrectly in a few scenarios.

658990

Minor

Data

PAN OS VPN LOGIN Events are categorized under DEVICE Logon success / failed when they should be classified as VPN Logon success / failure events.

670672

Minor

Data

Tenable integration (vulnerability scanning) needs to parse more attributes, specifically CVSS Score, OS, SCSS3 Base Score, and Vulnerability Priority Rating (VPR).

686051

Minor

Discovery

When attempting to import over 200 users using a CVS file for Okta integration, the operation fails, and no errors appear in the log.

660690

Minor

GUI

When trying to display interfaces on a dashboard, the dashboard freezes when there are more than 10K interfaces for a device.

671868

Minor

GUI

In an Incident Notification policy, sometimes selected a rule or affected items are not saved.

669876

Minor

GUI

In ADMIN > Health > Collector Health > Tunnels, the “Close Tunnel” button is always inaccessible (grayed out).

617943

Minor

GUI

Removing a value from a customize device property does not reset the property to "Undefined".

663653

Minor

GUI

The Parser test fails when a regex pattern and regex tags are on different lines.

645657

Minor

GUI

Unable to sort incidents when multiple categories are selected.

655536

Minor

GUI

Email subject and rawEvents tag does not appear in the email preview pop up.

647709

Minor

GUI

In Incident Search, filter by category "Security" does not capture new Incidents without a refresh.

659851

Minor

GUI

After saving discovery entries, the list reloads and resets to the first discovery page.

604148

Minor

GUI

Integration Policy > Org Mapping , located by navigating to ADMIN > Settings > External Integration clicking New and Organization Mapping, does not handle special characters.

624771

Minor

GUI

When editing an Event Organization (ADMIN > Settings > Event Handling > Event Org Mapping), two save and two cancel buttons appear.

653753

Minor

GUI

The Identity & Location Dashboard does not refresh with the correct information.

592961

Minor

GUI

The Dashboard single line widget shows a needle below the chart graphic if stretched too long.

637722

Minor

GUI

Importing a watchlist while in Organization fails.

607810

Minor

GUI

Editing an interface forces the user to enter an IP address, even if the interface did not have one originally.

647105

Minor

GUI

In Notification Policy, the seconds and time zone region are not saved.

644186

Minor

GUI

If the user goes to the INCIDENTS > List by Time view, selects an incident, navigates to another page, and returns to the Incidents page, the selected incident position is lost.

626043

Minor

GUI

The user is logged out before the log off expiration time period elapses.

683801

Minor

Java Query Server

Elastic Search Cluster disconnects from FortiSIEM once a week.

661333

Minor

Java Query Server

Analytic search fails to retrieve the Destination and Source TCP/IP Port value from Elastic search index.

659018

Minor

Java Query Server

Elasticsearch insert sometimes fails when a raw message contains non UTF-8 characters.

698147

Minor

Java Query Server (Elasticsearch)

The Java Query Server does not properly close sockets in all cases, which can lead to its inability to communicate with the App Server.

592607

Minor

Parser

EPS Usage per node is higher than the global Used EPS.

676294

Minor

Parser

Office365 GCC High Authentication does not work due to hard coded URLs.

669837

Minor

Parser

Event Type comparison in Drop Rule needs to be case insensitive.

659180

Minor

Parser

Sometimes, excessive collector time skew is generated when the App Server is busy. This occurs when phMonitor on Collector mistakenly caches a timestamp when failing to communicate with the App Server.

670324

Minor

Parser

For Service Provider Install, the Org name in Events is not the same as the Org Association in the Credential page.

648732

Minor

Parser

AD/LDAP user details metadata is not always added to incidents.

662899

Minor

Parser

The Test Parser function with resolveDNSName does not work when DNS lookup is enabled.

635113

Minor

Parser

The Windows Parser sometimes adds reporting device metadata from DNS lookup instead of reporting it from another event.

637631

Minor

Query Engine

When you export (CSV format) from a date before a Daylight Saving Time change when Daylight Saving Time has occurred, a difference of one hour is observed.

670060

Minor

Rule Engine

Incident Exceptions do not work when time period exceptions are set for Monday and Friday.

657601

Minor

System

In phoenix_config.txt, the setting http_client_verify_peer=no changes to yes upon upgrade.

658491

Minor

System

After an Archive configuration has been set up (NFS/HDFS), ADMIN > Setup > Storage > Archive, the user is unable to clear and remove the archive from the GUI.

577821

Minor

System

In Cloud Health, workers and super always incorrectly report 100% CPU utilization.

696873

Minor

Windows Agent

After Windows Agent 4.0.0 installation, an unnecessary system reboot may occur.

607443

Enhancement

App Server

LAST (Event Receive Time) is shown in Epoch Time format for PDF export in Elastic Storage setup.

627546

Enhancement

App Server

The Incident Notification Email link needs to have Super FQDN in addition to IP.

609102

Enhancement

App Server

The PDF Report does not display Incident category name.

649588

Enhancement

App Server

Custom Device Properties cannot be queried via CMDB Report.

580110

Enhancement

App Server

In CMDB > CMDB Report, add a scope attribute to display whether a property is either system or user defined.

611929

Enhancement

Data

Enhance the Cisco Meraki Parser to handle Air Marshall events.

670414

Enhancement

Data

The CloudTrail Parser does not parse the User and User Type for event type = AWS-CloudTrail-SIGNIN-ConsoleLogin-Success.

661692

Enhancement

Data

Event Type Categorization is inconsistent for ipsec/VPN log off.

669102

Enhancement

Data

The Unix Parser doesn't handle the user attribute when the rhost field is a hostname, and not an IP.

653421

Enhancement

Data

The "Multiple admin Login Failure" rule name should be renamed as there is no indicator of admin role usage.

530467

Enhancement

Data

FortiSIEM does not detect certain event SSH/Audit events using the Unix Parser.

660734

Enhancement

Data

The Aruba Parser does not parse Event Name and causes high CPU usage.

625194

Enhancement

Data

Enhance the Windows OS Parser update to pass terminal services logs.

652184

Enhancement

Data

Support the Unix Parser with a new timestamp format.

649496

Enhancement

Data

Enhance the Windows Parser fix for Alternate UPN domain suffix support.

624070

Enhancement

Data

Parse the Cisco ASA-722051 event ID.

650998

Enhancement

Discovery

Enhance AD discovery to import Manager field if it is populated in AD.

663218

Enhancement

GUI

User input for the Report Design Cover Page is not clear. This should be improved.

673543

Enhancement

GUI

There is no user input validation in Rule Exception definition. Input validation should be implemented for Rule Exceptions.

515571

Enhancement

GUI

HourOfDay(Event Receive Time) BETWEEN / NOT BETWEEN should be supported.

611518

Enhancement

GUI

For Rule Exception, the user cannot define more than 7 time period schedules. The user should be able to define more than 7 time period schedules.

670230

Enhancement

Parser

The Event Forwarder needs to retry forwarding events if it encounters a network connection.

642389

Enhancement

Parser

Parser: compare function needs to be extended to support >= and <= operators.

586569

Enhancement

System

Monitor Raid Health should be added for 3500F and 2000F HW appliances.

 

Known Issues

Remediation Steps for CVE-2021-44228

Three FortiSIEM modules (SVNLite, phFortiInsightAI and 3rd party ThreatConnect SDK) use Apache log4j version 2.14, 2.13 and 2.8 respectively for logging purposes, and hence are vulnerable to the recently discovered Remote Code Execution vulnerability (CVE-2021-44228).

These instructions specify the steps needed to mitigate this vulnerability without upgrading Apache log4j to the latest stable version 2.16 or higher. Actions need to be taken on the Supervisor and Worker nodes only.

On Supervisor Node

  1. Logon via SSH as root.

  2. Mitigating SVNLite module:

    1. Run the script fix-svnlite-log4j2.sh (here). It will restart SVNlite module with Dlog4j2.formatMsgNoLookups=true option and print the success/failed status.

  3. Mitigating 3rd party ThreatConnect SDK module:

    1. Delete these log4j jar files under /opt/glassfish/domains/domain1/applications/phoenix/lib

      1. log4j-core-2.8.2.jar

      2. log4j-api-2.8.2.jar

      3. log4j-slf4j-impl-2.6.1.jar

  4. Mitigating phFortiInsightAI module:

    1. Delete these log4j jar files under /opt/fortiinsight-ai/lib/

      1. log4j-core-2.13.0.jar

      2. log4j-api-2.13.0.jar

  5. Restart all Java Processes by running: “killall -9 java”

On Worker Node

  1. Logon via SSH as root.

  2. Mitigating phFortiInsightAI module:

    1. Delete these log4j jar files under /opt/fortiinsight-ai/lib/

      1. log4j-core-2.13.0.jar

      2. log4j-api-2.13.0.jar

  3. Restart all Java Processes by running: “killall -9 java”

Elasticsearch

  1. With pre-compute queries via Rollup, sorting on AVG() is not supported by Elasticsearch. See here.
  2. Elasticsearch pre-compute is done using the Elasticsearch Rollup API, which requires raw events matching the pre-compute search condition be populated into a separate Elasticsearch index. This operation can become expensive if a large number of events match the pre-compute search filter condition. Fortinet recommends that the user set up a report for pre-compute only if the search filter conditions for the pre-compute interval result in less than 100K entries. This allows the pre-computed result to exactly match the adhoc report for faster operation. Specifically, follow these steps:
    1. Suppose you want to run a report in pre-compute mode, with the operation running pre-computations hourly. This means the report will be run hourly, and when a user runs for a longer interval, the pre-computed results would be combined to generate the final result.
    2. Check for pre-compute eligibility.
      1. Run the report in adhoc mode for 1 hour by removing group by conditions.
      2. If the number of rows is less than 100K, then the original report is a candidate for pre-computation.Note: This is for Elasticsearch only. If the number of results in #Bii is more than 100K, then the pre-computed results and adhoc results will be different since FortiSIEM caps the number of results retrieved via Rollup API to be less than 100K.

  3. AWS Managed Elasticsearch 7.x limits search.max_buckets to 10K. In 6.8 there was no such limit. This may cause Elasticsearch to throw an exception and not return results for aggregated queries. Contact AWS Managed Elasticsearch Support to increase search.max_buckets to a large value (recommended 10M). There is an API to change this value, but this does not work in AWS Managed Elasticsearch. Therefore you must contact AWS Managed Elasticsearch Support before running queries.
    1. For general discussion about search.max_buckets, see here.
    2. For general discussion about this issue, see here.
    3. Elasticsearch does not consistently handle sorting functions when there are NULL values. For example:
      1. AVG(): NULL values are at the bottom.
      2. MIN(): NULL values are considered to be the largest value possible, so if you choose ASC (respectively DESC) order, NULL values appear at the bottom (respectively top).
      3. MAX():NULL values are considered to be the smallest value possible, so if you choose ASC (respectively DESC) order, NULL values appear at the top (respectively bottom).
  4. Pre-compute queries do not work with the HAVING clause. Currently, the FortiSIEM GUI is preventing this operation. For public discussion about Rollup search and query scripts, see here.
  5. The HourOfDay(Event Receive Time) and DayOfWeek(Event Receive Time) calculations are incorrect if Elasticsearch and Supervisor are in different time zones.
  6. In Elasticsearch, a non-aggregated query spanning multiple display pages requires 1 open scroll context per shard. This enables the user to visit multiple pages and see the results. Elasticsearch has a (configurable) limit on open scroll contexts. This is defined in phoenix_config.txt on the Supervisor node. By default, FortiSIEM limits to 1000 open scroll contexts and each context remains open for 60 seconds, as shown.

    [BEGIN Elasticsearch]
    ...

    max_open_scroll_context=1000

    scroll_timeout=60000

    ...
    [END Elasticsearch]

    When the open scroll context limit is reached, Elasticsearch throws an exception and returns partial results. When 80% of the search context limit is reached, FortiSIEM writes a log in /opt/phoenix/log/javaQueryServer.log, as shown.

    com.accelops.elastic.server.task.ChoresTask - [PH_JAVA_QUERYSERVER_WARN]:[eventSeverity]=PHL_WARNING,[phEventCategory]=3,[procName]=javaQueryServer,[phLogDetail]=node=node236, openContexts=1000, it has 80 percent of available search contexts open

     

    • You can increase max_open_scroll_context. However, AWS Elasticsearch does not allow more than 500 open scroll contexts, and will enforce a 500 limit. Be careful in choosing very high max_open_scroll_context. It is strongly recommended to use a test instance to experiment with your number prior to production.

    • After changing max_open_scroll_context, you need to apply Test & Save from the GUI for changes to take effect. This is because max_open_scroll_context is a cluster level setting.

    • You can change scroll_timeout, but after changing this value, you must restart the Java Query Server on the Supervisor for the change to take effect.

      For Elasticsearch discussion forum information on this topic, see here.

  7. The maximum number of group by query result is 2,000 by default. You can change the setting in phoenix_config.txt on the Supervisor node by taking the following steps.
    1. Change the setting: aggregation_size=2000
    2. Restart the JavaQueryServer.

Elasticsearch Based Deployments Terms Query Limit

In Elasticsearch based deployments, queries containing "IN Group X" are handled using Elastic Terms Query. By default, the maximum number of terms that can be used in a Terms Query is set to 65,536. If a Group contains more than 65,536 entries, the query will fail.

The workaround is to change the “max_terms_count” setting for each event index. Fortinet has tested up to 1 million entries. The query response time will be proportional to the size of the group.

Case 1. For already existing indices, issue the REST API call to update the setting

PUT fortisiem-event-*/_settings
{
  "index" : {
    "max_terms_count" : "1000000"
  }
}

Case 2. For new indices that are going to be created in the future, update fortisiem-event-template so those new indices will have a higher max_terms_count setting

  1. cd /opt/phoenix/config/elastic/7.7

  2. Add "index.max_terms_count": 1000000 (including quotations) to the “settings” section of the fortisiem-event-template.

    Example:

    ...

      "settings": {
        "index.max_terms_count": 1000000,
    

    ...

  3. Navigate to ADMIN > Storage > Online and perform Test and Deploy.

  4. Test new indices have the updated terms limit by executing the following simple REST API call.

    GET fortisiem-event-*/_settings

Public Domain Built-in Rules

The following table shows the public domain built-in rules incorporated into FortiSIEM.

Rules that are adopted from the SIGMA rule set are licensed under the Detection Rule License available here.

 

 

 

FortiSIEM Rule Author Source Link

AWS CloudTrail Important Changes

vitaliy0x1

https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/
aws_cloudtrail_disable_logging.yml

AWS EC2 Userdata Download

faloker

https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/
aws_ec2_download_userdata.yml

Linux: Attempt to Disable Crowdstrike Service

Ömer Günal

https://github.com/SigmaHQ/sigma/blob/master/rules/linux/
lnx_security_tools_disabling.yml

Linux: Attempt to Disable CarbonBlack Service

Ömer Günal

https://github.com/SigmaHQ/sigma/blob/master/rules/linux/
lnx_security_tools_disabling.yml

Windows: Turla Service Install

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_apt_carbonpaper_turla.yml

Windows: StoneDrill Service Install

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_apt_stonedrill.yml

Windows: Turla PNG Dropper Service

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_apt_turla_service_png.yml

Windows: smbexec.py Service Installation

Omer Faruk Celik

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_hack_smbexec.yml

Windows: Malicious Service Installations

Florian Roth, Daniil Yugoslavskiy, oscd.community (update)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_mal_service_installs.yml

Windows: Meterpreter or Cobalt Strike Getsystem Service Installation

Teymur Kheirkhabarov, Ecco

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_meterpreter_or_cobaltstrike_getsystem_service_
installation.yml

Windows: PsExec Tool Execution

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
other/win_tool_psexec.yml

Windows: Local User Creation

Patrick Bareiss

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_user_creation.yml

Windows: Local User Creation Via Powershell

@ROxPinTeddy

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
powershell/powershell_create_local_user.yml

Windows: Local User Creation Via Net.exe

Endgame, JHasenbusch (adapted to sigma for oscd.community)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_net_user_add.yml

Windows: Suspicious ANONYMOUS LOGON Local Account Created

James Pemberton / @4A616D6573

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_local_anon_logon_created.yml

Windows: New or Renamed User Account with $ in Attribute SamAccountName

Ilyas Ochkov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_new_or_renamed_user_account_with_dollar_sign.yml

Windows: AD Privileged Users or Groups Reconnaissance

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_account_discovery.yml

Windows: Administrator and Domain Admin Reconnaissance

Florian Roth (rule), Jack Croock (method)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_net_recon_activity.yml

Windows: Access to ADMIN$ Share

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_admin_share_access.yml

Windows: Login with WMI

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_wmi_login.yml

Windows: Admin User Remote Logon

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_admin_rdp_login.yml

Windows: RDP Login from Localhost

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_rdp_localhost_login.yml

Windows: Interactive Logon to Server Systems

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_interactive_logons.yml

Windows: Pass the Hash Activity

Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_pass_the_hash.yml

Windows: Pass the Hash Activity 2

Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_pass_the_hash_2.yml

Windows: Successful Overpass the Hash Attempt

Roberto Rodriguez (source), Dominik Schaudel (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_overpass_the_hash.yml

Windows: RottenPotato Like Attack Pattern

@SBousseaden, Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_rottenpotato.yml

Windows: Hacktool Ruler

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_alert_ruler.yml

Windows: Metasploit SMB Authentication

Chakib Gzenayi (@Chak092), Hosni Mribah

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_metasploit_authentication.yml

Windows: Kerberos Manipulation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_kerberos_manipulation.yml

Windows: Suspicious Kerberos RC4 Ticket Encryption

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_rc4_kerberos.yml

Windows: Persistence and Execution at Scale via GPO Scheduled Task

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_GPO_scheduledtasks.yml

Windows: Powerview Add-DomainObjectAcl DCSync AD Extend Right

Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_account_backdoor_dcsync_rights.yml

Windows: AD Object WriteDAC Access

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_ad_object_writedac_access.yml

Windows: Active Directory Replication from Non Machine Account

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_ad_replication_non_machine_account.yml

Windows: AD User Enumeration

Maxime Thiebaut (@0xThiebaut)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_ad_user_enumeration.yml

Windows: Enabled User Right in AD to Control User Objects

@neu5ron

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_alert_active_directory_user_control.yml

Windows: Eventlog Cleared

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_eventlog_cleared.yml

Windows: MSHTA Suspicious Execution 01

Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_mshta_execution.yml

Windows: Dumpert Process Dumper

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_hack_dumpert.yml

Windows: Blue Mockingbird

Trent Liffick (@tliffick)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
malware/win_mal_blue_mockingbird.yml

Windows: Windows PowerShell Web Request

James Pemberton / @4A616D6573

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
powershell/win_powershell_web_request.yml

Windows: DNS Tunnel Technique from MuddyWater

@caliskanfurkan_

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/sysmon_apt_muddywater_dnstunnel.yml

Windows: Advanced IP Scanner Detected

@ROxPinTeddy

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_advanced_ip_scanner.yml

Windows: APT29 Detected

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_apt29_thinktanks.yml

Windows: Baby Shark Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_babyshark.yml

Windows: Judgement Panda Credential Access Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_bear_activity_gtr19.yml

Windows: Logon Scripts - UserInitMprLogonScript

Tom Ueltschi (@c_APT_ure)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/sysmon_logon_scripts
_userinitmprlogonscript_proc.yml

Windows: BlueMashroom DLL Load

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_bluemashroom.yml

Windows: Password Change on Directory Service Restore Mode DSRM Account

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_dsrm_password_change.yml

Windows: Account Tampering - Suspicious Failed Logon Reasons

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_failed_logon_reasons.yml

Windows: Backup Catalog Deleted

Florian Roth (rule), Tom U. @c_APT_ure (collection)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_backup_delete.yml

Windows: Failed Code Integrity Checks

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_codeintegrity_check_failure.yml

Windows: DHCP Server Loaded the CallOut DLL

Dimitrios Slamaris

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_dhcp_config.yml

Windows: Suspicious LDAP-Attributes Used

xknow @xknow_infosec

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_ldap_dataexchange.yml

Windows: Password Dumper Activity on LSASS

 

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_lsass_dump.yml

Windows: Generic Password Dumper Activity on LSASS

Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_lsass_dump_generic.yml

Windows: Suspicious PsExec Execution

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_psexec.yml

Windows: Suspicious Access to Sensitive File Extensions

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_raccess_sensitive_fext.yml

Windows: Secure Deletion with SDelete

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_sdelete.yml

Windows: Unauthorized System Time Modification

@neu5ron

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_time_modification.yml

Windows: Windows Defender Exclusion Set

@BarryShooshooga

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
other/win_defender_bypass.yml

Windows: Windows Pcap Driver Installed

Cian Heasley

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
other/win_pcap_drivers.yml

Windows: Weak Encryption Enabled and Kerberoast

@neu5ron

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_alert_enable_weak_encryption.yml

Windows: Remote Task Creation via ATSVC Named Pipe

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_atsvc_task.yml

Windows: Chafer Activity

Florian Roth, Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_chafer_mar18.yml

Windows: WMIExec VBS Script

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_cloudhopper.yml

Windows: CrackMapExecWin Activity

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_dragonfly.yml

Windows: Elise Backdoor

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_elise.yml

Windows: Emissary Panda Malware SLLauncher Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_emissarypanda_sep19.yml

Windows: Empire Monkey Activity

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_empiremonkey.yml

Windows: Equation Group DLL-U Load

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_equationgroup_dll_u_load.yml

Windows: EvilNum Golden Chickens Deployment via OCX Files

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_evilnum_jul20.yml

Windows: GALLIUM Artefacts Via Hash Match

Tim Burrell

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_gallium.yml

Windows: GALLIUM Artefacts Via Hash and Process Match

Tim Burrell

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_gallium.yml

Windows: Windows Credential Editor Startup

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/sysmon_hack_wce.yml

Windows: Greenbug Campaign Indicators

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_greenbug_may20.yml

Windows: Hurricane Panda Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_hurricane_panda.yml

Windows: Judgement Panda Exfiltration Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_judgement_panda_gtr19.yml

Windows: Ke3chang Registry Key Modifications

Markus Neis, Swisscom

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_ke3chang_regadd.yml

Windows: Lazarus Session Highjacker

Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_lazarus_session_highjack.yml

Windows: Mustang Panda Dropper Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_mustangpanda.yml

Windows: Defrag Deactivation

Florian Roth, Bartlomiej Czyz (@bczyz1)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_slingshot.yml

Windows: Sofacy Trojan Loader Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_sofacy.yml

Windows: Ps.exe Renamed SysInternals Tool

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_ta17_293a_ps.yml

Windows: TAIDOOR RAT DLL Load

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_taidoor.yml

Windows: TropicTrooper Campaign November 2018

@41thexplorer, Microsoft Defender ATP

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_tropictrooper.yml

Windows: Turla Group Commands May 2020

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_turla_comrat_may20.yml

Windows: Unidentified Attacker November 2018 Activity 1

@41thexplorer, Microsoft Defender ATP

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_unidentified_nov_18.yml

Windows: Unidentified Attacker November 2018 Activity 2

@41thexplorer, Microsoft Defender ATP

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_unidentified_nov_18.yml

Windows: Winnti Malware HK University Campaign

Florian Roth, Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_winnti_mal_hk_jan20.yml

Windows: Winnti Pipemon Characteristics

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_winnti_pipemon.yml

Windows: Operation Wocao Activity

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_wocao.yml

Windows: ZxShell Malware

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_zxshell.yml

Windows: Active Directory User Backdoors

@neu5ron

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_alert_ad_user_backdoors.yml

Windows: Mimikatz DC Sync

Benjamin Delpy, Florian Roth, Scott Dermott

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_dcsync.yml

Windows: Windows Event Auditing Disabled

@neu5ron

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_disable_event_logging.yml

Windows: DPAPI Domain Backup Key Extraction

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_dpapi_domain_backupkey_extraction.yml

Windows: DPAPI Domain Master Key Backup Attempt

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_dpapi_domain_masterkey_backup_attempt.yml

Windows: External Disk Drive or USB Storage Device

Keith Wright

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_external_device.yml

Windows: Possible Impacket SecretDump Remote Activity

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_impacket_secretdump.yml

Windows: Obfuscated Powershell IEX invocation

Daniel Bohannon (@Mandiant/@FireEye), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_invoke_obfuscation_obfuscated_iex_services.yml

Windows: First Time Seen Remote Named Pipe

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_lm_namedpipe.yml

Windows: LSASS Access from Non-System Account

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_lsass_access_non_system_account.yml

Windows: Credential Dumping Tools Service Execution

Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_mal_creddumper.yml

Windows: WCE wceaux dll Access

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_mal_wceaux_dll.yml

Windows: MMC20 Lateral Movement

@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_mmc20_lateral_movement.yml

Windows: NetNTLM Downgrade Attack

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_net_ntlm_downgrade.yml

Windows: Denied Access To Remote Desktop

Pushkarev Dmitry

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_not_allowed_rdp_access.yml

Windows: Possible DCShadow

Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_possible_dc_shadow.yml

Windows: Protected Storage Service Access

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_protected_storage_service_access.yml

Windows: Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Florian Roth (rule), Adam Bradbury (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_rdp_bluekeep_poc_scanner.yml

Windows: RDP over Reverse SSH Tunnel

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_rdp_reverse_tunnel.yml

Windows: Register new Logon Process by Rubeus

Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_register_new_logon_process_by_rubeus.yml

Windows: Remote PowerShell Sessions

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_remote_powershell_session.yml

Windows: Remote Registry Management Using Reg Utility

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_remote_registry_management_using_reg_utility.yml

Windows: SAM Registry Hive Handle Request

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_sam_registry_hive_handle_request.yml

Windows: SCM Database Handle Failure

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_scm_database_handle_failure.yml

Windows: SCM Database Privileged Operation

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_scm_database_privileged_operation.yml

Windows: Addition of Domain Trusts

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_add_domain_trust.yml

Windows: Addition of SID History to Active Directory Object

Thomas Patzke, @atc_project (improvements)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_add_sid_history.yml

Windows: Failed Logon From Public IP

NVISO

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_failed_logon_source.yml

Windows: Failed Logins with Different Accounts from Single Source System

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_susp_failed_logons_single_source.yml

Windows: Remote Service Activity via SVCCTL Named Pipe

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_svcctl_remote_service.yml

Windows: SysKey Registry Keys Access

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_syskey_registry_access.yml

Windows: Tap Driver Installation

Daniil Yugoslavskiy, Ian Davis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_tap_driver_installation.yml

Windows: Transferring Files with Credential Data via Network Shares

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_transferring_files_with_credential_data_via_network
_shares.yml

Windows: User Added to Local Administrators

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_user_added_to_local_administrators.yml

Windows: Failed to Call Privileged Service LsaRegisterLogonProcess

Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_user_couldnt_call_privileged_service_
lsaregisterlogonprocess.yml

Windows: Suspicious Driver Loaded By User

xknow (@xknow_infosec), xorxes (@xor_xes)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_user_driver_loaded.yml

Windows: Suspicious Driver Load from Temp

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
driver_load/sysmon_susp_driver_load.yml

Windows: File Created with System Process Name

Sander Wiebing

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_creation_system_file.yml

Windows: Credential Dump Tools Dropped Files

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_cred_dump_tools_dropped_files.yml

Windows: Detection of SafetyKatz

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_ghostpack_safetykatz.yml

Windows: LSASS Memory Dump File Creation

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_lsass_memory_dump_file_creation.yml

Windows: Microsoft Office Add-In Loading

NVISO

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_office_persistence.yml

Windows: QuarksPwDump Dump File

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_quarkspw_filedump.yml

Windows: RedMimicry Winnti Playbook Dropped File

Alexander Rausch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_redmimicry_winnti_filedrop.yml

Windows: Suspicious ADSI-Cache Usage By Unknown Tool

xknow @xknow_infosec

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_susp_adsi_cache_usage.yml

Windows: Suspicious desktop.ini Action

Maxime Thiebaut (@0xThiebaut)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_susp_desktop_ini.yml

Windows: Suspicious PROCEXP152 sys File Created In TMP

xknow (@xknow_infosec), xorxes (@xor_xes)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_susp_procexplorer_driver_created_in_tmp
_folder.yml

Windows: Hijack Legit RDP Session to Move Laterally

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_tsclient_filewrite_startup.yml

Windows: Windows Web shell Creation

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_webshell_creation_detect.yml

Windows: WMI Persistence - Script Event Consumer File Write

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/sysmon_wmi_persistence_script_event_consumer
_write.yml

Windows: Suspicious Desktopimgdownldr Target File

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
file_event/win_susp_desktopimgdownldr_file.yml

Windows: In-memory PowerShell

Tom Kern, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_in_memory_powershell.yml

Windows: PowerShell load within System Management Automation DLL

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_powershell_execution_moduleload.yml

Windows: Fax Service DLL Search Order Hijack

NVISO

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_fax_dll.yml

Windows: Possible Process Hollowing Image Loading

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_image_load.yml

Windows: .NET DLL Loaded Via Office Applications

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml

Windows: CLR DLL Loaded Via Office Applications

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_office_dotnet_clr_dll_load.yml

Windows: GAC DLL Loaded Via Office Applications

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_office_dotnet_gac_dll_load.yml

Windows: Active Directory Parsing DLL Loaded Via Office Applications

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_office_dsparse_dll_load.yml

Windows: Active Directory Kerberos DLL Loaded Via Office Applications

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_office_kerberos_dll_load.yml

Windows: VBA DLL Loaded Via Office Applications

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_winword_vbadll_load.yml

Windows: WMI DLL Loaded Via Office Applications

Michael R. (@nahamike01)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_susp_winword_wmidll_load.yml

Windows: Loading dbghelp dbgcore DLL from Suspicious Processes

Perez Diego (@darkquassar), oscd.community, Ecco

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_suspicious_dbghelp_dbgcore_load.yml

Windows: Svchost DLL Search Order Hijack

SBousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_svchost_dll_search_order_hijack.yml

Windows: Unsigned Image Loaded Into LSASS Process

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_unsigned_image_loaded_into_lsass.yml

Windows: Suspicious WMI Modules Loaded

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_wmi_module_load.yml

Windows: WMI Persistence - Command Line Event Consumer

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_wmi_persistence_commandline_event_
consumer.yml

Windows: Registry Entries Found For Azorult Malware

Trent Liffick

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
malware/mal_azorult_reg.yml

Windows: Registry Entries Found For FlowCloud Malware

NVISO

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
malware/win_mal_flowcloud.yml

Windows: Octopus Scanner Malware Detected

NVISO

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
malware/win_mal_octopus_scanner.yml

Windows: Registry Entries For Ursnif Malware

megan201296

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
malware/win_mal_ursnif.yml

Windows: Dllhost.exe Internet Connection

bartblaze

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_dllhost_net_connections.yml

Windows: Suspicious Typical Malware Back Connect Ports

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_malware_backconnect_ports.yml

Windows: Notepad Making Network Connection

EagleEye Team

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_notepad_network_connection.yml

Windows: PowerShell Network Connections

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_powershell_network_connection.yml

Windows: RDP Over Reverse SSH Tunnel

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_rdp_reverse_tunnel.yml

Windows: Regsvr32 Network Activity

Dmitriy Lifanov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_regsvr32_network_activity.yml

Windows: Remote PowerShell Session

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_remote_powershell_session
_network.yml

Windows: Rundll32 Internet Connection

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_rundll32_net_connections.yml

Windows: Network Connections From Executables in Suspicious Program Locations

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_susp_prog_location_network
_connection.yml

Windows: Outbound RDP Connections From Suspicious Executables

Markus Neis - Swisscom

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_susp_rdp.yml

Windows: Outbound Kerberos Connection From Suspicious Executables

Ilyas Ochkov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_suspicious_outbound_kerberos_connection.yml
;

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_suspicious_outbound_kerberos
_connection.yml

Windows: Microsoft Binary Github Communication

Michael Haag (idea), Florian Roth (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_win_binary_github_com.yml

Windows: Microsoft Binary Suspicious External Communication

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
network_connection/sysmon_win_binary_susp_com.yml

Windows: Data Compressed - Powershell

Timur Zinniatullin, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
powershell/powershell_data_compressed.yml

Windows: Dnscat Execution

Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
powershell/powershell_dnscat_execution.yml

Windows: PowerShell Credential Prompt

John Lambert (idea), Florian Roth (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
powershell/powershell_prompt_credentials.yml

Windows: Powershell Profile ps1 Modification

HieuTT35

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
powershell/powershell_suspicious_profile_create.yml

Windows: Credentials Dumping Tools Accessing LSASS Memory

Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_cred_dump_lsass_access.yml

Windows: Suspicious In-Memory Module Execution

Perez Diego (@darkquassar), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_in_memory_assembly_execution.yml

Windows: Suspect Svchost Memory Asccess

Tim Burrell

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_invoke_phantom.yml

Windows: Credential Dumping by LaZagne

Bhabesh Raj

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_lazagne_cred_dump_lsass_access.yml

Windows: LSASS Memory Dump

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_lsass_memdump.yml

Windows: Malware Shellcode in Verclsid Target Process

John Lambert (tech), Florian Roth (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_malware_verclsid_shellcode.yml

Windows: Mimikatz through Windows Remote Management

Patryk Prauze - ING Tech

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_access/sysmon_mimikatz_trough_winrm.yml

Windows: Turla Group Lateral Movement

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_apt_turla_commands.yml

Windows: Hiding Files with Attrib exe

Sami Ruohonen

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_attrib_hiding_files.yml

Windows: Modification of Boot Configuration

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_bootconf_mod.yml

Windows: SquiblyTwo

Markus Neis / Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_bypass_squiblytwo.yml

Windows: Change Default File Association

Timur Zinniatullin, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_change_default_file_association.yml

Windows: Cmdkey Cached Credentials Recon

jmallette

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_cmdkey_recon.yml

Windows: CMSTP UAC Bypass via COM Object Access

Nik Seetharaman

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_cmstp_com_object_access.yml

Windows: Cmd exe CommandLine Path Traversal

xknow @xknow_infosec

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_commandline_path_traversal.yml

Windows: Unusual Control Panel Items

Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_control_panel_item.yml

Windows: Copying Sensitive Files with Credential Data

Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_copying_sensitive_files_with_credential
_data.yml

Windows: Fireball Archer Malware Install

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_crime_fireball.yml

Windows: Maze Ransomware

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_crime_maze_ransomware.yml

Windows: Snatch Ransomware

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_crime_snatch_ransomware.yml

Windows: Data Compressed - rar.exe

Timur Zinniatullin, E.M. Anhaus, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_data_compressed_with_rar.yml

Windows: DNS Exfiltration and Tunneling Tools Execution

Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_dns_exfiltration_tools_execution.yml

Windows: DNSCat2 Powershell Detection Via Process Creation

Cian Heasley

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_dnscat2_powershell_implementation.yml

Windows: Encoded FromBase64String

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_encoded_frombase64string.yml

Windows: Encoded IEX

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_encoded_iex.yml

Windows: COMPlus-ETWEnabled Command Line Arguments

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_etw_modification_cmdline.yml

Windows: Disabling ETW Trace

@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_etw_trace_evasion.yml

Windows: Exfiltration and Tunneling Tools Execution

Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exfiltration_and_tunneling_tools
_execution.yml

Windows: Exploit for CVE-2015-1641

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2015_1641.yml

Windows: Exploit for CVE-2017-0261

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2017_0261.yml

Windows: Droppers Exploiting CVE-2017-11882

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2017_11882.yml

Windows: Exploit for CVE-2017-8759

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2017_8759.yml

Windows: Exploiting SetupComplete.cmd CVE-2019-1378

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2019_1378.yml

Windows: Exploiting CVE-2019-1388

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2019_1388.yml

Windows: Exploited CVE-2020-10189 Zoho ManageEngine

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2020_10189.yml

Windows: Suspicious PrinterPorts Creation CVE-2020-1048

EagleEye Team, Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2020_1048.yml

Windows: DNS RCE CVE-2020-1350

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_exploit_cve_2020_1350.yml

Windows: File/Folder Permissions Modifications Via Command line Utilities

Jakob Weinzettl, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_file_permission_modifications.yml

Windows: Grabbing Sensitive Hives via Reg Utility

Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_grabbing_sensitive_hives_via_reg.yml

Windows: Bloodhound and Sharphound Hack Tool

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hack_bloodhound.yml

Windows: Koadic Execution

wagga

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hack_koadic.yml

Windows: Rubeus Hack Tool

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hack_rubeus.yml

Windows: SecurityXploded Tool

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hack_secutyxploded.yml

Windows: HH exe Execution

E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hh_chm.yml

Windows: CreateMiniDump Hacktool

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hktl_createminidump.yml

Windows: HTML Help Shell Spawn

Maxim Pavlunin

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_html_help_spawn.yml

Windows: Suspicious HWP Sub Processes

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_hwp_exploits.yml

Windows: Impacket Lateralization Detection

Ecco

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_impacket_lateralization.yml

Windows: Indirect Command Execution

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_indirect_cmd.yml

Windows: Suspicious Debugger Registration Cmdline

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_install_reg_debugger_backdoor.yml

Windows: Interactive AT Job

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_interactive_at.yml

Windows: Invoke-Obfuscation Obfuscated IEX Invocation when to create process

Daniel Bohannon (@Mandiant/@FireEye), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_invoke_obfuscation_obfuscated_iex
_commandline.yml

Windows: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing

Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_kernel_and_3rd_party_drivers_exploits
_token_stealing.yml

Windows: MSHTA Spawned by SVCHOST

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_lethalhta.yml

Windows: Local Accounts Discovery

Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_local_system_owner_account
_discovery.yml

Windows: LSASS Memory Dumping Using procdump

E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_lsass_dump.yml

Windows: Adwind Remote Access Tool JRAT

Florian Roth, Tom Ueltschi

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mal_adwind.yml

Windows: Dridex Process Pattern

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_dridex.yml

Windows: DTRACK Malware Process Creation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_dtrack.yml

Windows: Emotet Malware Process Creation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_emotet.yml

Windows: Formbook Malware Process Creation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_formbook.yml

Windows: QBot Process Creation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_qbot.yml

Windows: Ryuk Ransomware

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
malware/win_mal_ryuk.yml
; https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_ryuk.yml

Windows: WScript or CScript Dropper

Margaritis Dimitrios (idea), Florian Roth (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_script_dropper.yml

Windows: Trickbot Malware Recon Activity

David Burkett, Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_trickbot_recon_activity.yml

Windows: WannaCry Ransomware

Florian Roth (rule), Tom U. @c_APT_ure (collection)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_malware_wannacry.yml

Windows: MavInject Process Injection

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mavinject_proc_inj.yml

Windows: Meterpreter or Cobalt Strike Getsystem Service Start

Teymur Kheirkhabarov, Ecco

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_meterpreter_or_cobaltstrike_getsystem
_service_start.yml

Windows: Mimikatz Command Line

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mimikatz_command_line.yml

Windows: MMC Spawning Windows Shell

Karneades, Swisscom CSIRT

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mmc_spawn_shell.yml

Windows: Mouse Lock Credential Gathering

Cian Heasley

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mouse_lock.yml

Windows: Mshta JavaScript Execution

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mshta_javascript.yml

Windows: MSHTA Spawning Windows Shell

Michael Haag

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_mshta_spawn_shell.yml

Windows: Quick Execution of a Series of Suspicious Commands

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_multiple_suspicious_cli.yml

Windows: Windows Network Enumeration

Endgame, JHasenbusch (ported for oscd.community)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_net_enum.yml

Windows: Netsh RDP Port Opening

Sander Wiebing

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_allow_port_rdp.yml

Windows: Netsh Port or Application Allowed

Markus Neis, Sander Wiebing

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_fw_add.yml

Windows: Netsh Program Allowed with Suspcious Location

Sander Wiebing

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_fw_add_susp_image.yml

Windows: Network Trace with netsh exe

Kutepov Anton, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_packet_capture.yml

Windows: Netsh Port Forwarding

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_port_fwd.yml

Windows: Netsh RDP Port Forwarding

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_port_fwd_3389.yml

Windows: Harvesting of Wifi Credentials Using netsh exe

Andreas Hunkeler (@Karneades)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_netsh_wifi_credential_harvesting.yml

Windows: Network Sniffing

Timur Zinniatullin, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_network_sniffing.yml

Windows: New Service Creation via sc.exe

Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_new_service_creation.yml

Windows: Non Interactive PowerShell

Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_non_interactive_powershell.yml

Windows: Microsoft Office Product Spawning Windows Shell

Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_office_shell.yml

Windows: MS Office Product Spawning Exe in User Directory

Jason Lynch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_office_spawn_exe_from_users
_directory.yml

Windows: Executable Used by PlugX in Uncommon Location

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_plugx_susp_exe_locations.yml

Windows: Possible Applocker Bypass

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_possible_applocker_bypass.yml

Windows: Detection of Possible Rotten Potato

Teymur Kheirkhabarov

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_possible_privilege_escalation_using
_rotten_potato.yml

Windows: Powershell AMSI Bypass via NET Reflection

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_amsi_bypass.yml

Windows: Audio Capture via PowerShell

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_audio_capture.yml

Windows: PowerShell Base64 Encoded Shellcode

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_b64_shellcode.yml

Windows: Suspicious Bitsadmin Job via PowerShell

Endgame, JHasenbusch (ported to sigma for oscd.community)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_bitsjob.yml

Windows: Suspicious PowerShell Execution via DLL

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_dll_execution.yml

Windows: PowerShell Downgrade Attack

Harish Segar (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_downgrade_attack.yml

Windows: Download via PowerShell URL

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_download.yml

Windows: FromBase64String Command Line

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_frombase64string.yml

Windows: Suspicious PowerShell Parameter Substring

Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_suspicious_parameter
_variation.yml

Windows: Suspicious XOR Encoded PowerShell Command Line

Sami Ruohonen, Harish Segar (improvement)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powershell_xor_commandline.yml

Windows: Default PowerSploit and Empire Schtasks Persistence

Markus Neis, @Karneades

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_powersploit_empire_schtasks.yml

Windows: Windows Important Process Started From Suspicious Parent Directories

vburov

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_proc_wrong_parent.yml

Windows: Bitsadmin Download

Michael Haag

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_process_creation_bitsadmin
_download.yml

Windows: Process Dump via Rundll32 and Comsvcs dll

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_process_dump_rundll32_comsvcs.yml

Windows: PsExec Service Start

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_psexesvc_start.yml

Windows: Query Registry

Timur Zinniatullin, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_query_registry.yml

Windows: MSTSC Shadowing

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_rdp_hijack_shadowing.yml

Windows: RedMimicry Winnti Playbook Execute

Alexander Rausch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_redmimicry_winnti_proc.yml

Windows: Remote PowerShell Session for creating process

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_remote_powershell_session_process.yml

Windows: System Time Discovery

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_remote_time_discovery.yml

Windows: Renamed Binary

Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_binary.yml

Windows: Highly Relevant Renamed Binary

Matthew Green - @mgreen27, Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_binary_highly_relevant.yml

Windows: Renamed jusched exe

Markus Neis, Swisscom

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_jusched.yml

Windows: Execution of Renamed PaExec

Jason Lynch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_paexec.yml

Windows: Renamed PowerShell

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_powershell.yml

Windows: Renamed ProcDump

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_procdump.yml

Windows: Renamed PsExec

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_renamed_psexec.yml

Windows: Run PowerShell Script from ADS

Sergey Soldatov, Kaspersky Lab, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_run_powershell_script_from_ads.yml

Windows: Possible Shim Database Persistence via sdbinst exe

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_sdbinst_shim_persistence.yml

Windows: Manual Service Execution

Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_service_execution.yml

Windows: Stop Windows Service

Jakob Weinzettl, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_service_stop.yml

Windows: Shadow Copies Access via Symlink

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_shadow_copies_access_symlink.yml

Windows: Shadow Copies Creation Using Operating Systems Utilities

Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_shadow_copies_creation.yml

Windows: Shadow Copies Deletion Using Operating Systems Utilities

Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_shadow_copies_deletion.yml

Windows: Windows Shell Spawning Suspicious Program

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_shell_spawn_susp_program.yml

Windows: SILENTTRINITY Stager Execution

Aleksey Potapov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_silenttrinity_stage_use.yml

Windows: Audio Capture via SoundRecorder

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_soundrec_audio_capture.yml

Windows: Possible SPN Enumeration

Markus Neis, keepwatch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_spn_enum.yml

Windows: Possible Ransomware or Unauthorized MBR Modifications

@neu5ron

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_bcdedit.yml

Windows: Application Allowlisting Bypass via Bginfo

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_bginfo.yml

Windows: Suspicious Calculator Usage

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_calc.yml

Windows: Possible App Allowlisting Bypass via WinDbg CDB as a Shell code Runner

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_cdb.yml

Windows: Suspicious Certutil Command

Florian Roth, juju4, keepwatch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_certutil_command.yml

Windows: Certutil Encode

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_certutil_encode.yml

Windows: Suspicious Commandline Escape

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_cli_escape.yml

Windows: Command Line Execution with Suspicious URL and AppData Strings

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_cmd_http_appdata.yml

Windows: Suspicious Code Page Switch

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_codepage_switch.yml

Windows: Reconnaissance Activity with Net Command

Florian Roth, Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_commands_recon_activity.yml

Windows: Suspicious Compression Tool Parameters

Florian Roth, Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_compression_params.yml

Windows: Process Dump via Comsvcs DLL

Modexp (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_comsvcs_procdump.yml

Windows: Copy from Admin Share

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_copy_lateral_movement.yml

Windows: Suspicious Copy From or To System32

Florian Roth, Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_copy_system32.yml

Windows: Covenant Launcher Indicators

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_covenant.yml

Windows: CrackMapExec Command Execution

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_crackmapexec_execution.yml

Windows: CrackMapExec PowerShell Obfuscation

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_crackmapexec_powershell
_obfuscation.yml

Windows: Suspicious Parent of Csc.exe

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_csc.yml

Windows: Suspicious Csc.exe Source File Folder

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_csc_folder.yml

Windows: Suspicious Curl Usage on Windows

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_curl_download.yml

Windows: Suspicious Curl File Upload

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_curl_fileupload.yml

Windows: Curl Start Combination

Sreeman

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_curl_start_combo.yml

Windows: ZOHO Dctask64 Process Injection

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_dctask64_proc_inject.yml

Windows: Suspicious Desktopimgdownldr Command

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_desktopimgdownldr.yml

Windows: Devtoolslauncher.exe Executing Specified Binary

Beyu Denis, oscd.community (rule), @_felamos (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_devtoolslauncher.yml

Windows: Direct Autorun Keys Modification

Victor Sergeev, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_direct_asep_reg_keys
_modification.yml

Windows: Disabled IE Security Features

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_disable_ie_features.yml

Windows: DIT Snapshot Viewer Use

Furkan Caliskan (@caliskanfurkan_)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_ditsnap.yml

Windows: Application Allowlisting Bypass via Dnx.exe

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_dnx.yml

Windows: Suspicious Double File Extension

Florian Roth (rule), @blu3_team (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_double_extension.yml

Windows: Application Allowlisting Bypass via Dxcap.exe

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_dxcap.yml

Windows: Suspicious Eventlog Clear or Configuration Using Wevtutil or Powershell or Wmic

Ecco, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_eventlog_clear.yml

Windows: Executables Started in Suspicious Folder

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_exec_folder.yml

Windows: Execution in Non-Executable Folder

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_execution_path.yml

Windows: Execution in Webserver Root Folder

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_execution_path_webserver.yml

Windows: Explorer Root Flag Process Tree Break

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_explorer_break_proctree.yml

Windows: Suspicious File Characteristics Due to Missing Fields

Markus Neis, Sander Wiebing

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_file_characteristics.yml

Windows: Findstr Launching lnk File

Trent Liffick

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_findstr_lnk.yml

Windows: Firewall Disabled via Netsh

Fatih Sirin

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_firewall_disable.yml

Windows: Fsutil Suspicious Invocation

Ecco, E.M. Anhaus, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_fsutil_usage.yml

Windows: Suspicious GUP.exe Usage

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_gup.yml

Windows: IIS Native-Code Module Command Line Installation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_iss_module_install.yml

Windows: Windows Defender Download Activity

Matthew Matchen

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_mpcmdrun_download.yml

Windows: Suspicious MsiExec Directory

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_msiexec_cwd.yml

Windows: MsiExec Web Install

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_msiexec_web_install.yml

Windows: Malicious Payload Download via Office Binaries

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_msoffice.yml

Windows: Net.exe Execution For Discovery

Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_net_execution.yml

Windows: Suspicious Netsh.DLL Persistence

Victor Sergeev, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_netsh_dll_persistence.yml

Windows: Invocation of Active Directory Diagnostic Tool ntdsutil exe

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_ntdsutil.yml

Windows: Application Allowlisting Bypass via DLL Loaded by odbcconf exe

Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_odbcconf.yml

Windows: OpenWith.exe Executing Specified Binary

Beyu Denis, oscd.community (rule), @harr0ey (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_openwith.yml

Windows: Suspicious Execution from Outlook

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_outlook.yml

Windows: Execution in Outlook Temp Folder

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_outlook_temp.yml

Windows: Ping Hex IP

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_ping_hex_ip.yml

Windows: Empire PowerShell Launch Parameters

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_empire_launch.yml

Windows: Empire PowerShell UAC Bypass

Ecco

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_empire_uac
_bypass.yml

Windows: Suspicious Encoded PowerShell Command Line

Florian Roth, Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_enc_cmd.yml

Windows: PowerShell Encoded Character Syntax

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_encoded_param.yml

Windows: Malicious Base64 Encoded PowerShell Keywords in Command Lines

John Lambert (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_
hidden_b64_cmd.yml

Windows: Suspicious PowerShell Invocation Based on Parent Process

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_parent_combo.yml

Windows: Suspicious PowerShell Parent Process

Teymur Kheirkhabarov, Harish Segar (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_powershell_parent_process.yml

Windows: Suspicious Use of Procdump

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_procdump.yml

Windows: Programs starting from Suspicious Location

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_prog_location_process_starts.yml

Windows: PowerShell Script Run in AppData

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_ps_appdata.yml

Windows: PowerShell DownloadFile

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_ps_downloadfile.yml

Windows: Psr.exe Capture Screenshots

Beyu Denis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_psr_capture_screenshots.yml

Windows: Rar with Password or Compression Level

@ROxPinTeddy

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_rar_flags.yml

Windows: Suspicious RASdial Activity

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_rasdial_activity.yml

Windows: Suspicious Reconnaissance Activity via net group or localgroup

Florian Roth, omkar72

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_recon_activity.yml

Windows: Suspicious Regsvr32 Usage

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_regsvr32_anomalies.yml

Windows: Regsvr32 Flags Anomaly

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_regsvr32_flags_anomaly.yml

Windows: Renamed ZOHO Dctask64

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_renamed_dctask64.yml

Windows: Renamed SysInternals Debug View

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_renamed_debugview.yml

Windows: Suspicious Process Start Locations

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_run_locations.yml

Windows: Suspicious Arguments in Rundll32 Usage

juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_rundll32_activity.yml

Windows: Suspicious DLL Call by Ordinal

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_rundll32_by_ordinal.yml

Windows: Scheduled Task Creation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_schtask_creation.yml

Windows: WSF JSE JS VBA VBE File Execution

Michael Haag

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_script_execution.yml

Windows: Suspicious Service Path Modification

Victor Sergeev, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_service_path_modification.yml

Windows: Squirrel Lolbin

Karneades / Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_squirrel_lolbin.yml

Windows: Suspicious Svchost Process

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_svchost.yml

Windows: Suspect Svchost Activity

David Burkett

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_svchost_no_cli.yml

Windows: Sysprep on AppData Folder

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_sysprep_appdata.yml

Windows: Suspicious SYSVOL Domain Group Policy Access

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_sysvol_access.yml

Windows: Taskmgr Created By Local SYSTEM Account

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_taskmgr_localsystem.yml

Windows: Process Launch from Taskmgr

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_taskmgr_parent.yml

Windows: Suspicious tscon.exe Created By Local SYSTEM Account

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_tscon_localsystem.yml

Windows: Suspicious RDP Redirect Using tscon.exe

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_tscon_rdp_redirect.yml

Windows: Suspicious Use of CSharp Interactive Console

Michael R. (@nahamike01)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_use_of_csharp_console.yml

Windows: Suspicious Userinit Child Process

Florian Roth (rule), Samir Bousseaden (idea)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_userinit_child.yml

Windows: Whoami Execution

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_whoami.yml

Windows: Suspicious WMI Execution

Michael Haag, Florian Roth, juju4

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_susp_wmi_execution.yml

Windows: Sysmon Driver Unload

Kirill Kiryanov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_sysmon_driver_unload.yml

Windows: System File Execution Location Anomaly

Florian Roth, Patrick Bareiss

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_system_exe_anomaly.yml

Windows: Tap Installer Execution

Daniil Yugoslavskiy, Ian Davis, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_tap_installer_execution.yml

Windows: Tasks Folder Evasion

Sreeman

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_task_folder_evasion.yml

Windows: Terminal Service Process Spawn

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_termserv_proc_spawn.yml

Windows: Domain Trust Discovery

E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_dsquery_domain_trust_discovery.yml
;
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_trust_discovery.yml

Windows: Bypass UAC via CMSTP

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_uac_cmstp.yml

Windows: Bypass UAC via Fodhelper.exe

E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_uac_fodhelper.yml

Windows: Bypass UAC via WSReset exe

E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_uac_wsreset.yml

Windows: Possible Privilege Escalation via Weak Service Permissions

Teymur Kheirkhabarov

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_using_sc_to_change
_sevice_image_path_by_non_admin.yml

Windows: Java Running with Remote Debugging

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_vul_java_remote_debugging.yml

Windows: Webshell Detection With Command Line Keywords

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_webshell_detection.yml

Windows: Webshell Recon Detection Via CommandLine Processes

Cian Heasley

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_webshell_recon_detection.yml

Windows: Shells Spawned by Web Servers

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_webshell_spawn.yml

Windows: Run Whoami as SYSTEM

Teymur Kheirkhabarov

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_whoami_as_system.yml

Windows: Windows 10 Scheduled Task SandboxEscaper 0-day

Olaf Hartong

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_win10_sched_task_0day.yml

Windows: WMI Backdoor Exchange Transport Agent

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_wmi_backdoor_exchange_transport
_agent.yml

Windows: WMI Persistence - Script Event Consumer

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_wmi_persistence_script_event
_consumer.yml

Windows: WMI Spawning Windows PowerShell

Markus Neis / @Karneades

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_wmi_spwns_powershell.yml

Windows: Wmiprvse Spawning Process

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_wmiprvse_spawning_process.yml

Windows: Microsoft Workflow Compiler

Nik Seetharaman

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_workflow_compiler.yml

Windows: Wsreset UAC Bypass

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/
windows/process_creation/win_wsreset_uac_bypass.yml

Windows: XSL Script Processing

Timur Zinniatullin, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
process_creation/win_xsl_script_processing.yml

Windows: Leviathan Registry Key Activity

Aidan Bracher

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_apt_leviathan.yml

Windows: OceanLotus Registry Activity

megan201296

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_apt_oceanlotus_registry.yml

Windows: Pandemic Registry Key

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_apt_pandemic.yml

Windows: Autorun Keys Modification

Victor Sergeev, Daniil Yugoslavskiy, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_asep_reg_keys_modification.yml

Windows: Suspicious New Printer Ports in Registry CVE-2020-1048

EagleEye Team, Florian Roth, NVISO

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_cve-2020-1048.yml

Windows: DHCP Callout DLL Installation

Dimitrios Slamaris

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_dhcp_calloutdll.yml

Windows: Disable Security Events Logging Adding Reg Key MiniNt

Ilyas Ochkov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_disable_security_events_logging
_adding_reg_key_minint.yml

Windows: DNS ServerLevelPluginDll Install

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_dns_serverlevelplugindll.yml

Windows: COMPlus-ETWEnabled Registry Modification

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
builtin/win_etw_modification.yml
; https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_etw_disabled.yml

Windows: Windows Credential Editor Install Via Registry

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_hack_wce_reg.yml

Windows: Logon Scripts UserInitMprLogonScript Registry

Tom Ueltschi (@c_APT_ure)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_logon_scripts_userinitmprlogonscript
_reg.yml

Windows: Narrator s Feedback-Hub Persistence

Dmitriy Lifanov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_narrator_feedback_persistance.yml

Windows: New DLL Added to AppCertDlls Registry Key

Ilyas Ochkov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_new_dll_added_to_appcertdlls_registry
_key.yml

Windows: New DLL Added to AppInit-DLLs Registry Key

Ilyas Ochkov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_new_dll_added_to_appinit_dlls_registry
_key.yml

Windows: Possible Privilege Escalation via Service Permissions Weakness

Teymur Kheirkhabarov

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_possible_privilege_escalation_via
_service_registry_permissions_weakness.yml

Windows: RDP Registry Modification

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_rdp_registry_modification.yml

Windows: RDP Sensitive Settings Changed

Samir Bousseaden

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_rdp_settings_hijack.yml

Windows: RedMimicry Winnti Playbook Registry Manipulation

Alexander Rausch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_redmimicry_winnti_reg.yml

Windows: Office Security Settings Changed

Trent Liffick (@tliffick)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_reg_office_security.yml

Windows: Windows Registry Persistence COM Key Linking

Kutepov Anton, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_registry_persistence_key_linking.yml

Windows: Windows Registry Persistence COM Search Order Hijacking

Maxime Thiebaut (@0xThiebaut)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_registry_persistence_search_order.yml

Windows: Windows Registry Trust Record Modification

Antonlovesdnb

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_registry_trust_record_modification.yml

Windows: Security Support Provider SSP Added to LSA Configuration

iwillkeepwatch

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_ssp_added_lsa_config.yml

Windows: Sticky Key Like Backdoor Usage

Florian Roth, @twjackomo

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_stickykey_like_backdoor.yml

Windows: Suspicious RUN Key from Download

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_susp_download_run_key.yml

Windows: DLL Load via LSASS

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_susp_lsass_dll_load.yml

Windows: Suspicious Camera and Microphone Access

Den Iuzvyk

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_susp_mic_cam_access.yml

Windows: Registry Persistence via Explorer Run Key

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_susp_reg_persist_explorer_run.yml

Windows: New RUN Key Pointing to Suspicious Folder

Florian Roth, Markus Neis, Sander Wiebing

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_susp_run_key_img_folder.yml

Windows: Suspicious Service Installed

xknow (@xknow_infosec), xorxes (@xor_xes)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_susp_service_installed.yml

Windows: Suspicious Keyboard Layout Load

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_suspicious_keyboard_layout_load.yml

Windows: Usage of Sysinternals Tools

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_sysinternals_eula_accepted.yml

Windows: UAC Bypass via Event Viewer

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_uac_bypass_eventvwr.yml

Windows: UAC Bypass via Sdclt

Omer Yampel

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_uac_bypass_sdclt.yml

Windows: Registry Persistence Mechanisms

Karneades

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_win_reg_persistence.yml

Windows: Azure Browser SSO Abuse

Den Iuzvyk

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
image_load/sysmon_abusing_azure_browser_sso.yml

Windows: Executable in ADS

Florian Roth, @0xrawsec

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_ads_executable.yml

Windows: Alternate PowerShell Hosts Pipe

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_alternate_powershell_hosts_pipe.yml

Windows: Turla Group Named Pipes

Markus Neis

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_apt_turla_namedpipes.yml

Windows: CactusTorch Remote Thread Creation

@SBousseaden (detection), Thomas Patzke (rule)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_cactustorch.yml

Windows: CMSTP Execution

Nik Seetharaman

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
registry_event/sysmon_cmstp_execution.yml

Windows: CobaltStrike Process Injection

Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_cobaltstrike_process_injection.yml

Windows: CreateRemoteThread API and LoadLibrary

Roberto Rodriguez @Cyb3rWard0g

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_createremotethread_loadlibrary.yml

Windows: Cred Dump Tools Via Named Pipes

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_cred_dump_tools_named_pipes.yml

Windows: Malicious Named Pipe

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_mal_namedpipes.yml

Windows: Password Dumper Remote Thread in LSASS

Thomas Patzke

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_password_dumper_lsass.yml

Windows: Possible DNS Rebinding

Ilyas Ochkov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_possible_dns_rebinding.yml

Windows: Raw Disk Access Using Illegitimate Tools

Teymur Kheirkhabarov, oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml

Windows: PowerShell Rundll32 Remote Thread Creation

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_susp_powershell_rundll32.yml

Windows: Suspicious Remote Thread Created

Perez Diego (@darkquassar), oscd.community

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_suspicious_remote_thread.yml

Windows: WMI Event Subscription

Tom Ueltschi (@c_APT_ure)

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_wmi_event_subscription.yml

Windows: Suspicious Scripting in a WMI Consumer

Florian Roth

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/
sysmon/sysmon_wmi_susp_scripting.yml


This document describes new and enhanced features for the FortiSIEM 6.2.0 (build) release.

New Features

MITRE ATT&CK Framework Support

The MITRE ATT&CK framework is defined as a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk. This release adds comprehensive support for the MITRE ATT&CK framework. The currently supported version is 0.8. This release provides the following features:

  • Ability to associate a MITRE technique to a FortiSIEM (built in or custom) rule

  • Over 950 built in rules to detect a wide variety of MITRE techniques

  • Ability to assign techniques and tactics to Rules and search incidents by techniques and tactics

  • ATT&CK Rule Coverage Dashboard that displays rules associated with a tactic or technique

  • ATT&CK Incident Coverage Dashboard that displays incidents associated with a tactic or technique

  • Enhanced ATT&CK Incident Explorer Dashboard that provides a host centric view of hosts triggering various techniques and tactics.

For information on defining a technique to a rule, see Technique in Step 3: Define Actions in Creating a Rule.

For information on searching incidents by technique or tactic, see Searching for MITRE ATT&CK Incidents.

For Rule Coverage Dashboard information, see Rule Coverage View.

For Incident Coverage Dashboard information, see Incident Coverage View.

Note: Attack View in 6.1.x, is now the MITRE ATT&CK Incident Explorer View in 6.2.x.

Pre-computed Queries

Aggregated searches with large time windows can be expensive, specially in a high EPS environment. This release enables you to set up pre-computation schedules. FortiSIEM will pre-compute search results at user specified intervals, enabling users to run faster searches against pre-computed results.

This feature was introduced for FortiSIEM EventDB in Release 5.3.3 and has been ported over to this release. In addition, pre-computation using Elasticsearch is also supported in this release using Elasticsearch Rollup functionality. For details, see here.

There are two limitations for Elasticsearch based pre-computation:

  1. Pre-computation is available only from the time the schdule is defined. Unlike FortiSIEM EventDB, the system does not pre-compute historial results. This limitation is a results of the Elasticsearch APIs.

  2. Because Elasticsearch does roll up in a different index, pre-computation based search results may differ significantly from regular search results if the number of events matching the filter condition for the specified pre-computation interval exceeds 100K. Fortinet recommends users to first run the pre-computation query over the interval and make sure that the number of results is less than 100K.

For details on setting up pre-computed searches, see Setting Up Pre-computation.

Incident Remediation Workflow

Currently, any FortiSIEM user with Write permission to the Incident page can remediate an incident by running remediation scripts. In this release, a role permission is introduced to provide finer control over a user who can remediate an incident immediately and a user who requires approval to remediate an incident. The general workflow follows:

  • Full Admin users set up Incident remediation roles and users

    • Role and users who can remediate an incident, and role and users who must get approval to remediate an incident

    • Role and users who can approve incident remediation approval requests.

  • A user that cannot remediate an incident can request permission to remediate.

  • Once an approver approves the request, the user can then remediate the incident.

For details on setting up remediation roles, see steps 6 and 7 in Adding a New Role.

For details on remediating incidents using workflow, see Creating a Remediation action.

For details on approver handling requests, see Approving a de-anonymization request.

An example setup workflow is provided here.

External Authentication via SAML

Currently, FortiSIEM users can be authenticated as (a) local authentication, (b) external authentication via Active Directory or LDAP, and (c) Single Sign On via OKTA. This release generalizes OKTA based authenication to external authentication via Security Association Markup Language (SAML).

A user must first create an External Authentication entry via SAML in FortiSIEM. If the SAML Identity Provide provides Role information, the user has to map the SAML Role to the FortiSIEM Role. Otherwise, the user has to manually define the FortiSIEM Role for SAML users. A role is required for a user to be able to log in to FortiSIEM.

For details, see Configuring FortiSIEM for SAML Overview.

Scale Out UEBA and State Persistence

This release adds two enhancements.

  • Scale out design - The AI module now runs on Super and Worker nodes. All Agent activity is routed to one node in a sticky manner. If a Worker is down, Agent events are routed to another Worker. If a Worker is added, then new Agents are routed to that Worker.

  • Persistence – AI models are now persisted across AI module restarts.

For information on setting up UEBA, see here.

Key Enhancements

Elasticsearch Enhancements

This release adds the following enhancements to FortiSIEM Elasticsearch support.

  • Support for Elastic Cloud

  • Support for Elasticsearch version 7.8. - See the Elasticsearch table for version support in each deployment.

  • Support for Cold Data Node – in this node, indices are frozen and saved to disk, thereby saving heap memory. Data can be moved from Hot to Warm to Cold data nodes, either based on disk space, or time duration using the Elasticsearch index lifecycle management (ILM) feature. This allows more event storage in Cold Data Nodes since the heap memory constraint is eliminated. Regardless of the node type, events can be queried wherever they reside. When a query hits Cold nodes, further queries run a bit slower since the indices have to be loaded to memory. This feature is not available on AWS Elasticsearch Service and Elastic Cloud. General workflow information is available here.

  • Age based Retention/Index Lifecycle Management (ILM) – in earlier releases, disk thresholds could be specified to determine when data would move from Hot to Cold node. In this release, the number of days can be specified for each data node type. FortiSIEM will move data from Hot to Warm to Cold based on space thresholds or time duration limit, whichever occurs first. This feature is not available on AWS Elasticsearch Service and Elastic Cloud. Retention configuration details are available here. Default setting information is available here.

  • Queries with multi-field term aggregation is now sorted. For example, when the Group By and Display Fields option is used for "Reporting IP" and "Reporting Device" using "COUNT(Matched Events)" in descending (DESC) order, the count appears in descending order.

  • Support for Java Transport Client API is removed.

  • With Elasticsearch 7.x, the index refresh rate is reduced to 15 seconds. This enables users to search all data, except for the last 15 seconds. Choosing an even lower index refresh rate may lower the event indexing speed.

There are 3 distinct Elasticsearch deployments. This table shows the versions and features supported for each deployment type. Please also see the list of Elasticsearch related known issues in Known Issues and in the Appendix.

Elasticsearch Deployment

Supported Versions

API (Insertion and Search)

Supported Data Node Types

Disk Space based Retention

Age based retention (ILM)

Self-Managed (On-Prem or Hosted) 5.6, 6.4, 6.8, 7.8 REST Hot, Warm, Cold Yes Yes (6.8 and above)
AWS Elasticsearch Service 6.8, 7.8 REST N/A Yes No
Elastic Cloud 6.8 REST N/A Yes No

 

Real Time Archive for Elasticsearch

For Elasticsearch deployments, users can choose NFS or HDFS as Archive. Currently, when Elasticsearch disk space capacity is close to full, events are read from Elasticsearch and then archived to NFS or HDFS. For high EPS scenarios, this can be a very expensive operation and may impact Elasticsearch cluster performance.

In this release, users can choose to store events to both Elasticsearch and Archive (NFS or HDFS) in parallel, when the event arrives to FortiSIEM. Events are stored in two stores at the same time, but this reduces the need to archive when Elasticsearch disk space is full or Index Life-cycle Management (ILM) policies kick in. At that time, data is simply purged from Elasticsearch, which is an inexpensive operation.

For details on how to set up Real time Archive for Elasticsearch, see Setting Up the Database (NFS) or Setting Up the Database (HDFS).

SVN-lite for Storing Monitored Files

FortiSIEM can detect file changes in network devices and servers. In earlier releases, these files were stored in SVN. Since SVN stores incremental changes, older files could not be deleted, even when the device is deleted.

In this release, a new SVN-lite service is introduced to manage files. From a user perspective, there is no change except that a user is able to delete files from the GUI. Files are also automatically deleted when a device is deleted. When upgrading from earlier releases to 6.2.0, older files are migrated from SVN to SNV-lite format.

For details on where you can delete files, see the table in Viewing Device Information.

A few implementation notes:

  • Files are stored in /svn/repos. Files are organized by ordId and then deviceId. deviceId is teh PostgreSQL Device Id. To conserve disk space, a limited number of file revisions are kept based on the following threholds defined in /opt/phoenix/config/svnlite.properties on the Supervisor node.

    svnlite.store.dir = /svn/repos
    svnlite.revisions.keep = 100
    svnlite.revisions .purge = 5

     

    svnlite.revisions.keep defines how many revisions are kept for each file. Older revisions are automatically deleted. svnlite.revisions.purge defines how many files are deleted at a time when the upper limit of svnlite.revisions.keep is reached.

     

  • During a 6.2.0 upgrade, up to 100 revisions of each file are migrated to SVN-lite.

Windows Agent 4.1 Enhancements

This release adds the following enhancements for Windows Agent.

  • Agent will restart automatically after 1 minute if it is killed. See here.

  • Service protection – A user cannot Stop/Restart/Pause the agent from Service Manager. See here.

  • Users can change the logging level without restarting service by changing the registry key. See here for more information. Registry key instructions follow:

    • Open HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent key

    • To update with trace logging, modify “LogLevel” value to “2” from “1”.

    • To update with debug logging, modify “LogLevel” value to “1” from “2”.

  • The Agent Database is used to store Agent configuration parameters and to store events when connectivity to collectors is lost. The default size for your Agent Database is 1GB. This can be changed by modifying the MaxDBSizeInMB entry in your Registry Editor. See here for more information.

Details are documented in Configuring Windows Agent.

Event Forwarding from Super/Worker

FortiSIEM can forward the events it receives to a third party system. Normally, events are forwarded by the node (Worker, Collector, Super) that parsed the event. This release allows you to force events to only be forwarded by Workers (and Super). Users can choose this as part of their Event Forwarding policy, see here.

Super Global Dashboard

This release adds the concept of a Super Global dashboard that is only available for Super Global users in service provider installations. All regular dashboards are now only available as Organization level. Super Global users can define their own dashboards that are only visible for Super Global users.

Windows and Linux Agent Health Dashboard

This release provides a separate health dashboard for FortiSIEM agents. See ADMIN > Health > Agent Health. For details, see here.

Note: If you've upgraded your FortiSIEM to 6.2.0 from an older version, the dashboard will show an inaccurate agent version, or no version. You will need to re-install your agents with a new version after upgrading FortiSIEM to 6.2.0 to resolve this issue. If an old version is installed for an agent, the dashboard will still show no version or an inaccurate version for that agent. See Linux and/or Windows Agent guides for uninstall and installation steps. Upgrading your collectors to 6.2.0 is recommended (please see the FortiSIEM Version Compatibility Matrix for details).

Ability to Activate or Deactivate Multiple Rules with One Click

Users often need to activate or deactivate all rules in one folder, and could only perform this action on individual rules. This release enables users to activate or deactivate multiple rules in one click.

For details, see Activating/Deactivating Multiple Rules.

System Upgrade

This release includes several third party software upgrades - CentOS 8.3, PostgreSQL 13.2, Glassfish 5.0, JDK 1.8.0_272, php 7.4, nodejs 14.15.0, Hibernate 5, and Apache 2.4.37 (patched by Redhat).

Upgrade Overview

For software installations, the upgrade path is pre-5.3.0->5.4.0->6.1.1->6.2.0.
Specifically:

  • From pre-5.3.0 releases, first upgrade to 5.4.0, then migrate to 6.1.1, and then upgrade to 6.2.0.

  • From 5.4.0, migrate to 6.1.1, and then upgrade to 6.2.0.

  • If you are running 6.1.0, 6.1.1, or 6.1.2, then upgrade to 6.2.0.

For hardware installations, 6.1.1 is not available, so the migration path is pre-5.3.0->5.4.0->6.1.2->6.2.0.
Specifically:

  • From pre-5.3.0 releases, first upgrade to 5.4.0, then migrate to 6.1.2, and then upgrade to 6.2.0.

  • From 5.4.0, migrate to 6.1.2, and then upgrade to 6.2.0.

  • If you are running 6.1.2, then upgrade to 6.2.0.

These steps are documented in detail in the Upgrade Guide.

Points to consider before upgrade:

  1. For your Supervisor and Worker, do not use the upgrade menu item in configFSM.sh to upgrade from 6.1.x to 6.2.0. This is deprecated, so it will not work. Use the new method as instructed in the Upgrade Guide.
  2. The 6.2.0 upgrade will attempt to migrate existing SVN files (stored in /svn) from the old svn format to the new svn-lite format. During this process, it will first export /svn to /opt and then import them back to /svn in the new svn-lite format. If your /svn uses a large amount of disk space, and /opt does not have enough disk space left, then migration will fail. Fortinet recommends doing the following steps before upgrading:
    • Check /svn usage
    • Check if there is enough disk space left in /opt to accommodate /svn
    • Expand /opt by the size of /svn
    • Begin upgrade

    Steps for expanding /opt disk:

    1. Go to the Hypervisor and increase the /opt disk by the size of /svn disk

    2. # ssh into the supervisor as root

    3. # lsblk

      NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      ...
      sdb           8:16   0  100G  0 disk            << old size
      ├─sdb1        8:17   0 22.4G  0 part [SWAP]
      └─sdb2        8:18   0 68.9G  0 part /opt
            ...
      
    4. # yum -y install cloud-utils-growpart gdisk

    5. # growpart /dev/sdb 2
      CHANGED: partition=2 start=50782208 old: size=144529408 end=195311616 new: size=473505759 end=524287967

    6. # lsblk

      Changed the size to 250GB for example:
      #lsblk
      NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      ...
      sdb           8:16   0  250G  0 disk            <<< NOTE the new size for the disk in /opt
      ├─sdb1        8:17   0 22.4G  0 part [SWAP]
      └─sdb2        8:18   0 68.9G  0 part /opt
      ...
      

       

    7. # xfs_growfs /dev/sdb2

      meta-data=/dev/sdb2              isize=512    agcount=4, agsize=4516544 blks
               =                       sectsz=512   attr=2, projid32bit=1
               =                       crc=1        finobt=1, sparse=1, rmapbt=0
               =                       reflink=1
      data     =                       bsize=4096   blocks=18066176, imaxpct=25
               =                       sunit=0      swidth=0 blks
      naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
      log      =internal log           bsize=4096   blocks=8821, version=2
               =                       sectsz=512   sunit=0 blks, lazy-count=1
      realtime =none                   extsz=4096   blocks=0, rtextents=0
      data blocks changed from 18066176 to 59188219
      
    8. # df -hz

      Filesystem           Size  Used Avail Use% Mounted on
      ...
      /dev/sdb2            226G  6.1G  220G   3% /  << NOTE the new disk size
      
  3. If you are using AWS Elasticsearch, then after upgrading to 6.2.0, take the following steps:
    1. Go to ADMIN > Setup > Storage> Online.
    2. Select "ES-type" and re-enter the credential.
  4. In 6.1.x releases, new 5.x collectors could not register to the Supervisor. This restriction has been removed in 6.2.0 so long as the Supervisor is running in non-FIPS mode. However, 5.x collectors are not recommended since CentOS 6 has been declared End of Life.
  5. If you have more than 5 Workers, Fortinet recommends using at least 16 vCPU for the Supervisor and to increase the number of notification threads for RuleMaster. To do this, SSH to the Supervisor and take the following steps:
    1. Modify the phoenix_config.txt file, located at /opt/phoenix/config/ with

      #notification will open threads to accept connections
      #FSM upgrade preserves customer changes to the parameter value
      #notification_server_thread_num=50

      Note: The default notification_server_thread_num is 20.
    2. Restart phRuleMaster.
  6. Upgrading Elasticsearch Transport Client usage - The Transport Client option has been removed as Elasticsearch no longer supports that client. If you are using Transport Client in pre-6.2.0, you will need to modify the existing URL by adding "http://" or "https://" in front of the URL field after upgrading, as displayed in ADMIN > Setup > Storage > Online > with Elasticsearch selected, as shown here.
    1. Before Upgrade, Elasticsearch appears as:

    2. After Upgrade: Elasticsearch appears as:

    3. In the URL field, add "http://" or "https://" to your IP address. Next, select Test to confirm functionality, and select Save to save the updated settings.

     

  7. Prior to upgrading, ensure that hot node and warm node counts are both greater than the number of replicas. Failure to do so will result in Test and Save operation failure after an upgrade. This basic requirement check has been added for version 6.2.0 and later.
  8. Remember to remove the browser cache after logging on to the 6.2.0 GUI and before doing any operations.

New Data Work

  • Added OT/IoT Rules, Reports and Dashboard.

  • Added New Compliance Report - Center for Internet Security (CIS) Controls.

  • Added 615 new rules and 206 new reports to cover MITRE ATT&CK Tactics and Techniques. Many of the rules are adopted from public domain SIGMA Rules. See here for details.

  • Existing rules mapped to MITRE ATT&CK Tactics and Techniques where applicable.

  • Added Rules and Reports for Hafnium Exchange Server attack and Solarwinds Sunburst attack.

New Device Support

The following device support has been added.

  • Malwarebytes Breach Detection

  • Dragos OT Platform

  • Oracle CASB

  • Claroty

  • Corero Smartwall Threat Defense System (TDS)

  • Proofpoint

Device Support Enhancements

  • CrowdStrike integration using OAuth2 API

  • The following parsers have been updated.
    Windows: Security, Sysmon and DNS, FortiGate, FortiEDR, FortiMail, FortiDeceptor, FortiADC, FortiWeb, AWS security Hub, Sourcefire, Office365, F5BigIP, Sentinel One, Tipping Point NMS, AWS Kinesis, CiscoFTDParser, Sophos XG, Bluecoat Proxy SG Device, and Tigera Calico.

 

Bug Fixes and Minor Enhancements

The current release includes the following bug fixes and minor enhancements:

Bug ID Severity Module Description

656383

Major

App Server

Malware Hash import from a CSV file fails when the CSV file contains 75,000 or more Malware Hash entries.

684128

Major

App Server

Scheduled bundle reports fail after migration.

655781

Major

App Server

Update Malware Hash via API does not work as expected, producing "duplicate" errors.

624133

Major

App Server

Cisco Meraki log discovery does not add devices to CMDB.

695082

Major

GUI

FortiSIEM does not recognize a UEBA perpetual license, so users with a UEBA perpetual license are unable to add UEBA for their devices.

694897

Major

Inline Report Engine

For Elasticsearch cases with inline report mode set to 2, the ReportMaster memory may grow quickly.

701383

Major

Java Query Server

The Java Query Server has a file descriptor leak which may cause a loss of connection to the Elasticsearch Coordinating node.

682751

Major

Query Engine

Malware IP, Domain, and URL Group lookup performance slower than expected.

670053

Major

Rule Engine

Security incidents always indicate "System Cleared" after 24 hours, even if auto_clear_security_incidents=0 is set.

676614

Major

Rule Engine

SSL communication sockets between rule worker and rule master are not always closed properly, leading to rules not triggering.

589656

Major

Rule Engine

Rules with a pattern-based clearing condition do not always clear even if the condition is met. This is because the clear rule’s time window is sometimes read incorrectly.

645987

Minor

App Server

Scheduled CSV formatted report finishes, but is never received by a user if the "do not send scheduled email if report is empty" flag is set.

679164

Minor

App Server

Incident subcategory names are incorrectly displayed in PDF export.

668989

Minor

App Server

STIX/Taxii Integration does not work for certain websites.

671564

Minor

App Server

An empty value of Source Interface SNMP Index in Report Result causes App Server to throw NullPointerException when parsing it.

683528

Minor

App Server

After Java starts up, rule exceptions with watchlists do not take effect.

685100

Minor

App Server

Logs are unnecessarily pulled from unmanaged devices, and then dropped. This sometimes causes event pulling to lag behind.

658886

Minor

App Server

Identity and Location Tables show data from a different organization when enriched (no collector environment).

678695

Minor

App Server

An error is thrown when a user navigates to CMDB > Business Services > IT Srvc > Select the Service > Edit > Device/Application > User App.

658755

Minor

App Server

Rule exceptions do not work for Source User in LDAP group.

682184

Minor

App Server

In rare circumstances, different incidents with identical incident IDs are created.

661353

Minor

App Server

The rule test function does not work. Note: This was due to an issue when updating a rule definition or conditions.

672285

Minor

App Server

After configuring important interfaces, if the device's hostname is changed, the modification for the name change /merge does not trickle down into the important interface table.

671376

Minor

App Server

From incident notification emails, links to a specific FortiSIEM incident in the FortiSIEM GUI do not work.

674077

Minor

App Server

Sophos Central Credential Configuration shows orgs with collectors in drop-down list.

639827

Minor

App Server

The event PH_DEV_MON_LOG_DEVICE_DELAY_HIGH is not generated correctly in accordance with the thresholds defined.

670750

Minor

App Server

Data leak issue occurs on rule exceptions in Analytic Search Results against CMDB Rules. When running a query using CMDB Attributes and choosing a target RULE, the user can see the exception condition from the query result from org 1 while running a report at a different org (org 2).

662400

Minor

App Server

Excessive PH_APPSERVER_INCIDENT_UPDATE_FAILED errors occur for user names longer than 255 characters.

676038

Minor

App Server

Initial load of Redis had performance issues. This required a check against loading active inline reports with missing query ID to resolve the issue.

648730

Minor

App Server

Remediation pop up populates the "Enforce on" field with incorrect values.

672934

Minor

App Server

Cloning a rule does not copy the Watchlist Entry from the original rule.

611553

Minor

App Server

Accounts that cannot edit rules can see rule definitions in the Incidents page.

609289

Minor

App Server

API query for monitor/critical interfaces does not give correct information.

602340

Minor

App Server

LDAP/AD discovery causes a user to be removed from custom user groups.

639397

Minor

App Server

The GUI shows a negative unused device count in org if device provisioning is changed after an initial provisioning.

597456

Minor

App Server

For orgs without collectors, virtual IP entries do not prevent devices from merging.

608133

Minor

App Server

In CMDB Report Results, the "App Group Name" appears empty, even if an application is defined against a device.

659853

Minor

App Server

FortiSIEM SNMP TRAP output has a duplicate field (iso.3.6.1.4.1.35409.101.5.0).

659028

Minor

App Server

When importing a CSV file with Malware Hash, a "Full" data update does not work as expected.

630329

Minor

App Server

Radius External Authentication fails due to shared secret not getting updated in the database.

645660

Minor

App Server

From the Identity and Location Dashboard, when exporting a PDF report, the filter parameters are ignored while the report is generated.

618475

Minor

App Server

The Incident Group (e.g. Security, Availability, etc.) is missing in the exported rule XML file.

653427

Minor

App Server

Exporting a custom watchlist to CSV format fails. Note: Exporting a custom watchlist to PDF works fine.

696873

Minor

App Server

Clean up of expired watch list entries occur at 2:00 am of each day. Clean up must occur hourly.

670247

Minor

Data

Syslog from Meraki AP are miscategorized as Meraki Firewall.

672320

Minor

Data

The Incident Title is incorrect for some rules.

673177

Minor

Data

Many built-in AWS Security Hub Events reports are missing Group BY attributes.

661691

Minor

Data

"Excessive End User Mail" and "Excessive End User Mail To Unauthorized Mail Gateways" rules are generating false positive for UDP protocol. Fixed with AddTCP restriction to the two rules.

645659

Minor

Data

The Netflow/Sflow Parser does not parse Link Aggregation Control Protocol (LACP) counter sample.

658760

Minor

Data

The Windows Agent DNS Parser parses incorrectly in a few scenarios.

658990

Minor

Data

PAN OS VPN LOGIN Events are categorized under DEVICE Logon success / failed when they should be classified as VPN Logon success / failure events.

670672

Minor

Data

Tenable integration (vulnerability scanning) needs to parse more attributes, specifically CVSS Score, OS, SCSS3 Base Score, and Vulnerability Priority Rating (VPR).

686051

Minor

Discovery

When attempting to import over 200 users using a CVS file for Okta integration, the operation fails, and no errors appear in the log.

660690

Minor

GUI

When trying to display interfaces on a dashboard, the dashboard freezes when there are more than 10K interfaces for a device.

671868

Minor

GUI

In an Incident Notification policy, sometimes selected a rule or affected items are not saved.

669876

Minor

GUI

In ADMIN > Health > Collector Health > Tunnels, the “Close Tunnel” button is always inaccessible (grayed out).

617943

Minor

GUI

Removing a value from a customize device property does not reset the property to "Undefined".

663653

Minor

GUI

The Parser test fails when a regex pattern and regex tags are on different lines.

645657

Minor

GUI

Unable to sort incidents when multiple categories are selected.

655536

Minor

GUI

Email subject and rawEvents tag does not appear in the email preview pop up.

647709

Minor

GUI

In Incident Search, filter by category "Security" does not capture new Incidents without a refresh.

659851

Minor

GUI

After saving discovery entries, the list reloads and resets to the first discovery page.

604148

Minor

GUI

Integration Policy > Org Mapping , located by navigating to ADMIN > Settings > External Integration clicking New and Organization Mapping, does not handle special characters.

624771

Minor

GUI

When editing an Event Organization (ADMIN > Settings > Event Handling > Event Org Mapping), two save and two cancel buttons appear.

653753

Minor

GUI

The Identity & Location Dashboard does not refresh with the correct information.

592961

Minor

GUI

The Dashboard single line widget shows a needle below the chart graphic if stretched too long.

637722

Minor

GUI

Importing a watchlist while in Organization fails.

607810

Minor

GUI

Editing an interface forces the user to enter an IP address, even if the interface did not have one originally.

647105

Minor

GUI

In Notification Policy, the seconds and time zone region are not saved.

644186

Minor

GUI

If the user goes to the INCIDENTS > List by Time view, selects an incident, navigates to another page, and returns to the Incidents page, the selected incident position is lost.

626043

Minor

GUI

The user is logged out before the log off expiration time period elapses.

683801

Minor

Java Query Server

Elastic Search Cluster disconnects from FortiSIEM once a week.

661333

Minor

Java Query Server

Analytic search fails to retrieve the Destination and Source TCP/IP Port value from Elastic search index.

659018

Minor

Java Query Server

Elasticsearch insert sometimes fails when a raw message contains non UTF-8 characters.

698147

Minor

Java Query Server (Elasticsearch)

The Java Query Server does not properly close sockets in all cases, which can lead to its inability to communicate with the App Server.

592607

Minor

Parser

EPS Usage per node is higher than the global Used EPS.

676294

Minor

Parser

Office365 GCC High Authentication does not work due to hard coded URLs.

669837

Minor

Parser

Event Type comparison in Drop Rule needs to be case insensitive.

659180

Minor

Parser

Sometimes, excessive collector time skew is generated when the App Server is busy. This occurs when phMonitor on Collector mistakenly caches a timestamp when failing to communicate with the App Server.

670324

Minor

Parser

For Service Provider Install, the Org name in Events is not the same as the Org Association in the Credential page.

648732

Minor

Parser

AD/LDAP user details metadata is not always added to incidents.

662899

Minor

Parser

The Test Parser function with resolveDNSName does not work when DNS lookup is enabled.

635113

Minor

Parser

The Windows Parser sometimes adds reporting device metadata from DNS lookup instead of reporting it from another event.

637631

Minor

Query Engine

When you export (CSV format) from a date before a Daylight Saving Time change when Daylight Saving Time has occurred, a difference of one hour is observed.

670060

Minor

Rule Engine

Incident Exceptions do not work when time period exceptions are set for Monday and Friday.

657601

Minor

System

In phoenix_config.txt, the setting http_client_verify_peer=no changes to yes upon upgrade.

658491

Minor

System

After an Archive configuration has been set up (NFS/HDFS), ADMIN > Setup > Storage > Archive, the user is unable to clear and remove the archive from the GUI.

577821

Minor

System

In Cloud Health, workers and super always incorrectly report 100% CPU utilization.

696873

Minor

Windows Agent

After Windows Agent 4.0.0 installation, an unnecessary system reboot may occur.

607443

Enhancement

App Server

LAST (Event Receive Time) is shown in Epoch Time format for PDF export in Elastic Storage setup.

627546

Enhancement

App Server

The Incident Notification Email link needs to have Super FQDN in addition to IP.

609102

Enhancement

App Server

The PDF Report does not display Incident category name.

649588

Enhancement

App Server

Custom Device Properties cannot be queried via CMDB Report.

580110

Enhancement

App Server

In CMDB > CMDB Report, add a scope attribute to display whether a property is either system or user defined.

611929

Enhancement

Data

Enhance the Cisco Meraki Parser to handle Air Marshall events.

670414

Enhancement

Data

The CloudTrail Parser does not parse the User and User Type for event type = AWS-CloudTrail-SIGNIN-ConsoleLogin-Success.

661692

Enhancement

Data

Event Type Categorization is inconsistent for ipsec/VPN log off.

669102

Enhancement

Data

The Unix Parser doesn't handle the user attribute when the rhost field is a hostname, and not an IP.

653421

Enhancement

Data

The "Multiple admin Login Failure" rule name should be renamed as there is no indicator of admin role usage.

530467

Enhancement

Data

FortiSIEM does not detect certain event SSH/Audit events using the Unix Parser.

660734

Enhancement

Data

The Aruba Parser does not parse Event Name and causes high CPU usage.

625194

Enhancement

Data

Enhance the Windows OS Parser update to pass terminal services logs.

652184

Enhancement

Data

Support the Unix Parser with a new timestamp format.

649496

Enhancement

Data

Enhance the Windows Parser fix for Alternate UPN domain suffix support.

624070

Enhancement

Data

Parse the Cisco ASA-722051 event ID.