Commit 58df5da

Generate docs for prebuilt-rules 7.11 release (#477)
Co-authored-by: Janeen Mikell-Straughn <[email protected]>
1 parent 43a3ec7 commit 58df5da

356 files changed

+88603
-1411
lines changed

docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc

+188-9
@@ -7,6 +7,185 @@ The following lists prebuilt rule updates per release. Only rules with
77
significant modifications to their query or scope are listed. For detailed
88
information about a rule's changes, see the rule's description page.
99

10+
[float]
11+
=== 7.11.0
12+
13+
<<attempt-to-modify-an-okta-network-zone>>
14+
15+
<<attempt-to-modify-an-okta-policy-rule>>
16+
17+
<<azure-automation-account-created>>
18+
19+
<<azure-automation-runbook-created-or-modified>>
20+
21+
<<azure-automation-runbook-deleted>>
22+
23+
<<azure-automation-webhook-created>>
24+
25+
<<azure-blob-container-access-level-modification>>
26+
27+
<<azure-command-execution-on-virtual-machine>>
28+
29+
<<azure-conditional-access-policy-modified>>
30+
31+
<<azure-diagnostic-settings-deletion>>
32+
33+
<<azure-event-hub-authorization-rule-created-or-updated>>
34+
35+
<<azure-event-hub-deletion>>
36+
37+
<<azure-external-guest-user-invitation>>
38+
39+
<<azure-firewall-policy-deletion>>
40+
41+
<<azure-global-administrator-role-addition-to-pim-user>>
42+
43+
<<azure-key-vault-modified>>
44+
45+
<<azure-network-watcher-deletion>>
46+
47+
<<azure-privilege-identity-management-role-modified>>
48+
49+
<<azure-resource-group-deletion>>
50+
51+
<<azure-storage-account-key-regenerated>>
52+
53+
<<clearing-windows-event-logs>>
54+
55+
<<dns-activity-to-the-internet>>
56+
57+
<<ftp-file-transfer-protocol-activity-to-the-internet>>
58+
59+
<<gcp-firewall-rule-creation>>
60+
61+
<<gcp-firewall-rule-deletion>>
62+
63+
<<gcp-firewall-rule-modification>>
64+
65+
<<gcp-iam-custom-role-creation>>
66+
67+
<<gcp-iam-role-deletion>>
68+
69+
<<gcp-iam-service-account-key-deletion>>
70+
71+
<<gcp-logging-bucket-deletion>>
72+
73+
<<gcp-logging-sink-deletion>>
74+
75+
<<gcp-logging-sink-modification>>
76+
77+
<<gcp-pub-sub-subscription-creation>>
78+
79+
<<gcp-pub-sub-subscription-deletion>>
80+
81+
<<gcp-pub-sub-topic-creation>>
82+
83+
<<gcp-pub-sub-topic-deletion>>
84+
85+
<<gcp-service-account-creation>>
86+
87+
<<gcp-service-account-deletion>>
88+
89+
<<gcp-service-account-disabled>>
90+
91+
<<gcp-service-account-key-creation>>
92+
93+
<<gcp-storage-bucket-configuration-modification>>
94+
95+
<<gcp-storage-bucket-deletion>>
96+
97+
<<gcp-storage-bucket-permissions-modification>>
98+
99+
<<gcp-virtual-private-cloud-network-deletion>>
100+
101+
<<gcp-virtual-private-cloud-route-creation>>
102+
103+
<<gcp-virtual-private-cloud-route-deletion>>
104+
105+
<<iis-http-logging-disabled>>
106+
107+
<<irc-internet-relay-chat-protocol-activity-to-the-internet>>
108+
109+
<<microsoft-build-engine-loading-windows-credential-libraries>>
110+
111+
<<microsoft-build-engine-using-an-alternate-name>>
112+
113+
<<microsoft-iis-connection-strings-decryption>>
114+
115+
<<microsoft-iis-service-account-password-dumped>>
116+
117+
<<multi-factor-authentication-disabled-for-an-azure-user>>
118+
119+
<<persistence-via-telemetrycontroller-scheduled-task-hijack>>
120+
121+
<<possible-consent-grant-attack-via-azure-registered-application>>
122+
123+
<<potential-dll-sideloading-via-trusted-microsoft-programs>>
124+
125+
<<potential-modification-of-accessibility-binaries>>
126+
127+
<<potential-secure-file-deletion-via-sdelete-utility>>
128+
129+
<<potential-windows-error-manager-masquerading>>
130+
131+
<<proxy-port-activity-to-the-internet>>
132+
133+
<<rdp-remote-desktop-protocol-from-the-internet>>
134+
135+
<<rdp-remote-desktop-protocol-to-the-internet>>
136+
137+
<<rpc-remote-procedure-call-from-the-internet>>
138+
139+
<<rpc-remote-procedure-call-to-the-internet>>
140+
141+
<<remote-file-download-via-desktopimgdownldr-utility>>
142+
143+
<<remote-file-download-via-mpcmdrun>>
144+
145+
<<renamed-autoit-scripts-interpreter>>
146+
147+
<<smb-windows-file-sharing-activity-to-the-internet>>
148+
149+
<<smtp-to-the-internet>>
150+
151+
<<sql-traffic-to-the-internet>>
152+
153+
<<ssh-secure-shell-from-the-internet>>
154+
155+
<<ssh-secure-shell-to-the-internet>>
156+
157+
<<suspicious-.net-code-compilation>>
158+
159+
<<suspicious-endpoint-security-parent-process>>
160+
161+
<<suspicious-ms-office-child-process>>
162+
163+
<<suspicious-process-execution-via-renamed-psexec-executable>>
164+
165+
<<suspicious-zoom-child-process>>
166+
167+
<<tcp-port-8000-activity-to-the-internet>>
168+
169+
<<tor-activity-to-the-internet>>
170+
171+
<<uac-bypass-via-diskcleanup-scheduled-task-hijack>>
172+
173+
<<unusual-child-processes-of-rundll32>>
174+
175+
<<unusual-file-modification-by-dns.exe>>
176+
177+
<<unusual-network-connection-via-rundll32>>
178+
179+
<<unusual-parent-child-relationship>>
180+
181+
<<user-added-as-owner-for-azure-application>>
182+
183+
<<user-added-as-owner-for-azure-service-principal>>
184+
185+
<<vnc-virtual-network-computing-from-the-internet>>
186+
187+
<<vnc-virtual-network-computing-to-the-internet>>
188+
10189
[float]
11190
=== 7.10.0
12191

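Review bot: Two of the cross-references added to the 7.11.0 list carry a dot inside the ID, `<<suspicious-.net-code-compilation>>` and `<<unusual-file-modification-by-dns.exe>>`, and nothing in this hunk shows that the rule description pages emit anchors with exactly those IDs. Since the file is generated, please confirm in a docs build that both entries resolve, and if the generator is meant to strip or replace punctuation, fix it there rather than hand-editing these two lines.
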
@@ -24,25 +203,25 @@ information about a rule's changes, see the rule's description page.
24203

25204
<<aws-waf-rule-or-rule-group-deletion>>
26205

27-
<<administrator-privileges-assigned-to-okta-group>>
206+
<<administrator-privileges-assigned-to-an-okta-group>>
28207

29208
<<attempt-to-create-okta-api-token>>
30209

31-
<<attempt-to-deactivate-mfa-for-okta-user-account>>
210+
<<attempt-to-deactivate-mfa-for-an-okta-user-account>>
32211

33-
<<attempt-to-deactivate-okta-mfa-rule>>
212+
<<attempt-to-deactivate-an-okta-policy>>
34213

35-
<<attempt-to-deactivate-okta-policy>>
214+
<<attempt-to-deactivate-an-okta-policy-rule>>
36215

37-
<<attempt-to-delete-okta-policy>>
216+
<<attempt-to-delete-an-okta-policy>>
38217

39-
<<attempt-to-modify-okta-mfa-rule>>
218+
<<attempt-to-modify-an-okta-network-zone>>
40219

41-
<<attempt-to-modify-okta-network-zone>>
220+
<<attempt-to-modify-an-okta-policy>>
42221

43-
<<attempt-to-modify-okta-policy>>
222+
<<attempt-to-modify-an-okta-policy-rule>>
44223

45-
<<attempt-to-reset-mfa-factors-for-okta-user-account>>
224+
<<attempt-to-reset-mfa-factors-for-an-okta-user-account>>
46225

47226
<<attempt-to-revoke-okta-api-token>>
48227

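Review bot: The replacements in the 7.10.0 block are not all one-for-one renames: `<<attempt-to-deactivate-okta-mfa-rule>>` and `<<attempt-to-modify-okta-mfa-rule>>` are removed, while `<<attempt-to-deactivate-an-okta-policy-rule>>` and `<<attempt-to-modify-an-okta-policy-rule>>` appear, so the already released 7.10.0 list now points at different anchors than before. If the MFA rule entries were renamed to policy rule, state that in the commit message, and check that the old IDs are not still linked from other pages, because this hunk leaves nothing behind that keeps them resolvable.
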