<html lang="en">
<body>

<p>
  	<b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 7</b><br>
	Change list:<br>
	Rules were updated:
	<ul>
		<li>Rules R004, R030_01, R030_02, R032_01, R032_02: Selector was revised; Active list 'Workstation' was removed; Filter 'Workstation' was added and can be used to configure the rules</li>
		<li>Rule R035_03: Selector was revised</li>
		<li>Rule R036_01: Selector was revised</li>
		<li>Rule R074: Selector and detection mechanism were revised</li>
		<li>Rule R089_01: Selector was revised</li>
		<li>Rule R288_04: Selector was revised</li>
		<li>Rule R296_22: Selector was revised</li>
		<li>Rule R402_01: Selector was revised</li>
		<li>Rule R427_04: Selector was revised</li>
		<li>Rule R437_07: Selector was revised</li>
		<li>Rule R426_02: Selector was revised</li>
		<li>Rules R116_07, R116_08, R116_14-R116_20, R437_09, R437_10: Selector was revised due to normalization</li>
		<li>Rules R113, R114, R115: Selector was revised</li>
	</ul>
	
	Other changes:
	<ul>
		<li>Minor typos were fixed</li>
		<li>Filter 'Windows system account' was fixed and renamed to 'DestinationUserName is Windows system account'</li>
		<li>Filter 'Network connection events' was fixed</li>
		<li>FortiGate event filter was fixed</li>
		<li>Condition order in some rules was corrected to optimize event processing on correlator</li>
		<li>Filter for CheckPoint events was fixed</li>		
	</ul>
</p>

<p>
  	<b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 6</b><br>
	Change list:<br>
	New rules were added:
	<ul>
		<li>Rule R036_02_Potential brute force vpn (Huawei USG)</li>
		<li>Rule R402_06_Phishing email with internal sender (KSMG)</li>
		<li>Rule R405_12_Disabling paging file in Linux</li>
		<li>Rule R436_04_Decoding files from base64 (Linux)</li>
	</ul>
	
	Rules were updated:
	<ul>
		<li>Rule R034_01: Selector was revised</li>
		<li>Rule R034_02: Selector was revised</li>
		<li>Rule R050_03: Selector was revised</li>
		<li>Rule R076_04: Selector was revised</li>
		<li>Rule R082_06: Threshold was changed</li>
		<li>Rule R082_07: Selector was revised</li>
		<li>Rule R087_04: Selector was revised</li>
		<li>Rule R152_08: Selector was revised</li>
		<li>Rule R224_07: Selector was revised</li>
		<li>Rule R225_03: Selector was revised</li>
		<li>Rule R233_04: Selector was revised</li>
		<li>Rule R300_04: Selector was revised</li>
		<li>Rule R423_03: Selector was revised</li>
		<li>Rule R436_03: Selector was fixed</li>
		<li>Rule R290_09 was deleted. Rule was merged with rule R150_01</li>
	</ul>
	
	Other changes:
	<ul>
		<li>Minor typos were fixed</li>
		<li>FortiGate event filter was fixed</li>
		<li>Condition order in some rules was corrected to optimize event processing on correlator</li>
		<li>Severity level was updated for all rules</li>
		<li>Kaspersky Endpoint Security for Linux (KESL) event source is now supported by Linux audit event-based rules</li>
		<li>Techniques and tactics were updated for rules in accordance with MITRE ATT&CK v17</li>
		<li>Conditions on the Windows log provider field were added to Microsoft Windows filters to avoid collisions with other event sources that use the same Event IDs</li>
		<li>Filter for CheckPoint events was fixed</li>
		<li>Local variables used by rules for automatic placement into the stop list were corrected</li>
		<li>For rules based on event ID 4104 (PowerShell), the field S.ScriptBlockText has been added to the aggregation fields</li>
	</ul>
</p>

<p>
  	<b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 5</b><br>
	Change list:<br>
	<b>Attention</b><br>
	All top-level rules that previously combined multiple rules have been removed from the package. As a result, each rule now has an action to create alerts. To update the package from older versions, two options are available:<br>
		1. Delete all resources except the KUMA Packages/SOC package/Integration folder, then update the package. All changes made will be preserved.<br>
		2. Manually delete resources that are no longer relevant. To do this, delete correlation rules and filters that match the following filter:<br>
		^(R001|R002|R003|R005|R030|R031|R032|R034|R035|R036|R050|R057|R058|R059|R061|R062|R063|R076|R077|R078|R079|R080|R081|R082|R083|R084|R087|R089|R093|R097|R098|R099|R100|R101|R102|R103|R104|R105|R106|R107|R108|R109|R110|R116|R150|R152|R154|R203|R207|R208|R209|R211|R219|R220|R221|R222|R223|R224|R225|R226|R227|R228|R229|R230|R231|R233|R240|R280|R281|R282|R283|R285|R286|R287|R288|R289|R290|R291|R292|R293|R294|R295|R296|R300|R301|R302|R331|R335|R350|R351|R402|R405|R406|R407|R408|R409|R410|R411|R412|R413|R414|R415|R416|R417|R418|R419|R420|R421|R422|R423|R424|R425|R426|R427|R428|R429|R430|R431|R432|R433|R434|R435|R436|R437|R438)_\D
		<br>
	    This regular expression can be entered into the search bar in the Resources section.<br>
		If no custom rule settings were made, it is recommended to delete the KUMA Packages/SOC package directory for all resources and reinstall the package.<br>
		<b>If the top-level rules are not deleted, duplicate events will be sent to the alerts.</b><br>
	
		The structure of the "Integration" resource catalog has been changed.
  </p>

<p>
  	<b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 4</b><br>
	Change list:<br>
	<b>Attention</b><br>
	All top-level rules that previously combined multiple rules have been removed from the package. As a result, each rule now has an action to create alerts. To update the package from older versions, two options are available:<br>
		1. Delete all resources except the KUMA Packages/SOC package/Integration folder, then update the package. All changes made will be preserved.<br>
		2. Manually delete resources that are no longer relevant. To do this, delete correlation rules and filters that match the following filter:<br>
		^(R001|R002|R003|R005|R030|R031|R032|R034|R035|R036|R050|R057|R058|R059|R061|R062|R063|R076|R077|R078|R079|R080|R081|R082|R083|R084|R087|R089|R093|R097|R098|R099|R100|R101|R102|R103|R104|R105|R106|R107|R108|R109|R110|R116|R150|R152|R154|R203|R207|R208|R209|R211|R219|R220|R221|R222|R223|R224|R225|R226|R227|R228|R229|R230|R231|R233|R240|R280|R281|R282|R283|R285|R286|R287|R288|R289|R290|R291|R292|R293|R294|R295|R296|R300|R301|R302|R331|R335|R350|R351|R402|R405|R406|R407|R408|R409|R410|R411|R412|R413|R414|R415|R416|R417|R418|R419|R420|R421|R422|R423|R424|R425|R426|R427|R428|R429|R430|R431|R432|R433|R434|R435|R436|R437|R438)_\D
		<br>
	    This regular expression can be entered into the search bar in the Resources section.<br>
		If no custom rule settings were made, it is recommended to delete the KUMA Packages/SOC package directory for all resources and reinstall the package.<br>
		<b>If the top-level rules are not deleted, duplicate events will be sent to the alerts.</b><br>
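		As an added example (not part of the package or its release notes), the Python below applies the regular expression above to a constructed list of resource names and shows which ones it selects: only top-level rules (a listed prefix followed by "_" and a non-digit) match, while numbered sub-rules such as R001_01 and rule families absent from the list such as R440 are left alone. Previewing the match set this way before bulk deletion is a cheap check; the resource names are constructed for illustration.<br>

```python
import re

# The deletion filter quoted in the release notes, reproduced verbatim but
# split across adjacent string literals so it stays readable.
TOP_LEVEL_RULE_FILTER = re.compile(
    r"^(R001|R002|R003|R005|R030|R031|R032|R034|R035|R036|R050|R057|R058|R059|"
    r"R061|R062|R063|R076|R077|R078|R079|R080|R081|R082|R083|R084|R087|R089|"
    r"R093|R097|R098|R099|R100|R101|R102|R103|R104|R105|R106|R107|R108|R109|"
    r"R110|R116|R150|R152|R154|R203|R207|R208|R209|R211|R219|R220|R221|R222|"
    r"R223|R224|R225|R226|R227|R228|R229|R230|R231|R233|R240|R280|R281|R282|"
    r"R283|R285|R286|R287|R288|R289|R290|R291|R292|R293|R294|R295|R296|R300|"
    r"R301|R302|R331|R335|R350|R351|R402|R405|R406|R407|R408|R409|R410|R411|"
    r"R412|R413|R414|R415|R416|R417|R418|R419|R420|R421|R422|R423|R424|R425|"
    r"R426|R427|R428|R429|R430|R431|R432|R433|R434|R435|R436|R437|R438)_\D"
)


def classify_resources(names):
    """Split resource names into (to_delete, to_keep), both sorted.

    A name is selected only when it starts with a listed prefix, then an
    underscore, then a non-digit. The trailing "_\\D" is what protects the
    numbered sub-rules (R001_01_...) from being caught by the filter.
    """
    to_delete = [n for n in names if TOP_LEVEL_RULE_FILTER.match(n)]
    to_keep = [n for n in names if n not in to_delete]
    return sorted(to_delete), sorted(to_keep)


# Constructed sample of resource names (not taken from a real installation).
SAMPLE_RESOURCES = [
    "R001_Suspicious activity",             # top-level rule: selected
    "R001_01_Suspicious activity",          # numbered sub-rule: kept
    "R203_Access to a suspicious URL",      # top-level rule: selected
    "R116_07_Access to malicious resource", # numbered sub-rule: kept
    "R436_Potential file obfuscation",      # top-level rule: selected
    "R436_03_Suspicious string",            # numbered sub-rule: kept
    "R440_KES disabled",                    # prefix not in the list: kept
    "R072",                                 # no underscore at all: kept
]

if __name__ == "__main__":
    delete, keep = classify_resources(SAMPLE_RESOURCES)
    print("would delete:", delete)
    print("would keep:  ", keep)
```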
	
	New rules were added:
	<ul>
		<li>Rule R033: Remote process launch using WMI</li>
		<li>Rules R084_05, R084_06: Use of remote administration software</li>
		<li>Rules R087_06, R087_07, R087_08: Possible process hollowing</li>
		<li>Rule R089_08: Attempt of suspicious file overwrite</li>
		<li>Rule R093_40: Deletion of Windows registry key value</li>
		<li>Rules R097_05, R097_06: Suspicious shortcut creation</li>
		<li>Rule R152_14: Suspicion of persistence on host using wpbbin.exe</li>
		<li>Rule R224_23: Cisco network device configuration discovery</li>
		<li>Rules R231_08, R231_09, R231_10, R231_11: Credential gathering from OS files</li>
		<li>Rule R284_01: Creation of executable file in unusual directory</li>
		<li>Rule R285_04: Suspicious file manipulation on shared resources</li>
		<li>Rule R286_05: Suspicion of web shell</li>
		<li>Rules R288_03, R288_04: Suspicious file extension</li>
		<li>Rules R290_08, R290_09: Suspicious system utility manipulation</li>
		<li>Rules R296_20, R296_21, R296_22: Suspicious PowerShell manipulation</li>
		<li>Rule R351_03: Suspicion of HTML smuggling attack</li>
		<li>Rule R409_07: Email mailbox data clearing</li>
		<li>Rule R435_05: Local firewall manipulation</li>
		<li>Rule R437_11: Detected interaction with C&C (Palo Alto)</li>
		<li>Rule R446_01: MSSQL configuration change</li>
	</ul>
	
	Rules were updated:
	<ul>
		<li>Rule R034_01: Selector was revised</li>
		<li>Rule R061_04: Selector was revised</li>
		<li>Rule R072: Selector was revised</li>
		<li>Rule R079_03: Support for KSC events from DB and CEF normalizers</li>
		<li>Rule R087_04: Selector was revised</li>
		<li>Rule R110_02: Selector was revised</li>
		<li>Rule R110_06: Selector was revised</li>
		<li>Rule R203_02: Selector was revised</li>
		<li>Rule R224_04: Selector was revised</li>
		<li>Rule R231_03: Selector was revised</li>
		<li>Rule R296_19: Selector was revised</li>
		<li>Rule R402_04: Selector was revised</li>
		<li>Rule R426_02: Selector was revised</li>
	</ul>
	
	Other changes:
	<ul>
		<li>Minor typos have been fixed</li>
		<li>Rules related to network activity monitoring have been removed from the package and transferred to a separate package</li>
	</ul>
  </p>

  <p>
  	<b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 3</b><br>
	Change list:<br>
	New rules were added:
	<ul>
		<li>Rules R050_07, R050_08: event log cleared</li>
		<li>Rules R058_04, R058_05: local account creation</li>
		<li>Rules R061_10, R061_11: manipulations with user accounts</li>
		<li>Rules R082_09, R082_10, R082_11, R082_12, R082_13: ICMP exfiltration</li>
		<li>Rule R083_13: suspicious virtualization usage</li>
		<li>Rule R087_05: possible process injection</li>
		<li>Rule R093_39: registry modification</li>
		<li>Rule R107_04: data compression</li>
		<li>Rules R116: an attempt to access a malicious resource</li>
		<li>Rule R152_13: suspicious process tree</li>
		<li>Rules R154: authentication process modification</li>
		<li>Rule R224_22: system discovery</li>
		<li>Rules R225_04, R225_05: system discovery</li>
		<li>Rule R228_04: network discovery</li>
		<li>Rule R283_03: suspicious activity via browser</li>
		<li>Rule R285_03: suspicious file on network share</li>
		<li>Rules R286_02, R286_03, R286_04: possible reverse shell</li>
		<li>Rule R291_06: DLL side-loading</li>
		<li>Rule R293_04: suspicious process tree</li>
		<li>Rule R296_19: LotL bins usage</li>
		<li>Rules R402: possible phishing attack</li>
		<li>Rule R405_10: configuration modification</li>
		<li>Rule R409_06: mailbox export attempt</li>
		<li>Rules R419: code validation process manipulations</li>
		<li>Rules R427: suspicious file transfer</li>
		<li>Rules R433_04, R433_05, R433_06: suspicious container usage</li>
		<li>Rule R434_04: container discovery</li>
		<li>Rule R435_04: network traffic mirroring</li>
		<li>Rules R437: possible network attack</li>
		<li>Rules R438: data collection</li>
		<li>Rule R440: KES disabled</li>
		<li>Rule R441: disk wiping utilities usage</li>
		<li>Rule R442: process flow delay detection</li>
		<li>Rule R443: process uninterrupted execution via nohup</li>
	</ul>
	
	Rules were updated:
	<ul>
		<li>Rule R002_02: selector was revised</li>
		<li>Rule R031_01: selector was revised</li>
		<li>Rule R083_03: selector was revised</li>
		<li>Rule R093_07: selector was revised</li>
		<li>Rule R100_01: selector was revised</li>
		<li>Rule R107_01: selector was revised</li>
		<li>Rule R109_01: selector was revised</li>
		<li>Rules R116, R117: renamed to R116_01 and R116_02</li>
		<li>Rule R296_01: selector was revised</li>
		<li>Rule R402: renamed to R402_01</li>
		<li>Rule R438_01: selector was revised</li>
	</ul>
	
	Other changes:
	<ul>
		<li>Typos were fixed</li>
		<li>Message field enrichment was improved</li>
		<li>Rules' description was improved</li>
	</ul>
  </p>

  <p>
	<b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 2</b><br>
	Change list:<br>
	New rules were added:
	<ul>
		<li>Rule R050_06_Audit log deletion (Linux)</li>
		<li>Rule R077_05_Kernel Callback Table Shell Hijacking (KSC)</li>
		<li>Rule R083_10_Suspicious activity related to PTASpy.dll (cmd)</li>
		<li>Rule R093_37_Registry subkey creation or modification related to root certificates</li>
		<li>Rule R093_38_Modification in SIP and Trust provider settings</li>
		<li>Rules R203_Access to a suspicious URL</li>
		<li>Rule R209_05_Internet connectivity check on Linux systems</li>
		<li>Rule R219_02_Instant messaging usage (UserGate)</li>
		<li>Rule R220_07_Email accounts enumeration</li>
		<li>Rules R224_17, R224_18, R224_19, R224_20, R224_21: detection of system data collection</li>
		<li>Rule R231_07_Container exec commands with credential files</li>
		<li>Rule R282_03_Disablement of Linux audit service</li>
		<li>Rules R302_05_Removing immutable file attribute, R302_06_File time modification by using touch command, R302_07_System time modification via PowerShell</li>
		<li>Rule R350_07_Browser launched in application mode by an Office app</li>
		<li>Rule R405_09_Suspicious modification of Windows hosts file</li>
		<li>Rules R422_02, R422_03: audit settings manipulation</li>
		<li>Rules R431_Suspicious removable device activity</li>
		<li>Rules R432_Peripheral device discovery</li>
		<li>Rules R433_Suspicious container manipulations</li>
		<li>Rules R434_Container discovery</li>
		<li>Rules R435_Network device configuration changes</li>
		<li>Rule R436_Potential file obfuscation</li>
		<li>Rule R437_Possible network attack</li>
	</ul>
	
	Rules were updated:
	<ul>
		<li>Conditions of the rules R001_01, R002_01, R003_01, R005_02, R031_02, R050_06, R059_02, R082_03, R082_04, R083_06, R099_06, R099_08, R152_08, OR152_08, R209_05, R211_02, R221_04, R224_04, R224_05, R224_06, R224_07, R224_10, R224_16, R231_05, R231_06, R231_07, R282_03, R286_01, R302_04, R302_05, R302_06, R335_01, R405_01, R405_02, R405_04, R405_05, R405_06, R405_08, R412_02, R413_01, R416_01, R418_01, R420_02, R422_02, R423_01, R429_01, R430_01, R433_01, R433_02, R433_03, R434_01, R434_02, R434_03, R436_03 were updated in accordance with the new version of the normalizer for Auditd events.</li>
		<li>Conditions of the rules R089_06, R227_01, R262, R350_01, R405_07, R405_09 were updated in accordance with normalization.</li>
		<li>Conditions of the rules R058_03, R082_01, R083_01, R083_03, R083_07, R089_01, R098_01, R100_03, R110_06, R110_07, R150_01, R104_02 were updated in accordance with normalization.</li>
		<li>In rules R002_01 and R002_02 the Servers list was removed. An exception filter must be used to configure the rule.</li>
		<li>Condition of the rule R077_04 was corrected.</li>
		<li>Condition of the rule R082_05 was corrected.</li>
		<li>Condition of the rule R098_01 was corrected for FP reduction.</li>
		<li>Condition of the rule R099_01 was updated.</li>
		<li>Condition of the rule R110_01 was corrected.</li>
		<li>Rule R203 was split into several separate rules.</li>
		<li>Rule R219 was split into several separate rules.</li>
		<li>Condition of the rule R281_02 was updated.</li>
		<li>Condition of the rule R283_01 was corrected for FP reduction.</li>
		<li>Condition of the rule R285_01 was corrected.</li>
		<li>Condition of the rule R288_02 was corrected for FP reduction.</li>
		<li>Rules R289_01 and R289_03 were renamed to R436_02 and R436_03.</li>
		<li>Condition of the rule R290_05 was corrected.</li>
		<li>Condition of the rule R295_01 was corrected for FP reduction.</li>
		<li>Condition of the rule R297 was corrected.</li>
		<li>Rules R152_08, R035_03, R035_01, R036_01, R089_04 were updated: an error in the variable was fixed and escape characters were added to regular expressions.</li>
		<li>Description of the rule R401 was corrected.</li>
	</ul>
	
	Other changes:
	<ul>
		<li>Rule names and descriptions were updated.</li>
		<li>KUMA "Message" field was updated for most of the rules.</li>
	</ul>
	</p>
  
  <p>
  <b>[OOTB] SOC Content - ENG for KUMA 3.2. Version 1</b><br>
	Change list:<br>
	Information about coverage of the MITRE ATT&CK matrix by rules was added.
	</p>

</body>
</html>