
October 10, 2025 - Content Release

This content release includes:

  • New and updated rules.
  • Updated Threat Intelligence rules that now support match lists; these lists can be populated with exclusions so that known sources do not generate unwanted signals.
  • Mapping update.

Changes are enumerated below.

Rules

  • [New] CHAIN-S00023 Administrative Remote Interactive Brute Force Login
    This rule correlates a high number of failed authentication attempts with a successful remote interactive login (such as via RDP) coming from the same source IP address and user account.
  • [New] CHAIN-S00024 RDP Brute Force Login Attempt
    This rule correlates a high number of failed authentication attempts with repeated inbound connections over port 3389 (the default RDP port).
  • [New] MATCH-S01056 Administrative Remote Interactive Login
    This rule triggers on a successful remote interactive login (such as via RDP) of a privileged user.
  • [Updated] MATCH-S00139 Abnormal Parent-Child Process Combination
    Updated to reduce false positive matches for certain parent-child process combinations.
  • [Updated] MATCH-S01024 Threat Intel - Destination IP Address (High Confidence)
  • [Updated] MATCH-S01026 Threat Intel - Destination IP Address (Low Confidence)
  • [Updated] MATCH-S01028 Threat Intel - Destination IP Address (Medium Confidence)
  • [Updated] MATCH-S01023 Threat Intel - Inbound Traffic from Threat Feed IP (High Confidence)
  • [Updated] MATCH-S01025 Threat Intel - Inbound Traffic from Threat Feed IP (Low Confidence)
  • [Updated] MATCH-S01027 Threat Intel - Inbound Traffic from Threat Feed IP (Medium Confidence)
  • [Updated] MATCH-S01018 Threat Intel - Successful Authentication from Threat Feed IP
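As an added illustration of the correlation that CHAIN-S00023 describes (this is not Sumo Logic's rule logic or code), the function below counts failed authentications per source IP and user, and emits a signal only when a successful remote interactive login follows at least `threshold` failures within `window`. The events, the field names and the logon-type value are constructed assumptions, not any product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, src_ip, user, outcome, logon_type="RemoteInteractive"):
    """Build one constructed authentication event (field names are assumptions)."""
    return {"ts": ts, "src_ip": src_ip, "user": user,
            "outcome": outcome, "logon_type": logon_type}


# Constructed sample events, not real log data (RFC 5737 documentation addresses).
EVENTS = (
    # six failures then a successful remote interactive login -> expect a signal
    [ev(f"2025-10-10T08:00:{s:02d}", "203.0.113.7", "svc-admin", "failure")
     for s in (1, 5, 9, 13, 17, 21)]
    + [ev("2025-10-10T08:00:30", "203.0.113.7", "svc-admin", "success")]
    # only two failures before success -> below threshold, no signal
    + [ev(f"2025-10-10T08:01:{s:02d}", "198.51.100.4", "jdoe", "failure") for s in (0, 10)]
    + [ev("2025-10-10T08:01:20", "198.51.100.4", "jdoe", "success")]
    # many failures, but the success is a network logon, not remote interactive -> no signal
    + [ev(f"2025-10-10T08:02:{s:02d}", "192.0.2.9", "backup", "failure", "Network")
       for s in range(0, 30, 5)]
    + [ev("2025-10-10T08:02:40", "192.0.2.9", "backup", "success", "Network")]
)


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Return one signal per (src_ip, user) whose successful remote interactive
    login is preceded by at least `threshold` failures inside `window`."""
    failures = defaultdict(list)  # (src_ip, user) -> timestamps of failures
    signals = []
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        key = (e["src_ip"], e["user"])
        t = datetime.fromisoformat(e["ts"])
        if e["outcome"] == "failure":
            failures[key].append(t)
            continue
        if e["outcome"] == "success" and e["logon_type"] == "RemoteInteractive":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                signals.append({"src_ip": e["src_ip"], "user": e["user"],
                                "failures": len(recent), "success_at": e["ts"]})
        failures[key].clear()  # any success resets the failure streak
    return signals


if __name__ == "__main__":
    for s in correlate(EVENTS):
        print(f"signal: {s['user']} from {s['src_ip']} after {s['failures']} failures")
```

Tuning `threshold` and `window` is where the false-positive rate is controlled; the same per-key counting extends to the inbound port 3389 connections that CHAIN-S00024 pairs with failed logins.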

Log Mappers

  • [Updated] Slack Anomaly Event
    Updated to include threat_name mapping for improved context in alerts.

Copyright © 2025 by Sumo Logic, Inc.