Updated Analytic Stories:
- CRL-1711 - Updated "Credential Dumping" analytic story detections with corresponding MITRE ATT&CK technique IDs.
- CRL-1714 - Updated "Lateral Movement", "Windows Privilege Escalation", and "Disabling Security Tools" analytic stories:
  - added a new detection "Unload Sysmon Filter Driver".
  - added appropriate MITRE ATT&CK technique IDs to all detection searches.
  - refreshed MITRE ATT&CK reference URLs where needed.
  - added input and output filter macros where needed.
- CRL-1718 - Updated "DNS Hijack" analytic story:
  - Added output filter macros to "Clients Connecting to Multiple DNS Servers", "DNS record changed", and "DNS Query Requests Resolved by Unauthorized DNS Servers" detections.
  - Updated cis20 mappings in "Clients Connecting to Multiple DNS Servers" detection.
  - Updated mitre_attack mappings in "DNS Query Requests Resolved by Unauthorized DNS Servers" detection.
  - Added lookup 'discovered_dns_records' to "DNS record changed" detection.
  - Updated entities output by "Detect hosts connecting to dynamic domain providers" detection.
Fixed issues:
- CRL-1715 - Updated "First Time Seen Running Windows Service" detection and "Previously Seen Running Windows Services" support search to use field names provided by Splunk Add-on for Microsoft Windows.
- CRL-1716 - Updated "Malicious PowerShell Process With Obfuscation Techniques" detection to address a false negative.
- CRL-1717 - Updated macro definitions to resolve the error "Error in 'SearchParser' unable to find definition for macro 'X'. It is expected in the 'definition' conf key."
- CRL-1719 - Fixed URL reference in "Windows Privilege Escalation" analytic story