2016 SIEM Content and Parsing Updates

Table of Contents

SIEM Data Sources: January 21, February 10, February 16, February 26, March 25, June 2, June 8, July 19, August 04, August 11, August 15, September 1, September 2, September 26, October 12, October 13, November 7, November 10, November 11, December 2 (2016)

SIEM Custom Types: October 13, October 25 (2016)

SIEM Parsing Rules: January 8 (2015); January 12, January 13, January 21, January 22, January 25, January 29, January 29, February 4, February 8, February 10, February 11, February 16, February 17, February 19, February 23, February 24, February 25, February 26, February 29, March 2, March 3, March 7, March 8, March 9, March 11, March 14, March 16, March 17, March 18, March 21, March 24, March 25, March 29, March 30, March 31, April 01, April 04, April 07, April 08, April 21, April 26, May 3, May 5, May 5, May 9, May 11, May 16, May 18, May 23, May 24, May 25, May 26, May 27, June 2, June 06, June 08, June 13, June 15, June 17, June 20, June 23, June 28, June 30, July 07, July 08, July 11, July 12, July 13, July 15, July 19, July 22, July 25, August 02, August 04, August 11, August 15, August 22, August 24, September 1, September 2, September 15, September 19, September 23, September 26, October 5, October 12, October 13, October 25, October 28, November 2, November 7, November 9, November 10, November 11, December 2, December 5, December 14, December 15, December 16 (2016)

Content Packs: February 3, February 4, February 18, April 13, April 18, May 20, May 31, June 2, July 12, August 9, September 15, September 27, September 30, November 2 (2016)

IPS Rules: January 12, January 14, January 15, February 9, March 8, March 17, March 23, April 13, May 20 (2016)

SIEM Data Sources

January 21, 2016 New Data Source Vendor: SSH Communications Security Product: CryptoAuditor Collector: Syslog Parser: ASP Device ID: 554 Version: ESM 9.4.1 and above Notes:

February 10, 2016 New Data Source Vendor: IBM Product: ISS SiteProtector - LEEF Collector: Syslog Parser: ASP Device ID: 555 Version: ESM 9.5.0 and above Notes: Parses LEEF formatted events received over syslog.

February 16, 2016 New Data Source Vendor: Microsoft Product: Internet Authentication Service - Database Compatible Format Collector: File Pull / Syslog Parser: ASP Device ID: 556 Version: ESM 9.5.2 and above Notes: Parses database-compatible formatted log files. Parsed events use signature IDs associated with data source ID 407.

February 26, 2016 Modified Data Source Vendor: Oracle Product: Oracle Audit - SQL Pull (ASP) Collector: SQL Parser: ASP Device ID: 470 Version: ESM 9.4.2 and above Notes: Updated to support pulling Audit events from Oracle 12c.

New Data Source Vendor: Prevoty Product: Prevoty Collector: Syslog Parser: ASP Device ID: 557 Version: ESM 9.5.1 and above Notes: Syslog support requires the use of Log4j on Prevoty.

March 25, 2016 New Data Source Vendor: Wurldtech Product: OpShield Collector: Syslog Parser: ASP Device ID: 558 Version: ESM 9.4.1 and above Notes:

June 2, 2016 New Data Source Vendor: Interset Product: Interset Collector: Syslog Parser: ASP Device ID: 560 Version: ESM 9.5.1 and above Notes: Requires Interset version 4.1 or greater.

June 8, 2016 New Data Source Vendor: Globalscape Product: Globalscape EFT Collector: MEF Parser: ASP Device ID: 561 Version: ESM 9.4.1 and above. Notes:

New Data Source Vendor: Blue Coat Product: Reporter Collector: File Parser: ASP Device ID: 562 Version: ESM 9.5.0 and above. Notes: Added support for Blue Coat Reporter 9.5.1 Cloud Access logs.

July 19, 2016 New Data Source Vendor: PhishMe Product: PhishMe Intelligence Collector: Syslog Parser: ASP Device ID: 563 Version: ESM 9.5.0 and above.

August 04, 2016 New Data Source Vendor: Product: Breach Remediation Collector: Syslog Parser: ASP Device ID: 564 Version: ESM 9.5.0 and above Notes: CEF format is supported.

August 11, 2016 New Data Source Vendor: Malwarebytes Product: Management Console Collector: Syslog Parser: ASP Device ID: 565 Version: ESM 9.5.0 and above Notes: Management Console version 1.7, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti- and Malwarebytes Anti-Exploit running on managed endpoints. CEF formatted syslog is supported by ESM.

August 15, 2016 New Data Source Vendor: CyberArk Product: Privileged Threat Analytics Collector: Syslog Parser: ASP Device ID: 566 Version: ESM 9.5.0 and above Notes: CEF format is supported from PTA version 3.1.

September 1, 2016 New Data Sources Vendor: Skyhigh Networks Product: Cloud Security Platform Collector: Syslog Parser: ASP Device ID: 567 Version: ESM 9.5.1 and above Notes: Requires Skyhigh Enterprise Connector. CEF format is supported. Skyhigh version 2.2 and above is supported by ESM.

Vendor: Niara Product: Niara Collector: Syslog Parser: ASP Device ID: 568 Version: ESM 9.5.0 and above Notes: Niara version 1.5 and above is supported by ESM.

Vendor: TrapX Security Product: DeceptionGrid Collector: Syslog Parser: ASP Device ID: 569 Version: ESM 9.5.0 and above Notes:

September 2, 2016 New Data Sources Vendor: Attivo Networks Product: BOTsink Collector: Syslog Parser: ASP Device ID: 570 Version: ESM 9.5.0 and above Notes: Requires BOTsink version 3.3 or above.

Vendor: PhishMe Product: PhishMe Triage Collector: Syslog Parser: ASP Device ID: 571 Version: ESM 9.5.1 and above. Notes:

September 26, 2016 Updated Data Source Vendor: McAfee Product: ePolicy Orchestrator (SiteAdvisor) Collector: SQL Parser: ASP Device ID: 357 Version: ESM 9.4.1 and above Notes: The SQL configuration was updated to report the HostName and HostIP fields belonging to the host running the SiteAdvisor client.

October 12, 2016 New Data Source Vendor: Fortscale Product: Fortscale UEBA Collector: Syslog Parser: ASP Device ID: 572 Version: ESM 9.5.0 and above Notes:

October 13, 2016 New Data Source Vendor: ThreatConnect Product: ThreatConnect Threat Intelligence Platform Collector: Syslog Parser: ASP Device ID: 573 Version: ESM 9.5.0 and above Notes:

November 7, 2016 New Data Sources Vendor: McAfee Product: Endpoint Security Platform (ePO) Collector: SQL Parser: ASP Device ID: 574 Version: ESM 9.5.0 and above Notes: Data source coupled with ePO.

Vendor: McAfee Product: Endpoint Security (ePO) Collector: SQL Parser: ASP Device ID: 575 Version: ESM 9.5.0 and above Notes: Data source coupled with ePO.

Vendor: McAfee Product: Endpoint Security Threat Prevention (ePO) Collector: SQL Parser: ASP Device ID: 576 Version: ESM 9.5.0 and above Notes: Data source coupled with ePO.

Vendor: McAfee Product: Endpoint Security Web Control (ePO) Collector: SQL Parser: ASP Device ID: 577 Version: ESM 9.5.0 and above Notes: Data source coupled with ePO.

November 10, 2016 Updated Data Source Vendor: Oracle Product: Oracle Audit - SQL Pull (ASP) Collector: SQL Parser: ASP Device ID: 470 Version: ESM 9.4.2 and above Notes: The SQL configuration was updated to pull Unified Audit events from version 12c when mixed mode reporting is disabled and Unified Auditing is specifically enabled.

November 11, 2016 Updated Data Source Vendor: McAfee Product: ePolicy Orchestrator (HIPS) Collector: SQL Parser: ASP Device ID: 357 Version: ESM 9.4.1 and above Notes: The SQL configuration was updated to collect the Local Port and Remote Port fields from the HIPS tables in ePO.

December 2, 2016 Updated Data Source Vendor: Symantec Product: Critical System Protection - SQL Pull (ASP) Collector: SQL Parser: ASP Device ID: 103 Version: ESM 9.6.0 and above Notes: The SQL configuration was updated to collect events from newer versions of Data Center Security, including version 6.7. The data source name was also updated to Data Center Security (CSP) - SQL Pull.

SIEM Custom Types

October 13, 2016 New Custom Types Field Name: Device_Confidence Data Type: Unsigned Integer Event Field: 24 Indexed: Yes ESM Version: 9.2.0 and above

October 25, 2016 New Custom Types Field Name: Total_Bytes Data Type: Accumulator Event Field: 3 Indexed: Yes ESM Version: 9.2.0 and above

SIEM Parsing Rules

January 8, 2015 Modified Rules Vendor: McAfee Data Source: Advanced Threat Defense Affected Versions: ESM 9.4.0 and above Parsing rules 43-263051360, 43-2630513700, and 43-263051410 were updated to map the Object GUID and Correlation ID from the log to the Object_GUID and Instance_GUID fields in the ESM.

Vendor: McAfee Data Source: Advanced Threat Defense Affected Versions: ESM 9.4.1 and above Data Source rules 525-3186621865, 525-3768867276, 525-3260456963, 525-2089798990, 525-2353735580, and 525-2242864416 were added to the Advanced Threat Defense rule set.

January 12, 2016 New Rules Vendor: Data Source: JUNOS Router (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068405 and 1068406 were added to the JUNOS Router (ASP) rule set.

Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.2 and above Parsing rules 43-402000130, 43-403000000, 43-404000030, 43-405005020, 43-405005010, 43-406133970, 43-407009000, 43-407010660, 43-408100000, 43-409245760, 43-410002580, 43-411006540, 43-412050500, 43-412058550, and 43-412092020 were added to the Windows Event Log - WMI rule set.

January 13, 2016 Modified Rules Vendor: Vormetric Data Source: Data Security (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1055606 was updated to map the key to Registry_Key and faked usernames to User_Nickname. Normalization was also updated.

New Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.5.0 and above Parsing rule 43-413000000 was added to the Windows Event Log - WMI rule set to parse events from the Vasco Identikey authentication server.

January 21, 2016 Modified Rules Vendor: Microsoft Data Source: Microsoft Event Log - WMI Affected Versions: ESM 9.4.0 and above Parsing rule 43-294011160 was updated to map the filename to the Filename field in the ESM.

Vendor: Data Source: FortiGate UTM Affected Versions: ESM 9.4.0 and above Parsing rules 1067976 and 1067977 were updated to include the edit action in the action map.

Vendor: Cisco Data Source: IOS IPS (SDEE protocol) Affected Versions: ESM 9.5.1 and above Parsing rule 1067511 was updated to map the CVE reference from the log to the Vulnerability_References field in the ESM.

New Rules Vendor: SSH Communications Security Data Source: CryptoAuditor Affected Versions: ESM 9.4.1 and above Parsing rule 1068487 was added to the CryptoAuditor rule set.

January 22, 2016 Modified Rules Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.3.0 and above Data source rule messages were updated to reflect changes made by the McAfee NSM.

January 25, 2016 New Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.2 and above Parsing rule 43-265010850 was added to the Windows Event Log - WMI rule set to parse event 1085 from the Microsoft-Windows-GroupPolicy source.

Modified Rules Vendor: Microsoft Data Source: Forefront Threat Management Gateway / ISA Server - W3C (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1034545 was updated to account for optional ports at the end of the source and destination IPs. Denied was added to the action map, which maps the action from the log to the Event Subtype field in the ESM.

January 29, 2016 New Rules Vendor: Cisco Data Source: Meraki Affected Versions: ESM 9.4.1 and above Parsing rules 1068487 through 1068491 were added to the Meraki rule set.

January 29, 2016 Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.0 and above Parsing rules 43-216070220, 43-216070230, 43-216070240, 43-216070260, 43-216070310, 43-216070320, 43-216070330, and 43-216070340 were updated to parse and capture the service name into ESM field Service_Name where they used to parse into Application. The rules also parse the following additional data from the logs: error code into ESM field Status, event count into ESM field Count, device action into ESM field Device_Action, and time for corrective actions into ESM field Response_Time.

Vendor: F5 Networks Data Source: BIG-IP Application Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1056805, 1056806, 1036218, 1036219 and 1036220 were updated to parse the PID from the logs.

Vendor: F5 Networks Data Source: BIG-IP Local Traffic Manager - LTM (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1067701, 1012944, 1012946, 1012945, 1067702, and 1012948 were updated to parse the PID from the logs into the ESM field PID. Rule 1012948 was also updated to capture the instance GUID from the logs into the ESM field Instance_GUID for ESM versions 9.4.1 and above.

Vendor: Fortinet Data Source: FortiGate UTM - Space delimited (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1064618 was updated to parse changes made to the event in newer versions of FortiGate UTM.

New Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1068492 through 1068499 were added to the Cisco PIX/ASA/FWSM rule set.

Vendor: F5 Networks Data Source: BIG-IP Local Traffic Manager (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1068500 through 1068547 were added to the BIG-IP Local Traffic Manager (ASP) rule set.

Vendor: Fortinet Data Source: FortiGate UTM - Space delimited (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068548 and 1068549 were added to the FortiGate UTM rule set.

February 4, 2016 New Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.1 and above Parsing rules were added to the Windows Event Log - WMI rule set to support Terminal Services and Remote Desktop Services events.

Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.1.0 and above Parsing rules 43-323002020, 43-323003030, and 43-323003040 have updated normalization from Authentication -> User Account to Network Access -> Connection/Session. Parsing rules 43-323005300, 43-323005310, 43-323005320, and 43-323005330 have updated normalization from Authentication -> Login to Application -> Configuration Status.

February 8, 2016 New Rules Vendor: Cisco Data Source: PIX/ASA/FWSM - ASP Affected Versions: ESM 9.4.1 and above Parsing rules 1068550 through 1068555 were added to the PIX/ASA/FWSM - ASP rule set.

Modified Rules Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.1.0 and above Multiple rules were updated to modify the parsing of the date and time from Cisco events.

February 10, 2016 Modified Rules Vendor: Checkpoint Data Source: Checkpoint - ASP Affected Versions: ESM 9.3.0 and above Parsing rules were updated to prioritize an IPv4 address, when one exists in the log, for capture into the ESM field NAT_Details.NAT_Address.

Vendor: Enterasys Networks Data Source: Enterasys Network Access Control (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1016999 was modified to account for the new format of the State field in the logs.

New Rules Vendor: IBM Data Source: ISS SiteProtector - LEEF Affected Versions: ESM 9.5.0 and above Parsing rule 1068601 was added to the ISS SiteProtector - LEEF rule set.

February 11, 2016 Modified Rules Vendor: SourceFire Data Source: FireSIGHT Management Console - eStreamer Affected Versions: ESM 9.5.0 and above Parsing rules 1051818, 1056620, 1056621, 1056622, and 1056623 were updated to handle logs where no source IP is present.

Vendor: Microsoft Data Source: SharePoint (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1026507 through 1026648 were updated to enhance hostname parsing.

New Rules Vendor: Microsoft Data Source: SharePoint (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068603, 1068604, and 1068605 were added to the SharePoint (ASP) rule set.

February 16, 2016 Modified Rules Vendor: Microsoft Data Source: Internet Authentication Service - Formatted (ASP) Affected Versions: ESM 9.5.2 and above Parsing rule 1034046 was updated to map the NAS ID, NAS IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

Vendor: Microsoft Data Source: Internet Authentication Service - XML (ASP) Affected Versions: ESM 9.5.2 and above Parsing rule 1031688 was updated to map the NAS ID, NAS IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

New Rules Vendor: Microsoft Data Source: Internet Authentication Service - Database Compatible Format Affected Versions: ESM 9.5.2 and above Parsing rule 1068606 was added to the Internet Authentication Service - Database Compatible Format rule set.

February 17, 2016 New Rules Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above 1566 Data Source Rules were added to the Network Security Manager (ASP) rule set.

February 19, 2016 Modified Rules Vendor: Juniper Networks Data Source: Juniper Secure Access / MAG (ASP) Affected Versions: ESM 8.2.0 and above Parsing rule 1008031 was updated to account for a spelling error in the Secure Access log, and will match on either Occured or Occurred.
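Three of the fixes recorded above are the same kind of parser-robustness problem: optional ports trailing the source and destination IPs (TMG/ISA, January 25), preferring an IPv4 literal for NAT_Details.NAT_Address when the log carries more than one address (Check Point, February 10), and accepting both spellings of "Occurred" (Juniper Secure Access, February 19). The following added example is not McAfee ASP rule content and does not use any of those products' real log formats; it runs over a constructed key=value event shape (the field names src, dst, xlate, action and msg are assumptions) to show how a parser handles each of the three cases and maps the results onto ESM-style field names.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed key=value event shape for this example only. It is not the
# TMG/ISA W3C, Check Point or Juniper Secure Access log format; it just carries
# the fields whose handling the changelog entries describe.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Juniper Secure Access writes "Occured" in some messages; accept both spellings
# and emit the canonical one so downstream content keys off a single string.
_OCCURRED = re.compile(r"\bOccurr?ed\b")

# Constructed sample events (not real product logs).
SAMPLE_EVENTS = [
    # ports on both endpoints, IPv6 and IPv4 NAT candidates, misspelled message
    'ts=2016-02-19T10:00:00Z src=10.1.2.3:51544 dst=192.0.2.10:443 action=Denied '
    'xlate=fe80::1,203.0.113.5 msg="Timeout Occured on node1"',
    # no source port, bracketed IPv6 destination with port, IPv6-only NAT candidate
    'ts=2016-02-19T10:00:05Z src=10.1.2.4 dst=[2001:db8::10]:443 action=Allowed '
    'xlate=2001:db8::1 msg="Timeout Occurred on node2"',
]


def split_endpoint(token: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'ip', 'ip:port' or '[v6]:port' into (ip, port); port is None when absent.
    Returns (None, None) for anything that is not a valid address or port."""
    if token.startswith("["):                      # [v6] or [v6]:port
        addr, _, rest = token[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else None
    elif token.count(":") == 1:                    # v4:port
        addr, _, port = token.partition(":")
    else:                                          # bare v4 or bare v6
        addr, port = token, None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None, None
    if port is not None and not (port.isdigit() and 0 < int(port) <= 65535):
        return None, None
    return str(ip), (int(port) if port is not None else None)


def pick_nat_address(candidates: List[str]) -> Optional[str]:
    """Prefer an IPv4 literal when one is present; otherwise the first valid address."""
    parsed = []
    for tok in candidates:
        try:
            parsed.append(ipaddress.ip_address(tok.strip()))
        except ValueError:
            continue                               # ignore tokens that are not addresses
    for ip in parsed:
        if ip.version == 4:
            return str(ip)
    return str(parsed[0]) if parsed else None


def parse_event(line: str) -> Dict[str, object]:
    """Map one constructed event line onto ESM-style field names."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    src_ip, src_port = split_endpoint(fields.get("src", ""))
    dst_ip, dst_port = split_endpoint(fields.get("dst", ""))
    nat = pick_nat_address(fields["xlate"].split(",")) if "xlate" in fields else None
    msg = fields.get("msg", "")
    return {
        "Source IP": src_ip,
        "Source Port": src_port,
        "Destination IP": dst_ip,
        "Destination Port": dst_port,
        "NAT_Details.NAT_Address": nat,
        "Event Subtype": fields.get("action"),      # e.g. Denied, as added to the action map
        "Message_Text": _OCCURRED.sub("Occurred", msg),
        "Matched": bool(_OCCURRED.search(msg)),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_event(ev))
```

The port is parsed as a separate optional group rather than folded into the address, so an event without a port still yields a valid Source IP; the IPv4 preference is applied after every candidate has been validated with ipaddress, so a stray non-address token cannot become the NAT address; and the misspelling is normalised on output, which keeps any correlation or report content that matches on "Occurred" working for both spellings.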

February 23, 2016 New Rules Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Added new data source rules: 305-4219029, 305-4528462, 305-4528531, 305-4528532, 305-4528533, 305-4528534, 305-4528535, 305-4528536, 305-4528537, 305-4528538, 305-4528539, 305-4528541, 305-4528542, 305-4528543, 305-4528544, 305-4528545, 305-4528546, 305-4528547, 305-4526718, 305-4527546, 305-4528549, 305-4528548, 305-4576105, 305-4206723, 305-4206724, 305-4206725, 305-4206726, 305-4206727, 305-4206728, 305-4206717, 305-4223213, 305-4528384, 305-4528416, 305-4528431, 305-4528512, 305-4211033, 305-4215039, 305-4219028, 305-4440236, 305-4440237, 305-4527993, 305-4528099, 305-4528202, 305-4528334, 305-4528338, 305-4528339, 305-4528340, 305-4528341, 305-4528355, 305-4528399, 305-4528413, 305-4567061, 305-4576107, 305-4677737, 305-4739464, 305-4739604, 305-4739612, 305-4739613, 305-4739697, 305-4739701, 305-4739708, 305-4739709, 305-4739711, 305-4739739, 305-4739740, 305-4739763, 305-4739787, 305-4739788, 305-4739800, 305-4739805, 305-4739807, 305-4739808, 305-4739823, 305-4739830, 305-4528342, 305-4528343, 305-4528344, 305-4528368, 305-4528376, 305-4528377, 305-4528378, 305-4528379, 305-4528381, 305-4528382, 305-4528383, 305-4528393, 305-4528394, 305-4528395, 305-4528397, 305-4528398, 305-4528411, 305-4528412, 305-4528414, 305-4528417, 305-4528418, 305-4528420, 305-4528421, 305-4528430, 305-4528433, 305-4528434, 305-4528435, 305-4528459, 305-4528461, 305-4571255, 305-4571256, and 305-4735896 to the McAfee Network Security Manager (ASP) data source.

Modified Rules Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Updated the normalization for data source rules: 305-4528507, 305-4528508, 305-4528509, 305-4528510, 305-4528514, 305-4528515, 305-4528516, 305-4528517, 305-4528519, 305-4528520, 305-4528525, 305-4528526, 305-4528527, 305-4528528, 305-4528529, 305-4528530, 305-4528550, 305-4528551, 305-4528552, 305-4528553, 305-4528554, 305-4528555, 305-4528556, 305-4528557, 305-4528558, 305-4528559, 305-4528560, 305-4528561, 305-4528562, 305-4528563, 305-4528564, 305-4528565, 305-4528567, 305-4528568, 305-4528570, 305-4528571, 305-4528572, 305-4528573, 305-4528574, 305-4528575, 305-4528576, 305-4528578, and 305-4735171 for the McAfee Network Security Manager (ASP) data source.

February 24, 2016 New Rules Vendor: RioRey Data Source: DDOS Protection Affected Versions: ESM 9.4.0 and above Parsing rule 1068607 was added to the RioRey DDOS Protection rule set.

Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.2.0 and above Parsing rules 43-263046970, 43-263047680, 43-263047690, 43-263047700, 43-263047710, and 43-263047720 were updated to map Service Name and File Name from the logs to Service_Name and Filename in the ESM. In some cases Service Name from the logs was mapped to Application in the ESM.

February 25, 2016 Modified Rules Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1052665 was updated with a severity value of 10 and will parse Source IP, Source Port, Destination IP, Destination Port, and Protocol from the logs to Source IP, Source Port, Destination IP, Destination Port and Protocol in the ESM.

February 26, 2016 New Rules Vendor: Cisco Data Source: NX-OS (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068608 through 1068610 were added to the Cisco NX-OS (ASP) rule set.

Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1068611 was added to the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: Prevoty Data Source: Prevoty Affected Versions: ESM 9.5.1 and above Parsing rules 1068612 through 1068615 were added to the Prevoty rule set.

Modified Rules Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1021971 was updated to support the Console service in addition to Log and Maintenance on the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: McAfee Data Source: McAfee Host Data Loss Prevention (ePO) Affected Versions: ESM 9.2.0 and above Parsing rules 1050406, 1039681, and 1039682 were updated to include the product family name of Data Loss Prevention in the adsid map and regular expression matches.

February 29, 2016 Modified Rules Vendor: InterSect Alliance Data Source: Snare for Windows (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1011177 was updated to map the Subject Account Name, New Logon Account Name, New Logon Logon ID, Subject Logon ID, New Logon Security ID, New Logon Account Domain, Package Name, Failure Reason, and Failure Information Status from the log to the Destination Username, Source Username, Source_Logon_ID, Destination_Logon_ID, Security_ID, Domain, Version, Message_Text, and Status fields in the ESM. The changes were made to improve reporting for event IDs 4624, 4625, 4675, 4648, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 4672 and 4694.

March 2, 2016 Modified Rules Vendor: Websense Data Source: Websense - CEF, Key Value Pair (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1042178 and 1042179 were updated to include the following additional categories: '220 : Security:Compromised Websites', '221 : Extended Protection:Newly Registered Websites', '222 : Collaboration - Office', '223 : Collaboration - Office:Office - Mail', '224 : Collaboration - Office:Office - Drive', '225 : Collaboration - Office:Office - Documents', '226 : Collaboration - Office:Office - Apps', '227 : Information Technology:Web Analytics', '228 : Information Technology:Web and Email Marketing'. Rule 1055661 was updated to enhance auto-learning for the Websense - CEF, Key Value Pair (ASP) data source.

Vendor: Websense Data Source: Websense Enterprise - SQL Pull (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1042178, 1042179, and 1018095 were updated to include the following additional categories: '220 : Security:Compromised Websites', '221 : Extended Protection:Newly Registered Websites', '222 : Collaboration - Office', '223 : Collaboration - Office:Office - Mail', '224 : Collaboration - Office:Office - Drive', '225 : Collaboration - Office:Office - Documents', '226 : Collaboration - Office:Office - Apps', '227 : Information Technology:Web Analytics', '228 : Information Technology:Web and Email Marketing' for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: Websense Data Source: Websense Enterprise - SQL Pull (ASP) Affected Versions: ESM 9.2.0 and above Normalization was updated for Data Source Rules 1029, 1030, 1031, 1035, 1037, 1040, 1041, 1052, 1053, 1054, 1057, 1060, 1061, 1293, 1296, 1310, 1313, 1537, 1553, 2179658656, and 2546160569 for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: LOGbinder Data Source: LOGbinder (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1055294, 1055300, 1055306, 1055307, 1055308, 1055310, 1055311, 1055312, 1055314, 1055316, 1055318, 1055319, 1055320, 1055322, 1055327, 1055328, 1055331, 1055337, 1055338, 1055340, 1055341, 1055342, 1055343, 1055344, 1055347, 1055352, 1055353, 1055355, 1055356, 1055357, 1055361, 1055362, 1055363, 1055367, 1055368, 1055369, 1055370, 1055371, 1055372, 1055373, 1055374, 1055375, 1055376, 1055377, 1055378, 1055379, 1055380, 1055381, 1055382, 1055384, 1055387, 1055389, 1055392, 1055394, 1055395, 1055397, 1055399, 1055402, 1055403, 1055404, 1055409, 1055410, 1055411, 1055415, 1055416, 1055417, 1055418, 1055419, 1055420, 1055421, 1055422, 1055423, 1055434, 1055435, 1055436, 1055438, 1055439, 1055441, 1055442, 1055443, 1055445, 1055446, 1055447, 1055448, 1055450, 1055451, 1055452, 1055453, 1055454, 1055455, 1055456, 1055457, 1055458, 1055459, 1055460, 1055461, 1055462, 1055463, 1055464, 1055465, 1055466, 1055467, 1055468, 1055469, 1055470, 1055471, 1055472, 1055473, 1055474, 1055475, 1055476, 1055477, 1055478, 1055479, 1055480, 1055481, 1055482, 1055483, 1055484, 1055485, 1055486, 1055487, 1055488, 1055489, 1055490, 1055491, 1055492, 1055493, 1055494, 1055495, 1055496, 1055497, 1055498, 1055499, 1055500, 1055501, 1055502, 1055503, 1055504, 1055505, 1055506, 1055507, 1055508, 1055509, 1055510, 1055511, 1055512, 1055513, 1055514, 1055515, 1055516, 1055517, 1055518, 1055519, 1055520, 1055521, 1055522, 1055523, 1055524, 1055525, 1055526, 1055527, 1055528, 1055529, 1055530, 1055531, 1055532, 1055533, 1055534, 1055535, 1055536, 1055537, 1055538, 1055539, 1055540, 1055541, 1055556, 1055557, 1055558, 1055559, 1055560, 1055561, 1055562, 1055568, 1055569, and 1055570 were updated to map the Statement from the log to the SQL_Statement field in the ESM. 
Parsing rules 1055306 through 1055308, 1055369 through 1055378, 1055402 through 1055404, 1055409, and 1055415 through 1055421 were updated to map the Target Object Type from the log to the Object_Type field in the ESM. Parsing rules 1055353, 1055369, 1055370, 1055371, 1055373, 1055374, 1055375, 1055376, 1055377, 1055378, 1055382, 1055384, 1055387, 1055389, 1055392, 1055394, 1055397, 1055399, 1055402, 1055403, 1055404, 1055409, 1055410, 1055411, 1055415, 1055416, 1055417, 1055418, 1055419, 1055420, 1055421, 1055422, 1055423, 1055434 through 1055436, 1055441 through 1055443, 1055445 through 1055448, and 1055450 were updated to map the Target Object Name from the log to the Object field in the ESM.

March 3, 2016 Modified Rules Vendor: Fortinet Data Source: FortiManager (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1037921 through 1038258, and 1064559 through 1064562 were updated to improve username parsing.

Vendor: Kaspersky Data Source: Administration Kit - SQL Pull (ASP) Affected Versions: ESM 9.2.1 and above Parsing rule 1048681 was updated to capture the Threat Name from the logs into Threat Name in the ESM.

Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.2.0 and above Parsing rule 43-263047810 was updated to parse Old Account Name and New Account Name from the logs into Old Value and New Value in the ESM.

March 7, 2016 New Rules Vendor: LOGbinder Data Source: LOGbinder (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068616 through 1068618 were added to the LOGbinder (ASP) data source.

March 8, 2016 Modified Rules Vendor: Data Source: Palo Alto Firewalls (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1010436 and 1012909 were updated to map the Threat_ID and Threat_Severity from the logs to the Incident_ID and Object fields respectively in the ESM.

March 9, 2016 New Rules Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1068643 was added to the Cybectec RTU (ASP) data source.

Modified Rules Vendor: Citrix Data Source: NetScaler (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1009227, 1009228, 1009232, 1009233, 1009234, 1009235, 1009236, 1009237, 1009245, 1009246, 1009247, 1009262, 1009268, 1009273, 1009274, 1009275, 1009289, 1009290, 1009291, 1009292, 1009293, 1009294, 1009295, 1009296, 1009297, 1009299, 1009301, 1009305, 1009311, 1009312, 1009313, 1009314, 1018019, 1018020, 1021461, 1021516, 1025795, 1055649, 1055651, 1055652, 1055653, 1055654, 1055655, 1055656, 1055657, 1055658, 1056391, 1056392, 1056741, 1056742, 1056743, 1056744, 1056755, 1056756, and 1056758 were updated to enhance normalization for the NetScaler (ASP) data source.

Modified Rules Vendor: RioRey Data Source: DDOS Protection Affected Versions: ESM 9.4.0 and above Parsing rule 1068607 was updated to map the zone from the logs into Destination_Zone and Source_Zone in the ESM. The rule message was also updated to show the full context of the event.

March 11, 2016 New Rules Vendor: LOGbinder Data Source: LOGbinder (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1068644 through 1068670 were added to the LOGbinder (ASP) data source.

Modified Rules Vendor: LOGbinder Data Source: LOGbinder (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1054664 through 1054676 were updated to account for updated log formats; the updated rules also map Performed Logon Type, Item Subject, and Mailbox GUID from the logs into Logon_Type, Subject, and Instance_GUID in the ESM for the LOGbinder (ASP) data source.

Vendor: IBM Data Source: ISS SiteProtector - SQL Pull Affected Versions: ESM 9.4.0 and above Updated parsing rule 1067566 to map blocked from the logs to Action in the ESM for the ISS SiteProtector - SQL Pull data source.

March 14, 2016 Modified Rules Vendor: Cisco Data Source: IOS IPS (SDEE protocol) Affected Versions: ESM 9.5.1 and above Updated parsing rule 1067511 to capture sd:originator/cid:appName, cid:alertDetails, cid:riskRatingValue, sd:signature/@cid:type, sd:signature/@id, cid:os/@type, sd:signature/marsCategory, sd:attacker/sd:addr/@cid:locality, and sd:target/sd:addr/@cid:locality from the logs to application, Message_Text, Reputation, Threat_Category, Incident_ID, objectname, Threat_Name, Source_Zone, and Destination_Zone in the ESM for the IOS IPS (SDEE protocol) data source.

March 16, 2016 New Rules Vendor: Proofpoint Data Source: Messaging Security Gateway (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1068671 through 1068746 were added to the Messaging Security Gateway (ASP) data source.

Vendor: Cisco Data Source: Wireless Lan Controller (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1068747 through 1068768 were added to the Wireless Lan Controller (ASP) data source.

Modified Rules Vendor: Proofpoint Data Source: Messaging Security Gateway (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1012996, 1012997, 1013001, 1013002, 1013004, 1013005, 1013007, 1013008, 1013010, 1013012, 1013013, 1013015, 1013016 through 1013018, 1013020, 1013021, 1013022, 1017001, 1017003 through 1017008, 1013006, 1017009, 1013014, 1013009, 1012956, 1012957 through 1012994, 1013003, 1017010, 1012998, 1012999, 1013000, 1013011, and 1017002 to enhance application captures and improve reporting for the Messaging Security Gateway (ASP) data source.

Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1036635, 1022474, 1046862, 1064496, 1042160, 1022471, 1047402, 1022502, 1022487, 1042177, and 1022483 to enhance parsing and reporting for the Linux (ASP) data source.

March 17, 2016 Modified Rules Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1012094 and 1064621 were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

Vendor: Microsoft Data Source: Windows DNS (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1013184 through 1013355 and 1064201 through 1064204 were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

March 18, 2016 Modified Rules Vendor: SourceFire Data Source: FireSIGHT Management Console - eStreamer Affected Versions: ESM 9.5.0 and above Parsing rules 1056622 and 1056623 were updated to map the Device ID.Name from the log, when present, to the Sensor_Name field in the ESM.

Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1021982, 1021979, 1068611, and 1021969 were updated to enhance parsing for the Cybectec RTU (ASP) data source.

Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1009087 and 1050278 were updated to enhance parsing and action reporting for the IOS (ASP) data source. Rule 1050278 has been enhanced to parse the source IP and destination IP from the logs into Source IP and Destination IP, and its normalization has been updated from Suspicious Activity -> Protocol Anomaly -> TCP Protocol Anomaly to Suspicious Activity -> Invalid Command or Data.

New Rules Vendor: SourceFire Data Source: FireSIGHT Management Console - eStreamer Affected Versions: ESM 9.5.2 and above Parsing rules 1068777 through 1068781 were added to the FireSIGHT Management Console - eStreamer rule set.

Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068782 through 1068783 were added to the Cybectec RTU (ASP) data source.

Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068784 through 1068791 were added to the IOS (ASP) data source.

March 21, 2016 Modified Rules

Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1051797 was updated to enhance parsing. The rule will now capture URI referrer, CLI command, Login ID, IP, and Port from the logs into URL, Command, Source IP, and Source Port in the ESM for the Network Security Manager (ASP) data source.

New Rules Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Data Source rule 503-3938051225 was added to the Network Security Manager (ASP) data source.

March 24, 2016 Modified Rules Vendor: Unix Data Source: Linux (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1006195 through 1006199, 1006222 through 1006224, 1006236, 1006243, 1006244, 1011074, 1011075, 1011077, 1012093 through 1012097, 1012100 through 1012103, 1016062, 1027593 through 1027595, 1037313 through 1037315, 1037882, and 1064621 were updated to account for IPv6 addresses. Parsing rules 1006195 through 1006199, 1006224, and 1006243 were updated so that they no longer set the message from the log text. The updates were made to rules parsing BIND events.

Vendor: McAfee Data Source: ePolicy Orchestrator (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1039683 was updated to map siem_severity as the primary capture and ThreatSeverity as the secondary capture for the Severity field in the ESM.

Vendor: Enforcive Data Source: Cross-Platform Audit Affected Versions: ESM 9.4.1 and above Parsing rule 1068804 was added to the Cross-Platform Audit data source.

March 25, 2016 New Rules Vendor: Wurldtech Data Source: OpShield Affected Versions: ESM 9.4.1 and above Parsing rules 1068805 through 1068825 were added to the OpShield rule set.

Vendor: Reversing Labs Data Source: N1000 Affected Versions: ESM 9.5.0 and above Parsing rules 1068826 through 1068828 and 1068830 were added to the N1000 parsing ruleset.

Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.5.0 and above Parsing rule 1068829 was added to the Linux ruleset.

March 29, 2016 Modified Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rules 1015389, 610122704, 1014561 through 1014562, 1014604, 610121919, 1014179, 1014180, 1014826, 1014931, 1015269, 1014925, 1014631, 1014759, 1015380, 1014952, 1014484, and 1014086 through 1014090 to improve Normalization and enhance parsing for the PIX/ASA/FWSM (ASP) data source. Parsing Rules 1014086-1014090, 1014179, 1014180, 1014484, 1014604, 1014631, 1014759, 1014826, 1014925, 1014931, 1014952, 1015269, 1015380, and 1015389 were updated to map Destination IP, Source IP, Hostname, Shun List, Username, Interface, Destination Interface, and Device Type from the logs to Destination IP, Source IP, Hostname, Objectname, Source Username, Interface, Destination Interface, and External Device Type in the ESM.

Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Enhanced normalization for data source rules 305-4528638, 305-4739739, 305-4206719, 305-4206721, 305-4206722, 305-4206731, 305-4206733, 305-4206735, 305-4206736, 305-4206737, 305-4206738, 305-4206739, 305-4206740, 305-4206741, 305-4211034, 305-4211037, 305-4223214, 305-4223217, 305-4227177, 305-4235330, 305-4309015, 305-4333579, 305-4423709, 305-4440238, 305-4526200, 305-4527128, 305-4527140, 305-4527563, 305-4528001, 305-4528252, 305-4528335, 305-4528380, 305-4528396, 305-4528419, 305-4528423, 305-4528429, 305-4528432, 305-4528463, 305-4528464, 305-4528466, 305-4528467, 305-4528468, 305-4528470, 305-4528472, 305-4528475, 305-4528476, 305-4528498, 305-4528499, 305-4528501, 305-4528502, 305-4528503, 305-4528504, 305-4528505, 305-4528511, 305-4528524, 305-4528579, 305-4528580, 305-4528581, 305-4528582, 305-4528583, 305-4528584, 305-4528585, 305-4528586, 305-4528587, 305-4528590, 305-4528591, 305-4528592, 305-4528593, 305-4528594, 305-4528595, 305-4528596, 305-4528597, 305-4528598, 305-4528599, 305-4528600, 305-4528601, 305-4528602, 305-4528633, 305-4528634, 305-4528635, 305-4528636, 305-4528637, 305-4528639, 305-4528640, 305-4528641, 305-4528642, 305-4528643, 305-4528644, 305-4528645, 305-4528646, 305-4528647, 305-4528648, 305-4528649, 305-4528650, 305-4528651, 305-4528652, 305-4528653, 305-4554767, 305-4567071, 305-4571257, 305-4571258, 305-4571260, 305-4571261, 305-4571262, 305-4571263, 305-4571264, 305-4571265, 305-4571266, 305-4575466, 305-4576075, 305-4576109, 305-4576112, 305-4576113, 305-4576114, 305-4576116, 305-4576121, 305-4576122, 305-4677739, 305-4685828, 305-4735883, 305-4735884, 305-4735887, 305-4735888, 305-4735892, 305-4739703, 305-4739801, 305-4739802, 305-4739803, 305-4739804, 305-4747340, 305-4751632, 305-4206742, 305-4528603, 305-4528604, 305-4528605, 305-4528606, 305-4528607, 305-4528608, 305-4528609, 305-4528610, 305-4528612, 305-4528613, 305-4528614, 305-4528615, 305-4528616, 305-4528617, 305-4528618, 305-4528619, 305-4528620, 305-4528621, 305-4528622, 305-4528623, 305-4528624, 305-4528625, 305-4528626, 305-4528627, 305-4528628, 305-4528629, 305-4528630, 305-4528631, 305-4528632, and 305-4528638 for the Network Security Manager (ASP) data source.

Vendor: Citrix Data Source: NetScaler (ASP) Affected Versions: ESM 8.4.0 and above Parsing rules 1009230, 1025795, 1009231, 1009234, 1009299, 1021515, and 1055649 were updated to remove time captures. Event times are now derived from the syslog header.

March 30, 2016 Modified Rules Vendor: Aruba Data Source: Aruba OS Affected Versions: ESM 9.2.0 and above Updated rules 170-41260374, 170-32025424, 170-41260484, 170-53040394, 170-53040404, 170-53040414, 170-65011384, 170-65011394, 170-65030294, and 170-65030784 to enhance parsing for the Aruba OS data source.

March 31, 2016 New Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.1 and above Parsing rules 43-429010000, 43-429010010, and 43-429010060 were added to the Windows Event Log - WMI data source.

Modified Rules Vendor: McAfee Data Source: EWS v5 / Email Gateway Original Format - Legacy - (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1027962 to capture all attachments listed in the logs into File_Path in the ESM for the EWS v5 / Email Gateway Original Format - Legacy - (ASP) data source.

April 01, 2016 Modified Rules Vendor: Cisco Data Source: NX-OS (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1018245, 1018246, 1018248, 1018255 through 1018262, 1018267, 1018269, 1018273 through 1018275, 1018282, 1018284, 1018286, 1018287, 1018295, 1018297 through 1018300, 1018304, 1018305, 1018334, 1018357, 1018386, 1018392 through 1018400, 1018418, 1018423 through 1018425, 1018436, 1018444, 1018445, 1018459, 1018479 through 1018487, 1018489 through 1018588, 1018601, 1018602, 1018607 through 1018609, 1018611, 1018613, 1018614, 1018617 through 1018620, 1018667 through 1018674, 1018676 through 1018680, 1018683, 1018684, 1018686 through 1018692, 1018696, 1018697, 1018704 through 1018706, 1018709, 1018712 through 1018725, 1019037 through 1019040, 1026218, 1026222 through 1026300, 1067867, 1067868, and 1067880 were updated to enhance parsing. The rules in this data source had been parsing Interface and Port from the logs into Object in the ESM; they will now parse Interface and Port from the logs into Interface in the ESM for the NX-OS (ASP) data source.

April 04, 2016 New Rules Vendor: Raz-Lee Security Data Source: iSecurity Suite (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068831 through 1068856 were added to the iSecurity Suite (ASP) data source.

Modified Rules Vendor: Raz-Lee Security Data Source: iSecurity Suite (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1049233 through 1049251 were updated to enhance parsing. The rules were also updated to map Job, Job Type, Document, and MsgID from the logs into Mainframe_Job_Name, Job_Type, Filename, and Message_ID in the ESM for the iSecurity Suite (ASP) data source.

April 07, 2016 Modified Rules Vendor: Good Technology Data Source: Good Mobile Control (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1048295, 1048260, 1048242, and 1048243 were updated to enhance parsing for the Good Mobile Control (ASP) data source.

April 08, 2016 Modified Rules Vendor: Enforcive Data Source: Cross-Platform Audit Affected Versions: ESM 9.4.1 and above Updated parsing rule 1068804 to map Event Status, Application, Action, Destination Process, and Message from the logs into Event Subtype, Application, Command, Target_Process_Name, and Signature_Name in the ESM, for the Cross-Platform Audit data source.

Vendor: McAfee Data Source: Advanced Threat Defense Affected Versions: ESM 9.4.1 and above Parsing rule 1056389 was updated to enhance parsing for the Advanced Threat Defense data source.

Vendor: Vormetric Data Source: Data Security (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1055606 was updated to enhance parsing for the Data Security (ASP) data source.

April 21, 2016 Modified Rules Vendor: Palo Alto Networks Data Source: Palo Alto Firewalls (ASP) Affected Versions: ESM 9.1.0 and above Updated parsing rules 1046703 and 1046704 to account for parentheses in rule messages for the Palo Alto Firewalls (ASP) data source.

April 26, 2016 New Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.1 and above Parsing rules 43-359055000, 43-359055010, 43-359055020, 43-359055040, 43-359055050, 43-359055060, 43-359055070, 43-359055080, 43-359055090, 43-359055100, 43-359055110, 43-359070500, 43-359070510, 43-359070520, 43-359070530, 43-359070540, 43-359070550, 43-359070560, 43-359070620, and 43-359075000 were added to the Windows Event Log - WMI rule set.

May 3, 2016 Modified Rules Vendor: McAfee Data Source: ePolicy Orchestrator (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1039683 and 1050406 were updated to map ThreatSeverity as the primary capture and siem_severity as the secondary capture for the Severity field in the ESM. Also, the mapping for the Severity values has been enhanced.

May 5, 2016 Modified Rules Vendor: Fortinet Data Source: FortiGate UTM - Space Delimited - (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1025149, 1025629, 1025630, 1025631, 1025632, 1025633, 1025635, 1025641, 1025647, 1025648, 1025650, 1025651, 1025652, 1025653, 1064249, 1064250, 1064251, 1064252, 1064253, 1064254, 1064352, and 1064397 were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 5, 2016 Modified Rules Vendor: Fortinet Data Source: FortiGate UTM - Comma Delimited - (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1011282, 1011398, 1011399, 1011400, 1011448, 1011449, 1011450, and 1011451 were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 9, 2016 Modified Rules Vendor: Fortinet Data Source: FortiGate UTM - Space Delimited - (ASP) Affected Versions: ESM 9.2.0 and above Parsing rule 1025149 was updated to add timeout to the action map.

Vendor: Proofpoint Data Source: Messaging Security Gateway (ASP) Affected Versions: ESM 8.4.0 and above Updated parsing rules 1012985, 1068726, 616020656, 1013013, 1068682, 1068720, 611071521, 1022487, 1047028, 1022474, 1042160, 1022464, 611071502, 1022472, and 611071510 to reduce the possibility of overlapping rules for the Messaging Security Gateway (ASP) data source.

May 11, 2016 Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.0 and above Updated parsing rule 43-159332050 for the Windows Event Log - WMI data source to enhance Domain and Hostname Parsing.

May 16, 2016 Modified Rules Vendor: SourceFire Data Source: FireSIGHT Management Console - eStreamer Affected Versions: ESM 9.5.2 and above Parsing rules 1068778 and 1068780 were updated to account for minor changes in the log format. The Threat_Name field mapping was removed as it no longer matches the context of the event.

May 18, 2016 Modified Rules Vendor: Tufin Data Source: SecureTrack (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rules 1050338 through 1050382 for the SecureTrack (ASP) data source with new versions to enhance action mapping, support additional time formats, and improve normalization and severity.

May 23, 2016 New Rules

Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.2 and above Parsing rules 43-412040000 through 43-412040120, 43-412040140 through 43-412040160, 43-412040190 through 43-412040400, 43-412040420 through 43-412040990, 43-412041030 through 43-412041050, 43-412041170, 43-412041210 through 43-412042170, 43-412042500 through 43-412042740, 43-412044000 through 43-412045310, 43-412045700 through 43-412046110, 43-412047000 through 43-412047020, 43-412047660, 43-412048000 through 43-412048260, 43-412048500 through 43-412048590, 43-412049990, 43-412050050, 43-412050060, 43-412050080 through 43-412050110, 43-412050190 through 43-412050300, 43-412050320, 43-412050360 through 43-412050380, 43-412050410 through 43-412050460, 43-412050490 through 43-412050530, 43-412052030 through 43-412052060, 43-412052110, 43-412053580, 43-412055010 through 43-412055130, 43-412055190, 43-412055200 through 43-412055220, 43-412055240 through 43-412055290, 43-412056000 through 43-412056360, 43-412056380 through 43-412056600, 43-412057000, 43-412057010, 43-412057490 through 43-412057580, 43-412058050 through 43-412058300, 43-412058320 through 43-412058450, 43-412058470 through 43-412058590, 43-412058620 through 43-412058890, 43-412058900 through 43-412058980, 43-412059000 through 43-412059500, 43-412059600 through 43-412059720, 43-412060040, 43-412060050, 43-412060150, 43-412060250, 43-412060260, 43-412060350, 43-412060370, 43-412060470 through 43-412060530, 43-412060640, 43-412060880 through 43-412060920, 43-412061000, 43-412061030, 43-412061070, 43-412061090, 43-412061100, 43-412061120, 43-412061140, 43-412061150, 43-412061180 through 43-412061220, 43-412061250, 43-412061340 through 43-412061480, 43-412061500 through 43-412061540, 43-412061580 through 43-412061660, 43-412061720 through 43-412061750, 43-412061770, 43-412061790, 43-412061800, 43-412061820 through 43-412061840, 43-412061870, 43-412061880, 43-412061900 through 43-412061930, 43-412061960, 43-412062070, 43-412062080, 43-412062090, 43-412062120, 43-412062180, 43-412062240, 43-412062300 through 43-412062450, 43-412062510 through 43-412062610, 43-412062630, 43-412062660, 43-412062710, 43-412062720, 43-412062760, 43-412062770, 43-412066660, 43-412067080 through 43-412067100, 43-412067670, 43-412067740, 43-412067820, 43-412069010 through 43-412069150, 43-412069880, 43-412069890, 43-412069920 through 43-412070020, 43-412070050, 43-412070060, 43-412070080, 43-412070100 through 43-412070310, 43-412070410, 43-412070420, 43-412070440, 43-412070470, 43-412070480, 43-412070530 through 43-412070560, 43-412070590 through 43-412070690, 43-412070720 through 43-412070990, 43-412071040 through 43-412072120, 43-412072140 through 43-412072170, 43-412072190 through 43-412072380, 43-412072490, 43-412072500, 43-412072530 through 43-412072550, 43-412072570 through 43-412072640, 43-412072760, 43-412073050 through 43-412073080, 43-412073100, 43-412073150, 43-412073160, 43-412073200, 43-412073270, 43-412074320 through 43-412074350, 43-412074590 through 43-412074690, 43-412074720, 43-412074770, 43-412074840, 43-412074850, 43-412076010 through 43-412076090, 43-412076120, 43-412076220 through 43-412076270, 43-412077010 through 43-412077260, 43-412077510 through 43-412077620, 43-412077700 through 43-412077810, 43-412077830 through 43-412078100, 43-412078800 through 43-412078860, 43-412078900 through 43-412078950, 43-412079010, 43-412079030, 43-412079040, 43-412079050, 43-412079070 through 43-412079370, 43-412079430, 43-412079530 through 43-412079650, 43-412079680 through 43-412079700, 43-412079850 through 43-412079900, 43-412080010 through 43-412080120, 43-412080140 through 43-412082270, 43-412082290 through 43-412082440, 43-412082660, 43-412082760, 43-412082780, 43-412082800, 43-412082820, 43-412082840, 43-412082870 through 43-412082890, 43-412082910, 43-412082940 through 43-412083220, 43-412083230 through 43-412083250, 43-412083300 through 43-412083550, 43-412083670, 43-412083680, 43-412083700 through 43-412083830, 43-412083900 through 43-412083980, 43-412084010 through 43-412084780, 43-412084800 through 43-412085200, 43-412085490 through 43-412085700, 43-412086010 through 43-412086970, 43-412087010 through 43-412087980, 43-412088010 through 43-412088470, 43-412088500 through 43-412088570, 43-412088740 through 43-412088760, 43-412089010 through 43-412089060, 43-412089190, 43-412089340 through 43-412089370, 43-412090010 through 43-412090040, 43-412091810 through 43-412091900, 43-412091950 through 43-412091970, 43-412092010 through 43-412092480, 43-412092550, 43-412092590, 43-412092620, 43-412092700 through 43-412092730, 43-412093010, 43-412093020, 43-412094010 through 43-412094510, 43-412094530, 43-412094550 through 43-412094570, 43-412094650, 43-412094660, 43-412094690, 43-412094870 through 43-412094960, 43-412094980 through 43-412095580, 43-412095600 through 43-412095660, 43-412095720 through 43-412095990, 43-412096010 through 43-412096080, 43-412096100 through 43-412096990, 43-412097090, 43-412097100 through 43-412097710, 43-412099130 through 43-412099150, 43-412099200 through 43-412099550, 43-412099900 through 43-412099920, and 43-412099990 were added to the Windows Event Log - WMI rule set.

Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.2 and above Parsing rules 43-412050500, 43-412058550, and 43-412092020 were modified for the Windows Event Log - WMI rule set.

May 24, 2016 Modified Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1015120 for the PIX/ASA/FWSM (ASP) data source to enhance Source IP parsing.

May 25, 2016 New Rules Vendor: McAfee Data Source: Web Gateway (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068944 through 1068979 were added to parse Audit events from the Web Gateway (ASP) data source.

Modified Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1015106 for the PIX/ASA/FWSM (ASP) data source to enhance Source IP and Destination IP parsing.

May 26, 2016 Modified Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1014962 for the PIX/ASA/FWSM (ASP) data source to map Source IP from the log into Source IP in the ESM.

May 27, 2016 New Rules Vendor: Palo Alto Networks Data Source: Palo Alto Firewalls (ASP) Affected Versions: ESM 9.4.1 and above Added parsing rule 1068980 to the Palo Alto Firewalls (ASP) data source.

Modified Rules Vendor: Palo Alto Networks Data Source: Palo Alto Firewalls (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1010432 through 1010433, 1010436, 1010441, 1012903, 1012906, 1012909, 1012912, 1042252, and 1042253 for the Palo Alto Firewalls (ASP) data source to enhance parsing.

June 2, 2016 New Rules Vendor: Interset Data Source: Interset Affected Versions: ESM 9.5.1 and above Added support for the Interset data source.

Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.1 and above Parsing rules 43-263051500, 43-263051510, 43-263051520, 43-263051530, 43-263051560, and 43-263051570 were updated to map the direction from the log, to the Direction field in the ESM.

Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.5.0 and above 301 parsing rules were added to the Windows Event Log - WMI data source to parse events from HealthService and OpsMgr SDK Service.

June 06, 2016 New Rules Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1068985, 1068986, and 1068987 were added to the Linux (ASP) data source.

Modified Rules Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1024835, 1024836, 1037338, 1047096, 1006257, 1009704, 1012451, 1033961, 1033962 through 1033964, 1054512, 1050462, 1037336, 1037334, 1037379, 1037383, 1046255, 1047003, 1047078, 1047125, 1009719, 1054659, 1055789, and 1055920 for the Linux (ASP) data source to enhance parsing. Parsing rules 1047158, 1037340, and 1047365 have been deprecated.

June 08, 2016 New Rules Vendor: Globalscape Data Source: Globalscape EFT Affected Versions: ESM 9.4.1 and above Added support for the Globalscape EFT data source. Parsing rule 1068988 was added to the Globalscape EFT data source.

Vendor: SafeNet Data Source: Hardware Security Modules (ASP) Affected Versions: ESM 9.4.1 and above Parsing rule 1068989 was added to the Hardware Security Modules (ASP) data source.

Vendor: Blue Coat Data Source: Reporter Affected Versions: ESM 9.5.0 and above Added support for the Reporter data source. Parsing rule 1068990 was added to the Reporter data source.

Modified Rules

Vendor: SafeNet Data Source: Hardware Security Modules (ASP) Affected Versions: ESM 9.4.1 and above Updated parsing rules 1009151 through 1009153, 1009315, 1009316 through 1009323, 1009325, and 1009326 for the Hardware Security Modules (ASP) data source.

June 13, 2016 Modified Rules Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.1.0 and above Parsing rules 1029460, 1029315, and 1029316 were updated for the IOS (ASP) data source to enhance parsing.

Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1029315 and 1029315 have been updated to parse Command from the logs into Message_Text in the ESM; they had previously parsed Command into Object. The parsing rules have also been updated to capture Event-ID from the logs into External_EventID in the ESM.

Vendor: Riverbed Data Source: Steelhead Affected Versions: ESM 9.2.0 and above Parsing rules 1016489, 1016488, and 1016487 were updated to appropriately parse user names from the logs. Rules 1016489 and 1016488 were also updated to set the subtype to stop rather than modify and remove.

June 15, 2016 Modified Rules Vendor: CyberArk Data Source: Privileged Identity Management Suite - CEF (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1036485 was updated to map the time stamp from the log, to the firsttime and lasttime fields in the ESM.

June 17, 2016 Modified Rules Vendor: Cisco Data Source: IOS (ASP) Affected Versions: ESM 9.1.0 and above Parsing rule 1009360 was updated to map the user, source IP, and destination port from the log, to the User Name, Source IP, and Destination Port fields in the ESM.

June 20, 2016 New Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.1.0 and above Parsing rules 43-325000040, 43-325000050, and 43-325000080 were added to the Windows Event Log - WMI rule set.

Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.2.1 and above Parsing rule 43-325000010 was updated to parse User, ResultSize, and EmailAddresses from the logs into Source_UserID, Request_Type and Mail_ID in the ESM, for the Windows Event Log - WMI data source.

June 23, 2016 New Rules Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.5.0 and above Parsing rule 616140601 was added to the Cybectec RTU (ASP) data source.

Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.2.0 and above Updated parsing rules 43-211006241, 43-211006421, 43-211006420, 43-211006450, 43-211006460, 43-211006461, 43-263047200, 43-263047380, and 43-263047420 for the Windows Event Log - WMI data source to enhance parsing of User Account Control and Password Last Set so that they display in a human-readable format in the ESM. Updated normalization for rule 43-211006450.

June 28, 2016 Modified Rules

Vendor: SourceFire Data Source: FireSIGHT Management Console - eStreamer Affected Versions: ESM 9.5.0 and above Updated parsing rules 1056653 through 1056655, 1056622, 1056623, 1056660, 1056663, 1056667, 1056668, 1056670 through 1056673, and 1068777 through 1068780 to map the User Name from the eStreamer logs to the Username field in the ESM. This update is to accommodate changes made to these record types in eStreamer version 6.

June 30, 2016 New Rules Vendor: VMware Data Source: VMware (ASP) Affected Versions: ESM 9.5.0 and above Parsing rules 1068992 through 1069071 were added to the VMware (ASP) data source.

Modified Rules Vendor: VMware Data Source: VMware (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1051853, 1026195, 1026172, 1026175, 1026179, 1026164, 1017120, 1026212, 1026156, 1026152, 1017095, 1026147, and 1009704 for the VMware (ASP) data source to enhance parsing.

Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1054547 for the Linux (ASP) data source to capture File from the logs into Filename in the ESM. Parsing rule 1025057 was also updated to enhance parsing and will now map Result and Process from the logs into the Reason and Process_Name fields in the ESM.

July 07, 2016 Modified Rules Vendor: Fortinet Data Source: FortiMail Affected Versions: ESM 9.4.0 and above Updated parsing rules 1063873, 1063991, and 1063992 through 1063994 for the FortiMail data source to enhance parsing.

Vendor: Fortinet Data Source: FortiWeb Web Application Firewall (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1025489 for the FortiWeb Web Application Firewall (ASP) data source to enhance parsing.

Vendor: Global Technology Associates Data Source: GNAT Box (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1012655 for the GNAT Box (ASP) data source to enhance parsing.

Vendor: KEMP Technologies Data Source: LoadMaster (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1019843 for the LoadMaster (ASP) data source to enhance parsing.

Vendor: Nortel Networks Data Source: Contivity VPN (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1056264 for the Contivity VPN (ASP) data source to enhance parsing.

Vendor: VMware Data Source: VMware (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1026166 for the VMware (ASP) data source to enhance parsing.

Vendor: Cooper Power Systems Data Source: Yukon IED Manager Suite (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1022282 for the Yukon IED Manager Suite (ASP) data source to enhance parsing.

Vendor: FreeRADIUS Data Source: FreeRADIUS (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1010334 through 1010335 for the FreeRADIUS (ASP) data source to enhance parsing.

Vendor: Nortel Networks Data Source: VPN Gateway 3050 (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1011578 through 1011579 for the VPN Gateway 3050 (ASP) data source to enhance parsing.

Vendor: Blue Coat Data Source: Director (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1047667 for the Director (ASP) data source to enhance parsing.

July 08, 2016 New Rules Vendor: Juniper Networks Data Source: JUNOS Router (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1069074 through 1069085 were added to the JUNOS Router (ASP) data source.

Vendor: Juniper Networks Data Source: JUNOS - Structured-Data Format (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1069076 through 1069079 and 1069081 through 1069085 were added to the JUNOS - Structured-Data Format (ASP) data source.

Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1069086 and 1069087 were added to the PIX/ASA/FWSM (ASP) data source.

Modified Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Parsing rules 1014132, 1014133, 1014138, 1014172, 1014173, 1014219, 1014253, 1014254, 1014258, 1014304, 1014307, 1014308, 1014366, 1014380 through 1014386, 1014431 through 1014433, 1014435, 1014437, 1014498, 1014534, 1014599, 1014603, 1014604, 1014688, 1014703, 1014710, 1014711, 1014713, 1014827, 1014828, 1014891, 1014914, 1015100, 1015101, 1015102, 1015104, 1015105 through 1015111, 1015126, 1015161, 1015448, 1015450, 1015673, 1015678, 1046702, and 1047465 through 1047466 were updated to set the protocol field in the ESM for the PIX/ASA/FWSM (ASP) data source.

July 11, 2016 Modified Rules Vendor: Aruba Data Source: Aruba OS Affected Versions: ESM 9.2.0 and above Updated rules 170-41260054, 170-41260334, 170-41260354, 170-41260364, 170-41260384, 170-41260454, 170-41260474, 170-41260484, 170-41260524, 170-41260534, 170-41260544, 170-41260654, 170-41260664, 170-41260694, 170-41260714, 170-41260754, 170-41261094, and 170-41260874 to enhance parsing for the Aruba OS data source.

July 12, 2016 Modified Rules Vendor: Data Source: Web Application Firewall (ASP) Affected Versions: ESM 9.2.0 and above Parsing rules 1036900 and 1036901 were updated to parse the Application Layer Protocol from the logs into Application_Layer_Protocol in the ESM for the Web Application Firewall (ASP) data source. The normalization for rule 1036901 was changed from System Status to Network Access.

July 13, 2016 New Rules Vendor: McAfee Data Source: Host Data Loss Prevention (ePO) Affected Versions: ESM 9.4.1 and above Data source rules 359-19100 through 359-19137, 359-19170, 359-19171, 359-19175 through 359-19179, 359-19181 through 359-19189 have been added to the Host Data Loss Prevention (ePO) data source.

Modified Rules Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1025057 and 1006274 to enhance parsing and to capture Process name from the logs into Process_Name in the ESM, for the Linux (ASP) data source.

Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.2.0 and above Added content to parsing rules 1054574, 1054561, 1047127, 1006270, 1054576, 1054591, 1054581, 1006269, 1054564, 1006272, 1047125, 1054572, 1054559, 1006257, 1054566, 1054578, 1047129, 1054555, 1054570, 1054567, 1054586, 1054584, 1047128, 1006268, 1054562, 1054590, 1047022, 1054545, 1054589, 1054575, 1006273, 1054582, 1047126, 1054556, 1054568, 1054565, 1054579, 1054587, 1054554, 1054580, 1054571, 1054585, 1054583, 1068985, 1054552, and 1054573 for the Linux (ASP) data source. Normalization for parsing rules 1006269 and 1006268 was changed from Misc Application Event to Authentication. Normalization for parsing rule 1006272 was changed from Misc Application Event to Connection/Session. Normalization for rule 1054589 was changed from Application Status to Connection/Session. The regular expressions for parsing rules 1047127, 1054566, 1054562, 1054582, and 1054568 were updated to match the style used in other rules; the parsing logic is unchanged.

July 15, 2016 New Rules Vendor: Citrix Data Source: NetScaler (ASP) Affected Versions: ESM 9.4.1 and above Parsing rules 1069088 and 1069089 were added to the NetScaler (ASP) data source.

July 19, 2016 New Rules Vendor: PhishMe Data Source: PhishMe Intelligence Affected Versions: ESM 9.5.0 and above Parsing rule 1069090 was added to the PhishMe Intelligence data source.

July 22, 2016 New Rules Vendor: Cooper Power Systems Data Source: Cybectec RTU (ASP) Affected Versions: ESM 9.5.0 and above Parsing rule 1069091 was added to the Cybectec RTU (ASP) data source.

July 25, 2016 Modified Rules Vendor: McAfee Data Source: Network DLP Monitor (ASP) Affected Versions: ESM 9.4.0 and above The regular expressions for parsing rule 1035971 were updated to improve matching and parsing where the value of a CEF extension key itself contained equals signs.

August 02, 2016 New Rules Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.1 and above Parsing rule 1069092 was added to the PIX/ASA/FWSM (ASP) rule set to cover CX module events.

Vendor: Microsoft Data Source: Windows Eventlog - WMI Affected Versions: ESM 9.4.1 and above Parsing rules 43-432004110 and 43-432005160 were added to the Windows Eventlog - WMI rule set to cover AD FS Auditing events.

August 04, 2016 Modified Rules Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.4.0 and above Updated message parsing for rules 1047301 and 1047312 in the Linux (ASP) data source.

New Rules Vendor: McAfee Data Source: Network Security Manager (ASP) Affected Versions: ESM 9.2.0 and above Data Source rules 305-4529091, 305-4529092, 305-4529073, 305-4529090, 305-4529088, 305-4529078, 305-4529122, 305-4529075, 305-4529081, 305-4529089, 305-4529121, 305-4529077, 305-4529101, 305-4529102, 305-4529082, 305-4529103, 305-4529083, 305-4529084, 305-4529105, 305-4529104, 305-4529093, 305-4529094, 305-4529095, 305-4529096, 305-4529079, and 305-4529076 were added to the NSM rule set.

Vendor: Malwarebytes Data Source: Breach Remediation Affected Versions: ESM 9.5.0 and above Parsing rule 1069093 and data source rules 564-3017354735, 564-2790178439, 564-2790178440, 564-3995890617, 564-2150188648, 564-2409809493, 564-2151493679, 564-2122020773, 564-3384294373, and 564-3094096311 were added to the Breach Remediation data source.

August 11, 2016 New Rules Vendor: Malwarebytes Data Source: Management Console Affected Versions: ESM 9.5.0 and above Parsing rule 1069094 was added to the Management Console rule set.

August 15, 2016 New Rules Vendor: CyberArk Data Source: Privileged Threat Analytics Affected Versions: ESM 9.5.0 and above Parsing rule 1069095 and data source rules 566-21, 566-22, 566-23, 566-24, and 566-25 were added to the Privileged Threat Analytics rule set.

August 22, 2016 New Rules Vendor: Juniper Networks Data Source: NetScreen / IDP (ASP) Affected Versions: ESM 9.4.1 and above Parsing rule 1069096 was added to the NetScreen / IDP (ASP) data source.

Modified Rules Vendor: Forcepoint/Websense Data Source: Cloud Web Security Affected Versions: ESM 9.4.0 and above Updated parsing rule 1056610 for the Cloud Web Security data source to accommodate the Websense to Forcepoint vendor name change.

Vendor: Forcepoint/Websense Data Source: Websense - CEF, Key Value Pair Affected Versions: ESM 9.4.0 and above Updated parsing rules 1055660 and 1055661 for the Websense - CEF, Key Value Pair data source to accommodate the Websense to Forcepoint vendor name change.

Vendor: Forcepoint/Websense Data Source: Websense Enterprise Affected Versions: ESM 9.4.0 and above Updated parsing rules 1042178 and 1042179 for the Websense Enterprise data source to accommodate the Websense to Forcepoint vendor name change.

Vendor: Cisco Data Source: PIX/ASA/FWSM (ASP) Affected Versions: ESM 9.4.0 and above Updated normalization and enhanced parsing for rule 1014593 for the PIX/ASA/FWSM (ASP) data source.

August 24, 2016 New Rules Vendor: Microsoft Data Source: Windows EventLog - WMI Affected Versions: ESM 9.5.0 and above Data Source rules 43-433000010, 43-433000020, 43-433000030, 43-433000040, 43-433000050, 43-433000060, 43-433000070, 43-433000080, 43-433001000, 43-433001010, 43-433001020, 43-433001030, 43-433001040, 43-433001050, 43-433001060, 43-433001950, 43-433002000, 43-433003000, 43-433004000, 43-433004010, 43-433004020, 43-433004030, 43-433005000, 43-433005010, 43-433005020, 43-433006000, 43-433006010, 43-433007000, and 43-433008000 were added to the Windows EventLog - WMI rule set to enhance PowerShell event parsing.

September 1, 2016 New Rules Vendor: Skyhigh Networks Data Source: Cloud Security Platform Affected Versions: ESM 9.5.1 and above Parsing rule 1069097 was added to the Cloud Security Platform data source.

Vendor: Niara Data Source: Niara Affected Versions: ESM 9.5.0 and above Parsing rule 1069098 was added to the Niara rule set.

Vendor: TrapX Data Source: DeceptionGrid Affected Versions: ESM 9.5.0 and above Parsing rules 1069099 through 1069101 were added to the DeceptionGrid rule set.

Modified Rules Vendor: McAfee Data Source: Next Generation Firewall - Stonesoft (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1036002 to match logs where the vendor is displayed as Forcepoint.

September 2, 2016 New Rules Vendor: Attivo Networks Data Source: BOTsink Affected Versions: ESM 9.5.0 and above Parsing rule 1069102 was added to the BOTsink rule set.

Vendor: PhishMe Data Source: PhishMe Triage Affected Versions: ESM 9.5.1 and above Parsing rule 1069103 was added to the PhishMe Triage data source.

Modified Rules Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.1.0 and above The regular expression for parsing rule 1025057 was updated to improve matching for logs that were previously unparsed. Duplicate rule 1054475 was deprecated.

Vendor: STEALTHbits Data Source: StealthINTERCEPT Affected Versions: ESM 9.4.0 and above Parsing rules 1056566 through 1056571 were updated to handle an additional time format in the log.

September 15, 2016 Modified Rules Vendor: Aruba Networks Data Source: ClearPass (ASP) Affected Versions: ESM 9.5.1 and above Parsing rules 1046107 and 1046108 were updated to prevent them from matching CEF formatted logs.

New Rules Vendor: Aruba Networks Data Source: ClearPass (ASP) Affected Versions: ESM 9.5.1 and above Parsing rules 1069104 through 1069107 were added to the ClearPass (ASP) rule set to parse specific CEF formatted logs.

Vendor: Aruba Networks Data Source: ClearPass (ASP) Affected Versions: ESM 9.5.1 and above Data source rules 465-3172836525, 465-2670855048, 465-3105812804, 465-3112560060, 465-2964857595, 465-2062101402, 465-2934321378, 465-2755150032, 465-3733475255, 465-2141708101, 465-3504859385, 465-2566107805, 465-3568337151, 465-3152996588, 465-2321965288, 465-2205290893, 465-2848710351, 465-2750466264, 465-2860277828, 465-2124826802, 465-3333703049, 465-2007291433, 465-2113144658, 465-2108181927, 465-2828310543, 465-3029497000, 465-3478111534, 465-2345778352, 465-3213445169, 465-2265868490, 465-2178993584, 465-2481318708, 465-2540546969, 465-3323529474, 465-2359259948, 465-2886342946, 465-2681363744, 465-3808383751, 465-3794678124, 465-3284048573, 465-2185649474, 465-2993316923, 465-3208138604, 465-2202995122, 465-2336894523, 465-2940786301, 465-2932630954, 465-2802186261, 465-2514278658, 465-3183157313, 465-3790252838, 465-3503934525, 465-3589338436, 465-2000038971, 465-2905675119, 465-2041046925, 465-3280552083, 465-2453212473, 465-3920211009, 465-3781375127, 465-3085941001, 465-2966634593, and 465-2613872364 were added to the ClearPass (ASP) rule set.

September 19, 2016 Modified Rules Vendor: VMware Data Source: AirWatch Affected Versions: ESM 9.4.0 and above Parsing rules 1068362 through 1068367 for the AirWatch data source were updated to map the Event Source from the log to the Object_Type field in the ESM.

Vendor: UNIX Data Source: Linux (ASP) Affected Versions: ESM 9.4.0 and above Updated the regular expression for parsing rule 1054512 to minimize the chance of it matching unintended logs. Updated rule 1006259 to set the action to failure instead of error. Updated rule 1006255 to capture the hostname from the rhost field in the log when its value is a hostname instead of an IP address, and mapped it to the Hostname field in the ESM.

September 23, 2016 Modified Rules Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.0 and above Updated rule 43-263047690 for the Windows Event Log - WMI data source to retain the Event Subtype sent by Windows.

September 26, 2016 Modified Rules Vendor: McAfee Data Source: ePolicy Orchestrator (SiteAdvisor) Affected Versions: ESM 9.4.1 and above Parsing rule 1047503 was updated. The regular expression matches for action and severity were updated, and the action and severity maps were extended with more values. Additional regular expressions were added to map the HostName, HostIP, Rating, and ContentFuncGroup fields from the log to the Hostname, Source IP, Status, and URL_Category fields in the ESM. The mapping of ReasonType to Category was updated to prepend the ListType when the Reason is list.

Vendor: Bit9 Data Source: Bit9 Security Platform / Parity Suite (ASP) Affected Versions: ESM 9.4.0 and above The regular expressions for parsing rules 1036235 through 1036241, 1036247, 1036250, 1036256, 1036290 through 1036292, 1036360, 1036446, 1036469, and 1036470 were updated to match various versions of the logs.

October 5, 2016 Modified Rules Vendor: McAfee Data Source: Network Security Manager - SQL Pull (ASP) Affected Versions: ESM 9.6.0 and above Parsing rules 1034529, 1067507, 1067508, 1067509, and 1067510 were updated to better handle event reporting for environments running multiple stand-alone installations of NSM. Events reported in ESM for standard NSM signatures have an ESM signature ID based on the NSM Attack ID; events for user-defined NSM signatures have an ESM signature ID calculated from the NSM signature name. ESM rule names were updated to include L7 for rules that parse Layer 7 information when it is present. Field mappings were added for the Attack ID Reference and Rule Set Type fields from the log to the Message_ID and Event_Class fields within ESM. Rules 1067507 and 1067510 were modified to map the NetBIOS Action and FTP Action fields from the log to the Request_Type field in ESM.

New Rules Vendor: McAfee Data Source: Network Security Manager - SQL Pull (ASP) Affected Versions: ESM 9.6.0 and above Parsing rule 1069108 was added to the Network Security Manager - SQL Pull (ASP) rule set.

October 12, 2016 New Rules Vendor: Fortscale Data Source: Fortscale UEBA Affected Versions: ESM 9.5.0 and above Parsing rule 1069109 was added to the Fortscale UEBA rule set.

Modified Rules Vendor: Data Source: Check Point (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rules 1047557 and 1047556 for the Check Point (ASP) data source.

October 13, 2016 New Rules Vendor: ThreatConnect Data Source: ThreatConnect Threat Intelligence Platform Affected Versions: ESM 9.5.0 and above Parsing rule 1069110 was added to the ThreatConnect Threat Intelligence Platform rule set.

Vendor: Microsoft Data Source: Windows Event Log - WMI Affected Versions: ESM 9.4.1 and above Parsing rules 43-432002990, 43-432003070, 43-432003240, 43-432004030, 43-432004040, 43-432004100, 43-432004120, 43-432004130, 43-432004310, 43-432005000, 43-432005010, 43-432005100, 43-432010220, 43-432010230, 43-432010240, 43-432011020, 43-432001110, 43-432001430, 43-432001560, 43-432001570, 43-432001980, 43-432002000, 43-432002070, 43-432002090, 43-432002220, 43-432002240, 43-432002300, 43-432002450, 43-432002520, 43-432003250, 43-432003420, 43-432003640, 43-432003860, 43-432003890, 43-432003910, 43-432003960, 43-432003990, 43-432004220, and 43-432010000 were added to the Windows Event Log - WMI rule set to parse AD FS and AD FS Auditing events.

October 25, 2016 Modified Rules Vendor: Cisco Data Source: IOS IPS (SDEE protocol) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1067511 for the IOS IPS (SDEE protocol) data source.

Vendor: Check Point Data Source: Check Point (ASP) Affected Versions: ESM 9.4.0 and above Added Bytes_Sent, Bytes_Received, and Total_Bytes to parsing rules 1047552 through 1047558 for the Check Point (ASP) data source.

October 28, 2016 Modified Rules Vendor: Blue Coat Data Source: Reporter Affected Versions: ESM 9.5.0 and above Parsing rule 1068990 was updated to match the new Cloud Access Log format changed in Reporter version 6.8.1.63.

November 2, 2016 Modified Rules Vendor: Juniper Networks Data Source: Juniper Secure Access/MAG (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1057102 for the Juniper Secure Access/MAG (ASP) data source.

Vendor: McAfee Data Source: Next Generation Firewall - Stonesoft (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rule 1036002 for the Next Generation Firewall - Stonesoft (ASP) data source.

November 7, 2016 Modified Rules Vendor: McAfee Data Source: ePolicy Orchestrator (ASP) Affected Versions: ESM 9.5.0 and above Parsing rules 1039681 and 1039682 were updated to map Endpoint Security events reported in ePO to the Endpoint Security data sources on SIEM.

November 9, 2016 Modified Rules Vendor: Websense Data Source: Websense - CEF, Key Value Pair (ASP) Affected Versions: ESM 9.4.0 and above Updated parsing rules 1042183 and 1042179 for the Websense - CEF, Key Value Pair (ASP) data source.

New Rules Vendor: Websense Data Source: Websense - CEF, Key Value Pair (ASP) Affected Versions: ESM 9.4.1 and above Parsing rule 1069111 was added to the Websense - CEF, Key Value Pair (ASP) data source.

November 10, 2016 New Rules Vendor: Oracle Data Source: Oracle Audit - SQL Pull (ASP) Affected Versions: ESM 9.4.2 and above Parsing rule 1069112 was added to the Oracle Audit - SQL Pull (ASP) rule set to parse events specifically collected from the Unified Audit Trail.

Modified Rules Vendor: Oracle Data Source: Oracle Audit (ASP) Affected Versions: ESM 9.2.1 and above Parsing rule 1047589 was updated to map additional messages for DECLARE, BEGIN, and CONNECT which were added in Oracle Unified Auditing.

Vendor: Oracle Data Source: Oracle Audit - XML File Pull (ASP) Affected Versions: ESM 9.2.1 and above Parsing rule 1054452 was updated to map additional messages for DECLARE, BEGIN, and CONNECT which were added in Oracle Unified Auditing.

November 11, 2016 Modified Rules Vendor: McAfee Data Source: ePolicy Orchestrator (ASP) Affected Versions: ESM 9.4.1 and above Parsing rule 1039683 was updated to map the LocalPort and RemotePort from the HIPS log, to the Source Port and Destination Port fields in the ESM.

December 2, 2016 Modified Rules Vendor: ThreatConnect Data Source: ThreatConnect Threat Intelligence Platform Affected Versions: ESM 9.5.0 and above Parsing rule 1069110 was updated to map the IP Indicator field from the log to the Destination IP field in the ESM, allowing the indicator to be optionally appended to an IP Watchlist.

December 5, 2016 Modified Rules Vendor: Infoblox Data Source: NIOS Affected Versions: ESM 9.5.0 and above Parsing rules 1016575, 1016598, 1016703, 1016706, 1016733, 1046074, 1046075, 1046076 and 1064622 were updated to account for optional items in the log header, and to parse IPv6 addresses from the logs.

Vendor: Symantec Data Source: Endpoint Protection (ASP) Affected Versions: ESM 9.4.1 and above Parsing rules 1049062 and 1064406 through 1064409 were updated to map the parameter field from the log to the Destination_Filename field in the ESM.

Vendor: Fortscale Data Source: Fortscale UEBA Affected Versions: ESM 9.5.0 and above Parsing rule 1069109 was updated to map the AlertID from the URL in the log, to the External_SessionID field in the ESM.

December 14, 2016 Modified Rules Vendor: F5 Networks Data Source: BIG-IP Application Security Manager - CEF (ASP) Affected Versions: ESM 9.4.0 and above Parsing rule 1037454 was updated to account for a potentially blank Device Version field in the CEF header.

Vendor: Data Source: Deep Discovery - CEF (ASP) Affected Versions: ESM 9.2.0 and above The message for data source rule 473-200120 was updated from Blacklist Change to Deny List Updated to reflect the current event description.
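Three of the CEF fixes above describe the same class of parser defect: the July 25 Network DLP Monitor update (values containing equals signs), the September 15 ClearPass updates (keeping a non-CEF rule from matching CEF logs, and vice versa) and the December 14 F5 ASM update (a blank Device Version field in the header). The following added example, which is not part of the original release notes or of the ESM parsing rules, shows how a CEF parser avoids all three problems: it splits the header on exactly seven unescaped pipes so an empty field survives, locates extension keys only where a key token is preceded by whitespace so an unescaped '=' inside a URL stays in the value, resolves the CEF escape sequences, and exposes an is_cef() check for rule gating. The sample lines are constructed for this example and do not come from any real device.

```python
import re

# Constructed sample lines (not from the release notes). Header and extension
# follow the ArcSight CEF format: CEF:Version|Vendor|Product|Version|SigID|Name|Severity|ext
SAMPLE_LOGS = [
    # `request` carries unescaped '=' in a URL query; `msg` uses the CEF escape '\='
    r"<134>Sep 15 10:00:00 proxy1 CEF:0|Forcepoint|Web Security|8.3|1|Transaction blocked|5|"
    r"src=10.1.2.3 dst=93.184.216.34 request=http://example.test/login?user=bob&next=/home "
    r"act=Blocked msg=Category\=Security Risk",
    # blank Device Version header field, plus an escaped pipe inside an extension value
    r"CEF:0|F5|ASM||200021069|Illegal parameter|5|dvchost=bigip1.example.test act=blocked "
    r"request=/app?id=7 cs1Label=policy cs1=prod\|web",
    # plain syslog line that a CEF rule must not match
    "2016-09-15T10:00:00 clearpass RADIUS: Login OK user=alice",
]

CEF_START = re.compile(r"CEF:(\d+)\|")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# A key is a run of [A-Za-z0-9_.] at the start of the extension or after whitespace,
# followed by '='. An '=' inside a value (URL query, "a=b") is preceded by a
# non-space character, so it is never taken as a key boundary.
EXT_KEY = re.compile(r"(?<!\S)([A-Za-z0-9_.]+)=")
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


def is_cef(line):
    """True when a CEF header is present, optionally after a syslog prefix."""
    return CEF_START.search(line) is not None


def _unescape(text):
    # Resolve CEF escapes: backslash-pipe, backslash-equals, doubled backslash,
    # and the \n / \r sequences.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Return {'header': {...}, 'extension': {...}} or None for a non-CEF line."""
    m = CEF_START.search(line)
    if m is None:
        return None
    body = line[m.start():]
    # exactly seven header pipes; the eighth part is the whole extension,
    # so an empty header field yields an empty string rather than a shifted header
    parts = UNESCAPED_PIPE.split(body, maxsplit=7)
    if len(parts) != 8:
        return None
    parts[0] = parts[0][len("CEF:"):]
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext_text = parts[7]
    keys = list(EXT_KEY.finditer(ext_text))
    extension = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        extension[k.group(1)] = _unescape(ext_text[k.end():end].strip())
    return {"header": header, "extension": extension}


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(parse_cef(raw) if is_cef(raw) else f"not CEF: {raw}")
```

A rule set that has both CEF and plain-text rules for the same product, as ClearPass does after September 15, would call is_cef() first and route the line to one family of rules or the other, which is the behaviour the two ClearPass entries describe.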

Vendor: Microsoft Data Source: Internet Information Services - FTP (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1029035 to account for IPv6 addresses.

Vendor: Microsoft Data Source: Internet Information Services (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rules 1046244 and 1046245 to account for IPv6 addresses.

Vendor: Microsoft Data Source: Internet Information Services - SMTP (ASP) Affected Versions: ESM 9.2.0 and above Updated parsing rule 1056295 to account for IPv6 addresses.
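The September 19 Linux (ASP) update (rhost may be a hostname or an IP address, and the action is failure rather than error) and the December 5 and December 14 IPv6 updates for Infoblox NIOS and IIS all come down to one decision a parser has to make: is this field an IPv4 address, an IPv6 address, or a name, and which ESM field does it therefore belong in? The following added example, not taken from the release notes or from the ESM rules, makes that decision with the standard library ipaddress module and applies it to constructed pam_unix authentication-failure lines. The field names (src_ip, hostname, action) and the sample lines are this example's own choices.

```python
import ipaddress
import re

# Constructed pam_unix lines (not from the release notes). rhost carries an IPv4
# address, an IPv6 address, a hostname and, in the last line, nothing at all.
SAMPLE_LOGS = [
    "Sep 19 10:00:01 srv1 sshd[2201]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.2.3  user=root",
    "Sep 19 10:00:02 srv1 sshd[2202]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::10  user=root",
    "Sep 19 10:00:03 srv1 sshd[2203]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=bastion.example.test  user=alice",
    "Sep 19 10:00:04 srv1 login[2204]: pam_unix(login:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=bob",
]

# \S* (not \S+) so an empty rhost= still matches and is reported as absent;
# \b keeps "user=" from matching inside "ruser="
RHOST = re.compile(r"\brhost=(\S*)")
USER = re.compile(r"\buser=(\S+)")


def classify_endpoint(value):
    """Return ('ipv4' | 'ipv6', normalized address), ('hostname', value) or None if empty."""
    if not value:
        return None
    text = value.strip("[]")          # accept the bracketed '[2001:db8::1]' form
    text = text.split("%", 1)[0]      # drop an IPv6 zone id such as '%eth0'
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return ("hostname", value)    # anything that is not an address is a name
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped       # '::ffff:10.0.0.1' is really an IPv4 peer
    return ("ipv4" if addr.version == 4 else "ipv6", str(addr))


def map_pam_failure(line):
    """Map an authentication-failure line to ESM-style fields."""
    fields = {"action": "failure"}    # failure, not error: the user was refused
    um = USER.search(line)
    if um:
        fields["user"] = um.group(1)
    rm = RHOST.search(line)
    kind = classify_endpoint(rm.group(1)) if rm else None
    if kind is None:
        return fields                 # no remote endpoint recorded
    label, value = kind
    if label == "hostname":
        fields["hostname"] = value    # a name goes to the Hostname field
    else:
        fields["src_ip"] = value      # v4 or v6, both go to the Source IP field
        fields["ip_version"] = label
    return fields


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(map_pam_failure(raw))
```

The same classify_endpoint() call serves an IIS W3C c-ip column or an Infoblox client address: the point of the December updates is that a regular expression written for dotted-quad addresses silently fails to match once the field holds a colon-separated IPv6 address, and letting an address library decide removes that class of gap.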

December 15, 2016 Modified Rules Vendor: McAfee Data Source: McAfee VirusScan Enterprise Affected Versions: ESM 9.5.0 and above Parsing rule 1051893 was updated to map just the file name, excluding the path, from the TargetFileName field in the log, to the Filename field in the ESM.

Vendor: McAfee Data Source: MOVE AntiVirus (ePO) Affected Versions: ESM 9.5.0 and above Parsing rules 1039681 and 1039682 were updated to map the new MOVE product family names, enabling the events to be listed under the MOVE data source instead of the parent ePO data source.

December 16, 2016 Modified Rules Vendor: Postfix Data Source: Postfix (ASP) Affected Versions: ESM 9.5.0 and above Parsing rules 1012357, 1012358, 1012359, 1012361, 1012362, 1012363, 1012365, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, 1012391, 1012394, 1012409, 1012414, 1012440, 1012441, 1012443, 1012444, 1012445, 1016125, 1016126, 1016127, 1016128, 1016129, 1017710, 1017728, 1033738, 1033759, 1033777, 1033778, 1033779, 1033780, 1033781, 1033782, and 1033783 were updated to map the Queue ID from the log to the Mail_ID field in the ESM. Rules 1012359 and 1012391 were updated to map the message-ID from the log to the Message_ID field instead of the Object field in ESM. Rules 1012357, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, 1012409, 1012443, 1012444, and 1012445 were updated to account for queue IDs containing underscores in the logs. Rules 1012357, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, and 1012409 were updated to map the SMTP response code from the log to the Response_Code field instead of the Command field in ESM. The content for parsing rule 1012359 was updated to account for different queue manager process names.
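The December 16 Postfix entry lists four distinct field-mapping corrections: Queue ID to Mail_ID, message-ID to Message_ID, the SMTP reply code to Response_Code rather than Command, and tolerance for both qmgr and oqmgr as the queue manager process. The following added example, which is not part of the release notes or of the ESM Postfix rules, parses constructed Postfix maillog lines with those mappings and then joins the per-daemon lines of one message on the Queue ID, which is the reason the Queue ID needs a stable field of its own. The queue IDs with an underscore and the multi-instance postfix-out/ prefix are assumptions chosen to exercise the cases the entry describes.

```python
import re

# Constructed Postfix lines (not from the release notes). The second message's
# queue ID contains an underscore and is handled by oqmgr in a postfix-out instance.
SAMPLE_LOGS = [
    "Dec 16 10:00:00 mx1 postfix/smtpd[1234]: 3tQx5Z1kJ2z7fq: client=mail.example.test[203.0.113.5]",
    "Dec 16 10:00:01 mx1 postfix/cleanup[1235]: 3tQx5Z1kJ2z7fq: message-id=<20161216100000.abc@example.test>",
    "Dec 16 10:00:02 mx1 postfix/qmgr[1200]: 3tQx5Z1kJ2z7fq: from=<alice@example.test>, size=2048, nrcpt=1 (queue active)",
    "Dec 16 10:00:03 mx1 postfix/smtp[1236]: 3tQx5Z1kJ2z7fq: to=<bob@example.net>, "
    "relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.5/0.1/0.3/0.3, dsn=2.0.0, "
    "status=sent (250 2.0.0 OK 1481882403 x7si123)",
    "Dec 16 10:00:04 mx1 postfix-out/oqmgr[1300]: 3tQx5Z1kJ2z7f_r: from=<alice@example.test>, size=512, nrcpt=1 (queue active)",
    "Dec 16 10:00:05 mx1 postfix-out/smtp[1237]: 3tQx5Z1kJ2z7f_r: to=<nobody@example.net>, "
    "relay=mx.example.net[198.51.100.7]:25, delay=0.8, delays=0.2/0.1/0.2/0.3, dsn=5.1.1, "
    "status=bounced (host mx.example.net[198.51.100.7] said: 550 5.1.1 User unknown (in reply to RCPT TO command))",
]

# process: postfix/<daemon> or a multi-instance postfix-<name>/<daemon>, so qmgr
# and oqmgr both match; queue id: letters, digits and underscores. Lines without
# a queue id (e.g. "connect from") do not match and are skipped.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix(?:-\w+)?/(?P<proc>\w+)\[\d+\]: (?P<qid>[A-Za-z0-9_]+): (?P<rest>.*)$"
)
MESSAGE_ID = re.compile(r"message-id=<([^>]*)>")
RCPT = re.compile(r"\bto=<([^>]*)>")
SENDER = re.compile(r"\bfrom=<([^>]*)>")
STATUS = re.compile(r"\bstatus=(\w+) \((?P<detail>.*)\)$")
# the SMTP reply code opens the parenthetical for local results ("250 2.0.0 OK")
# and follows "said: " for remote rejections; anchoring to those two positions
# keeps octets of an IP address inside the detail from being taken as a code
REPLY_CODE = re.compile(r"(?:^|said: )([2-5]\d\d)\b")


def parse_postfix(line):
    """Return ESM-style fields for one maillog line, or None if it has no queue id."""
    m = LINE.match(line)
    if not m:
        return None
    ev = {"process": m["proc"], "Mail_ID": m["qid"]}
    rest = m["rest"]
    mid = MESSAGE_ID.search(rest)
    if mid:
        ev["Message_ID"] = mid.group(1)           # Message_ID, not Object
    snd = SENDER.search(rest)
    if snd:
        ev["sender"] = snd.group(1)
    rcpt = RCPT.search(rest)
    if rcpt:
        ev["recipient"] = rcpt.group(1)
    st = STATUS.search(rest)
    if st:
        ev["status"] = st.group(1)
        code = REPLY_CODE.search(st["detail"])
        if code:
            ev["Response_Code"] = code.group(1)   # Response_Code, not Command
    return ev


def correlate(lines):
    """Join the smtpd/cleanup/qmgr/smtp lines of each message on its Mail_ID."""
    by_qid = {}
    for line in lines:
        ev = parse_postfix(line)
        if ev is None:
            continue
        qid = ev.pop("Mail_ID")
        merged = by_qid.setdefault(qid, {"Mail_ID": qid, "processes": []})
        merged["processes"].append(ev.pop("process"))
        merged.update(ev)
    return by_qid


if __name__ == "__main__":
    for qid, msg in correlate(SAMPLE_LOGS).items():
        print(qid, msg)
```

Once Mail_ID is populated consistently, the correlation above is what an ESM correlation rule does across events: the cleanup line is the only one that carries the message-ID, the smtp line is the only one that carries the delivery status and reply code, and the Queue ID is the only key they share.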

Content Packs

February 3, 2016 Updated Content Packs Content Pack Name: Windows Authentication Content Pack Content Pack Version: 1.2.0 Updates in this version: - Added view, "Windows Accounts Created", to monitor newly created accounts. - Updated filter on correlation rule "Windows Authentication - Admin Logon From Non-Company Geolocation on Vista-2008 or Later". Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor Microsoft Windows authentication events. - Identify actionable intelligence within a network on correlated Windows-specific events.

February 4, 2016 New Content Packs Content Pack Name: Windows Content Pack Content Pack Version: 1.0.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor Windows system errors and events.

Updated Content Packs Content Pack Name: Domain Policy Content Pack Content Pack Version: 1.3.0 Updates in this version: - Added view to monitor for group policy errors. Affected Version: ESM 9.5.0 and above Use this content pack to: - Track changes related to Microsoft Windows policy in your environment.

February 18, 2016 Updated Content Packs Content Pack Name: Recon Content Pack Content Pack Version: 1.3.0 Updates in this version: - Added rule to monitor stealth scan activity. Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor possible reconnaissance events, such as network sweeps and unusual use of specific protocols from external sources.

April 13, 2016 New Content Packs Content Pack Name: Vormetric Content Pack Content Pack Version: 1.0.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor Vormetric events and provide metrics to investigate key events from external sources.

April 18, 2016 Updated Content Packs Content Pack Name: Database Content Pack Content Pack Version: 1.2.0 Affected Version: ESM 9.5.0 and above Updates in this version: - Updated rules and reports. Use this content pack to: - Monitor database authentication events. - Monitor successful and potential database exploit activity. - Monitor SQL events by language type. - Monitor general database events.

May 20, 2016 Updated Content Packs Content Pack Name: Windows Content Pack Content Pack Version: 1.1.0 Affected Version: ESM 9.5.0 and above Updates in this version: - Added correlation rules, views, and alarms to monitor application crashes and external media usage. Use this content pack to: - Monitor Windows system errors. - Monitor service errors in Windows. - Monitor application crashes and hangs. - Monitor system blue screens caused by applications.

Content Pack Name: Exfiltration Content Pack Content Pack Version: 1.2.0 Affected Version: ESM 9.5.0 Updates in this version: - Updated all components interacting with the High Value Hosts watchlist. Use this content pack to: - Monitor methods of network uploads used for data exfiltration. - Detect tampering of confidential data. - Detect leakage of digital information via printing physical copies. - Analyze suspicious user behavior and their access to specific resources, gauging how often they access sensitive resources on the network.

Content Pack Name: Exfiltration Content Pack Content Pack Version: 2.1.0 Affected Version: ESM 9.5.1 and above Updates in this version: - Updated all components interacting with the High Value Hosts watchlist. Use this content pack to: - Monitor methods of network uploads used for data exfiltration. - Detect tampering of confidential data. - Detect leakage of digital information via printing physical copies. - Analyze suspicious user behavior and their access to specific resources, gauging how often they access sensitive resources on the network.

May 31, 2016 Updated Content Packs Content Pack Name: Windows Content Pack Content Pack Version: 1.2.0 Affected Version: ESM 9.5.0 and above Updates in this version: - Added correlation rules and views to monitor Windows AppLocker events. Use this content pack to: - Monitor Windows system errors. - Monitor service errors in Windows. - Monitor application crashes and hangs. - Monitor system blue screens caused by applications. - Monitor AppLocker events.

June 2, 2016 New Content Packs Content Pack Name: Interset Content Pack Content Pack Version: 1.0.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor Interset User Story events.

July 12, 2016 Updated Content Packs Content Pack Name: Malware Content Pack Content Pack Version: 2.0.0 Affected Version: ESM 9.5.1 and above Use this content pack to: - Track known infections and malware-related events, with their visual representation in the views. - Follow a logical workflow for reviewing malware events: who is triggering them, which threats are triggering them, which resources are being compromised, and which corporate locations are affected. - Gain insight into trending malware infections in specific zones or geolocations, allowing swift action on security assessments.

August 9, 2016 Updated Content Packs Content Pack Name: Authentication Content Pack Content Pack Version: 1.2.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor authentication events. - View failed and successful logons, as well as specific administrator logons. - Track system default privileged user names.

September 15, 2016 New Content Packs Content Pack Name: Aruba Content Pack Content Pack Version: 1.0.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor Aruba events.

September 27, 2016 Updated Content Packs Content Pack Name: Windows Content Pack Content Pack Version: 1.3.0 Updates in this version: - Added Windows PowerShell Activity view. Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor Windows system errors and events.

September 30, 2016 New Content Packs Content Pack Name: PhishMe Content Pack Content Pack Version: 1.0.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor PhishMe events.

November 2, 2016 New Content Packs Content Pack Name: ThreatConnect Content Pack Content Pack Version: 1.0.0 Affected Version: ESM 9.5.0 and above Use this content pack to: - Monitor ThreatConnect events.

IPS Rules

January 12, 2016 New Rules Microsoft Scripting Engine CVE-2016-0002 Memory Corruption Vulnerability Rule 1068368 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0003 Memory Corruption Vulnerability Rule 1068369 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.

Microsoft Office CVE-2016-0012 ASLR Bypass Vulnerability Rules 1068370 through 1068371 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A security feature bypass exists when Microsoft Office fails to use the Address Space Layout Randomization (ASLR) security feature, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. An attacker who successfully exploited it could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to more reliably run arbitrary code on a target system. In a web-browsing scenario, successful exploitation of the ASLR bypass requires a user to be logged on and running an affected version of Microsoft Office. The user would then need to browse to a malicious site. Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this ASLR bypass. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this. The update addresses the ASLR bypass by helping to ensure that affected versions of Microsoft Office properly implement the ASLR security feature.

MS Windows CVE-2016-0014 feclient.dll Insecure Library Loading Elevation of Privilege Rules 1068372 through 1068376 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An elevation of privilege vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could elevate their privileges on a targeted system. To exploit the vulnerability, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

Microsoft DirectShow CVE-2016-0015 Heap Corruption Remote Code Execution Vulnerability Rules 1068377 through 1068378 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when DirectShow improperly validates user input. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. For an attack to be successful, this vulnerability requires that a user open a specially crafted file. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted link to the user and by convincing the user to open it. The security update addresses the vulnerability by modifying how DirectShow validates user input. Microsoft received information about the vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Microsoft CVE-2016-0016 DLL Loading Remote Code Execution Vulnerability Rules 1068379 through 1068387 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

Microsoft CVE-2016-0018 DLL Loading Remote Code Execution Vulnerability Rules 1068388 through 1068394 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

Microsoft MAPI CVE-2016-0020 mapi32x.dll Insecure Library Loading Code Execution Rules 1068395 through 1068399 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An elevation of privilege vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could elevate their privileges on a targeted system. To exploit the vulnerability, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

Microsoft Edge Scripting Engine CVE-2016-0024 Memory Corruption Vulnerability Rule 1068400 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft .NET Framework CVE-2016-0033 Stack Overflow DoS Vulnerability Rules 1068401 through 1068404 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A denial of service vulnerability exists when .NET Framework improperly handles certain extensible stylesheet language transformations (XSLT). An attacker who successfully exploited this vulnerability could cause the server to consistently crash with uncatchable exception errors (stack overflow). To exploit the vulnerability, an attacker would insert specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms. The security update addresses the vulnerability by correcting how .NET Framework handles XSLT.

January 14, 2016 New Rules

Microsoft Office CTaskSymbol Use After Free Rule 1068407 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A use-after-free vulnerability has been reported in Microsoft Office. The vulnerability is due to improper handling of a CTaskSymbol object in memory when parsing a specially crafted Office document that loads certain ActiveX controls. Remote, unauthenticated attackers could exploit this vulnerability by enticing a target user to open a specially crafted Office file. Successful exploitation allows the attacker to execute arbitrary code in the context of the current user.

CoDeSys Gateway Server Opcode 0x3ef Heap Buffer Overflow Rule 1068408 was added to the CoDeSys category in the BASE rule set. The default usage was set to Alert,Block,Reset. A heap buffer overflow vulnerability exists in 3S Smart Software CoDeSys. The vulnerability is due to insufficient input validation when parsing requests with opcode 0x3ef. A remote unauthenticated attacker could exploit this vulnerability by sending a crafted request message to the vulnerable service. Successful exploitation could result in code execution in the security context of the process. Unsuccessful attack attempts could cause the affected service to terminate abnormally, causing a denial of service (DoS) condition.

Unitronics VisiLogic OPLC TeeCommander ChartLink ActiveX Control Memory Corruption Rules 1068409 through 1068410 were added to the Unitronics category in the BASE rule set. The default usage was set to Alert. A memory corruption vulnerability exists in Unitronics VisiLogic OPLC. The vulnerability is due to untrusted pointer dereference on the ChartLink parameter of the TeeChart.TeeCommander ActiveX control. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

Unitronics UniDownloader and VisiLogic OPLC IDE IPWorksSSL.HTTPS Memory Corruption Rules 1068411 through 1068412 were added to the Unitronics category in the BASE rule set. The default usage was set to Alert. A memory corruption vulnerability exists in Unitronics VisiLogic OPLC IDE and UniDownloader. The vulnerability is due to an untrusted pointer dereference on the SSLCertHandle parameter of the IPWorksSSL.HTTPS ActiveX control. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

OpenSSL RSA PSS Absent Mask Generation Parameter Denial of Service Rules 1068413 through 1068414 were added to the OpenSSL category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability exists in OpenSSL. The vulnerability is due to a NULL pointer dereference when an OpenSSL application receives and processes a crafted certificate containing an invalid RSA PSS parameter. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted client certificate to a vulnerable server application that requests it. Successful exploitation will cause the server application to crash, resulting in a denial-of-service condition.

Schneider Electric ProClima F1BookView CopyAll Memory Corruption Rules 1068415 through 1068416 were added to the Schneider category in the BASE rule set. The default usage was set to Alert,Block,Reset. A memory corruption vulnerability has been reported in Schneider Electric ProClima. The vulnerability is due to a flaw in the CopyAll() method of the F1BookView ActiveX control, in which a user-supplied integer is interpreted as a memory address. A remote, unauthenticated attacker could exploit this vulnerability by enticing a victim user to browse to a malicious Web page. Successful exploitation could lead to arbitrary code execution in the context of the user.

ManageEngine Desktop Central FileUploadServlet connectionId Arbitrary File Upload Rule 1068417 was added to the ManageEngine category in the BASE rule set. The default usage was set to Alert,Block,Reset. An arbitrary file upload vulnerability has been reported in ManageEngine Desktop Central. The vulnerability is due to a failure to sanitize the connectionId HTTP parameter within the FileUploadServlet servlet. A remote, unauthenticated attacker could exploit this vulnerability by crafting a malicious file and uploading it onto the target system. Successful exploitation would allow the attacker to execute code in the SYSTEM context.

Samba LDAP Server libldb Infinite Loop Denial of Service Rule 1068418 was added to the Samba category in the BASE rule set. The default usage was set to Alert. A denial-of-service vulnerability has been reported in the Samba LDAP server. The vulnerability is due to an error in processing certain LDAP requests by the libldb library used by the Samba daemon. A remote, authenticated attacker could exploit this vulnerability by sending malicious packets to cause the Samba daemon to become unresponsive. Successful exploitation could lead to a denial of service and exhaustion of CPU resources.

Unitronics VisiLogic OPLC TeeChart ActiveX RemoveSeries Out of Bounds Array Indexing Rules 1068419 through 1068420 were added to the Unitronics category in the BASE rule set. The default usage was set to Alert,Block,Reset. An out-of-bounds array indexing vulnerability exists in Unitronics VisiLogic OPLC. The vulnerability is due to the use of a user-supplied value to calculate an array index in the RemoveSeries method of the TeeChart.TChart ActiveX control. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

January 15, 2016 New Rules

MIT Kerberos 5 build_principal_va Denial of Service Rules 1068421 through 1068432 were added to the MIT category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability exists in MIT Kerberos 5. The vulnerability occurs in build_principal_va() when a realm name containing a NULL byte is received: a buffer of only up to the NULL byte is allocated, whereas the complete ASN.1 length of the realm name is used as the length of the buffer. This can lead to a memory access violation. A remote, authenticated attacker can exploit this vulnerability by sending a malicious TGS message to the target server. Successful exploitation will cause the vulnerable process to terminate.

Samsung SmartViewer STWAxConfig Memory Corruption Rules 1068433 through 1068435 were added to the Samsung category in the BASE rule set. The default usage was set to Alert. A memory corruption vulnerability exists in Samsung SmartViewer, specifically, the DVRSetupSave method in the STWAxConfig ActiveX control. The vulnerability is due to untrusted pointer dereference. A remote attacker may exploit this vulnerability by enticing a victim to visit a maliciously crafted page. Successful exploitation could lead to execution of arbitrary code under the security context of the process.

Apache ActiveMQ Shutdown Command Denial of Service Rule 1068436 was added to the Apache category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial of service vulnerability exists in Apache ActiveMQ. The vulnerability is due to missing authentication for the undocumented shutdown command. A remote, unauthenticated attacker may exploit this vulnerability by sending crafted packets to the server. Successful exploitation could lead to a denial of service condition.

IBM WebSphere Application Server Commons-Collections Library Remote Code Execution Rules 1068437 through 1068445 were added to the IBM category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability has been reported in IBM WebSphere Application Server. The vulnerability is due to deserialization of untrusted data while having the vulnerable version of the Apache Commons-Collections library in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

PowerDNS Authoritative Server DNS Packet Processing Denial of Service Rules 1068446 through 1068447 were added to the PowerDNS category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability exists in PowerDNS Authoritative Server. The vulnerability is due to an input validation error in PowerDNS while processing crafted DNS packets. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted DNS packet to the target application. A successful attack could lead to a system crash, resulting in a denial of service condition.

Kaspersky Internet Security HTTPS Inspection Insecure Certificate Validation Rules 1068448 through 1068450 were added to the Kaspersky category in the BASE rule set. The default usage was set to Alert,Block,Reset. A code execution vulnerability has been reported in Kaspersky Internet Security. This vulnerability is due to improper validation of a temporary certificate name. Specifically, Kaspersky does not sanitize the Common Name attribute of X.509 certificates before creating a temporary certificate. A remote, unauthenticated attacker can exploit this vulnerability by sending the user a crafted certificate, which is then scanned by the vulnerable anti-virus to validate the certificate. Successful exploitation leads to a directory traversal condition and can result in code execution.

Oracle WebLogic Server Commons-Collections Library Insecure Deserialization Rules 1068451 through 1068459 were added to the Oracle category in the BASE rule set. The default usage was set to Alert. An insecure deserialization vulnerability has been reported in Oracle WebLogic Server. This vulnerability is due to deserialization of untrusted data while having the vulnerable version of the Apache Commons-Collections library in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a request message that contains a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

Jenkins CI Server Commons-Collections Library Insecure Deserialization Rules 1068460 through 1068468 were added to the Jenkins category in the BASE rule set. The default usage was set to Alert. An insecure deserialization vulnerability has been reported in Jenkins CI Server. This vulnerability is due to deserialization of untrusted data while having the vulnerable version of Apache Commons-Collections library in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow Rules 1068469 through 1068472 were added to the Autodesk category in the BASE rule set. The default usage was set to Alert,Block,Reset. A heap buffer overflow vulnerability exists in Autodesk Design Review. The vulnerability is due to an error when processing the GlobalColorTable flag and DataSubBlock size fields inside a GIF file. In order to exploit the vulnerability, the remote attacker needs to entice the target user to open a malicious file using the vulnerable application. Successful exploitation would allow the attacker to execute arbitrary code.

Schneider Electric ProClima F1BookView AttachToSS Memory Corruption Rules 1068473 through 1068474 were added to the Schneider category in the BASE rule set. The default usage was set to Alert,Block,Reset. A memory corruption vulnerability has been reported in Schneider Electric ProClima. The vulnerability is due to a flaw in the AttachToSS() method of the F1BookView ActiveX control, in which a user-supplied integer is interpreted as a memory address. A remote, unauthenticated attacker could exploit this vulnerability by enticing a victim to browse to a malicious web page. Successful exploitation could lead to arbitrary code execution in the context of the user.

Apache Subversion svn Protocol Parser Integer Overflow Rules 1068475 through 1068478 were added to the Apache category in the BASE rule set. The default usage was set to Alert,Block,Reset. An integer overflow vulnerability exists in Apache Subversion. The vulnerability is due to a flaw in the svn:// protocol parser. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests that will be processed by the svnserve svn:// protocol handler. Successful exploitation could allow the attacker to cause a denial of service or execute arbitrary code in the context of the targeted process.

ISC BIND db.c Assertion Failure Denial of Service Rules 1068479 through 1068486 were added to the ISC category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability has been reported in BIND. The vulnerability is due to improper parsing of incoming responses, allowing malformed records to be accepted by BIND when they should not be accepted. A remote, unauthenticated attacker could exploit this vulnerability against DNS servers that perform recursive queries by crafting responses with an improper class attribute. Successful exploitation could lead to a denial of service.

February 9, 2016 New Rules

Microsoft Office CVE-2016-0022 Memory Corruption Vulnerability Rules 1068556 through 1068557 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Microsoft .NET CVE-2016-0033 Stack Overflow DoS Vulnerability Rules 1068558 through 1068559 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A security feature bypass vulnerability for Microsoft Edge exists as a result of how exceptions are handled when dispatching certain window messages, allowing an attacker to probe the layout of the address space and thereby bypassing Address Space Layout Randomization (ASLR). By itself, the ASLR bypass vulnerability does not allow arbitrary code execution. However, an attacker could use the ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code on a target system. Successful exploitation of the ASLR bypass vulnerability requires a user to be logged on and running an affected version of Microsoft Edge. The user would then need to browse to a malicious site.

Windows CVE-2016-0041 DLL Loading Remote Code Execution Vulnerability Rules 1068560 through 1068573 were added to the Windows category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

MS Windows CVE-2016-0042 DLL Loading Remote Code Execution Vulnerability Rules 1068574 through 1068589 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

Microsoft Office CVE-2016-0053 Memory Corruption Vulnerability Rules 1068590 through 1068591 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

IE CVE-2016-0060 Memory Corruption Vulnerability Rule 1068592 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0061 Memory Corruption Vulnerability Rules 1068593 through 1068594 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0063 Memory Corruption Vulnerability Rules 1068595 through 1068598 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0067 Memory Corruption Vulnerability Rule 1068599 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0068 Elevation of Privilege Rule 1068600 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Internet Explorer. The vulnerability alone does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Internet Explorer, but due to the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).

March 8, 2016 New Rules Microsoft Office CVE-2016-0021 Memory Corruption Vulnerability - Excel Rules 1068619 through 1068622 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that the Preview Pane is not an attack vector for this vulnerability. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Windows Media Player CVE-2016-0098 Parsing Remote Code Execution Vulnerability Rule 1068623 was added to the Windows category in the BASE rule set. The default usage was set to Alert,Block,Reset. A vulnerability exists in Microsoft Windows. The vulnerability could allow remote code execution if a user opens specially crafted media content that is hosted on a website. An attacker could host media content on a website or send an attachment in an email and then convince a user to open it. An attacker who successfully exploited this vulnerability could take control of an affected system remotely. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Browser CVE-2016-0102 Memory Corruption Vulnerability Rule 1068624 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0104 Memory Corruption Vulnerability Rule 1068625 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0105 Memory Corruption Vulnerability Rule 1068626 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0106 Memory Corruption Vulnerability Rule 1068627 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0107 Memory Corruption Vulnerability Rule 1068628 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0108 Memory Corruption Vulnerability Rule 1068629 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0109 Memory Corruption Vulnerability Rule 1068630 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0110 Memory Corruption Vulnerability Rule 1068631 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0111 Memory Corruption Vulnerability Rule 1068632 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0112 Memory Corruption Vulnerability Rule 1068633 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0113 Memory Corruption Vulnerability Rule 1068634 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0114 Memory Corruption Vulnerability Rule 1068635 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0123 Memory Corruption Vulnerability Rule 1068636 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0124 Memory Corruption Vulnerability Rule 1068637 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe Reader CVE-2016-1008 updaternotifications.dll Insecure Library Loading Code Execution - WebDAV Rules 1068638 through 1068642 were added to the Adobe category in the BASE rule set. The default usage was set to Alert,Block,Reset. This vulnerability is an instance of a code injection vulnerability: when an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories, one of which is the current document directory. In this case, the current SMB share directory may contain a malicious DLL whose name has special meaning for Acrobat.

March 17, 2016 New Rules SSLv2 Session Negotiation - Server Hello Rules 1068769 through 1068777 were added to the SSLv2 category in the BASE rule set. The default usage was set to Alert. DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication. DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Attackers can gain access to any communication between users and the server. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.
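The rules above alert on an SSLv2 SERVER-HELLO, because a server that still completes an SSLv2 negotiation is the exposure DROWN depends on. The following is an added example, not part of the rule update notes or of any vendor's rule content: a passive parser for the SSLv2 record header and SERVER-HELLO message that reports the SSLv2 version and the cipher kinds the server offered; the sample record it is run on is constructed inline, not captured traffic.

```python
"""Passive detection of an SSLv2 SERVER-HELLO in a server's first TCP payload.

Any SSLv2 SERVER-HELLO means the server still speaks SSLv2 (the DROWN
exposure); export-grade cipher kinds in the offer make the attack cheaper.
"""
from dataclasses import dataclass
from typing import List, Optional

# 3-byte CIPHER-KIND values from the SSL 2.0 specification.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_SERVER_HELLO = 0x04


@dataclass
class SSLv2ServerHello:
    session_id_hit: bool
    certificate_type: int
    version: int            # 0x0002 for SSLv2
    certificate: bytes
    cipher_kinds: List[str]
    connection_id: bytes

    @property
    def export_cipher_kinds(self) -> List[str]:
        return [c for c in self.cipher_kinds if "EXPORT" in c]


def parse_sslv2_server_hello(payload: bytes) -> Optional[SSLv2ServerHello]:
    """Return the parsed SERVER-HELLO, or None if the payload is not one.

    Record header: if the high bit of byte 0 is set the header is 2 bytes and
    the record length is the low 15 bits; otherwise the header is 3 bytes, the
    length is 14 bits and byte 2 counts padding bytes at the end of the data.
    """
    if len(payload) < 2:
        return None
    if payload[0] & 0x80:
        rec_len = ((payload[0] & 0x7F) << 8) | payload[1]
        body = payload[2:2 + rec_len]
    else:
        if len(payload) < 3:
            return None
        rec_len = ((payload[0] & 0x3F) << 8) | payload[1]
        body = payload[3:3 + rec_len - payload[2]]
    # Fixed part of SERVER-HELLO: type, session-id-hit, cert type,
    # version (2), cert length (2), cipher-specs length (2), conn-id length (2).
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    cert_len = (body[5] << 8) | body[6]
    ciphers_len = (body[7] << 8) | body[8]
    conn_id_len = (body[9] << 8) | body[10]
    if ciphers_len % 3 != 0 or len(body) < 11 + cert_len + ciphers_len + conn_id_len:
        return None  # malformed or truncated; do not report a hello we cannot fully parse
    pos = 11
    certificate = body[pos:pos + cert_len]
    pos += cert_len
    kinds = [SSLV2_CIPHER_KINDS.get(body[i:i + 3], "unknown:" + body[i:i + 3].hex())
             for i in range(pos, pos + ciphers_len, 3)]
    pos += ciphers_len
    return SSLv2ServerHello(
        session_id_hit=body[1] != 0,
        certificate_type=body[2],
        version=(body[3] << 8) | body[4],
        certificate=certificate,
        cipher_kinds=kinds,
        connection_id=body[pos:pos + conn_id_len],
    )


def assess(payload: bytes) -> str:
    """Defender-side verdict for one server response."""
    hello = parse_sslv2_server_hello(payload)
    if hello is None:
        return "not-sslv2"
    return "sslv2-export-ciphers" if hello.export_cipher_kinds else "sslv2"


def build_sample_server_hello(cipher_kinds: List[bytes], version: int = 0x0002) -> bytes:
    """Constructed sample record for exercising the parser (not captured traffic)."""
    cert = b"\x30\x82\x01\x00"          # constructed placeholder, not a real DER certificate
    ciphers = b"".join(cipher_kinds)
    conn_id = bytes(range(16))
    body = (bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + version.to_bytes(2, "big")
            + len(cert).to_bytes(2, "big") + len(ciphers).to_bytes(2, "big")
            + len(conn_id).to_bytes(2, "big") + cert + ciphers + conn_id)
    return (0x8000 | len(body)).to_bytes(2, "big") + body   # 2-byte header


if __name__ == "__main__":
    sample = build_sample_server_hello([b"\x01\x00\x80", b"\x02\x00\x80", b"\x07\x00\xc0"])
    print(assess(sample), parse_sslv2_server_hello(sample).cipher_kinds)
```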

March 23, 2016 New Rules MS Windows OLE CVE-2016-0092 Remote Code Execution CFB Rules 1068792 through 1068797 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A code execution vulnerability exists in Microsoft Windows OLE. The vulnerability is due to improper validation of user input. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted web page, an email message, or a document containing an OLE object. Successful exploitation could lead to arbitrary code execution in the security context of the target user.

MS Windows OLE CVE-2016-0091 Remote Code Execution CFB Rules 1068798 through 1068803 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A code execution vulnerability exists in Microsoft Windows OLE. The vulnerability is due to improper validation of user input. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted web page, an email message, or a document containing an OLE object. Successful exploitation could lead to arbitrary code execution in the security context of the target user.

April 13, 2016 New Rules Microsoft Office CVE-2016-0127 Memory Corruption Vulnerability Rule 1068857 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0127. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Microsoft MSXML 3.0 CVE-2016-0147 Remote Code Execution Vulnerability Rules 1068858 through 1068859 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when the Microsoft XML Core Services (MSXML) parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user's system. To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website. When the user's browser parses the XML content, an attacker could run malicious code remotely to take control of the user's system.

Microsoft .NET Framework CVE-2016-0148 Remote Code Execution Vulnerability ascii Rules 1068860 through 1068861 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when the .NET Framework fails to properly validate input before loading libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to have access to the local system and have the ability to execute a malicious application.

Microsoft Browser CVE-2016-0154 Memory Corruption Vulnerability Rules 1068862 through 1068863 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0155 Memory Corruption Vulnerability Rule 1068864 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0156 Memory Corruption Vulnerability Rule 1068865 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0157 Memory Corruption Vulnerability Rule 1068866 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0158 Elevation of Privilege Vulnerability Rule 1068867 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability; compromised websites and websites that accept or host user-provided content could likewise contain specially crafted content that exploits it. In all cases an attacker cannot force a user to view the attacker-controlled content and would have to convince the user to take action, for example by clicking a link that leads to the attacker's site. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge. The vulnerability by itself does not allow arbitrary code to be run, but it could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that takes advantage of the elevated privileges: code run through Microsoft Edge by way of that other vulnerability is normally restricted to a low integrity level (very limited permissions) because of the context in which Edge launches its processes, and an attacker could exploit this vulnerability to have that code run at a medium integrity level (the permissions of the current user) instead.

IE CVE-2016-0159 Memory Corruption Vulnerability Rule 1068868 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0160 DLL Loading Code Execution - WebDAV Rules 1068869 through 1068873 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. As the rule title indicates, these signatures address the variant in which the library Internet Explorer loads is retrieved from a WebDAV share rather than from the local file system.

Microsoft Edge CVE-2016-0161 Elevation of Privilege Vulnerability Rule 1068874 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. An elevation of privilege vulnerability exists when Microsoft Edge does not properly validate JavaScript under specific conditions, potentially allowing a script to be run with elevated privileges. In a web-based attack scenario, an attacker could host a website in an attempt to exploit this vulnerability; compromised websites and websites that accept or host user-provided content could likewise contain specially crafted content that exploits it. In all cases an attacker would have no way to force users to view the attacker-controlled content and would have to convince them to take action, for example by clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge. This vulnerability by itself does not allow arbitrary code to be run, but it could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that takes advantage of the elevated privileges: code run through Microsoft Edge by way of that other vulnerability might be restricted to a low integrity level (very limited permissions) because of the context in which Edge launches its processes, and an attacker could exploit this vulnerability to have that code run at a medium integrity level (the permissions of the current user) instead.

IE CVE-2016-0164 Memory Corruption Vulnerability Rule 1068875 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe Flash oleacc.dll Insecure Library Loading Code Execution - WebDAV Rules 1068876 through 1068935 were added to the Adobe category in the BASE rule set. The default usage was set to Alert,Block,Reset. Adobe Flash loads external code via Dynamic Link Libraries (DLLs). Malicious code can be planted in a DLL that carries the same name as one Flash normally loads, here oleacc.dll. Flash looks for the library through a set of predefined directories, one of which is its installation directory, and loads the first match it finds; if a directory on that search path is under an attacker's control, for example a WebDAV share reached over the network, the attacker's DLL is loaded in place of the legitimate one.
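The two WebDAV rules above (the Internet Explorer DLL loading rules and the Flash oleacc.dll rules) both match the same traffic pattern: a Windows host resolving a DLL name against a remote WebDAV directory during a library search. The following Python script is an added example, not McAfee rule content or Adobe code, that applies the same idea to HTTP access-log lines instead of packets: it flags requests for DLL files that either carry a name commonly hijacked through the search order or come from the Windows WebDAV redirector, and groups the flagged names per client, because a search-order walk shows up as several DLL names probed from one host in quick succession. The log lines, hosts, paths and the watchlist of DLL names are constructed for the example; the User-Agent prefix is the one the Windows WebDAV Mini-Redirector sends, and the log format is an assumption about what a proxy or web-server log looks like.

```python
"""Flag DLLs being resolved over WebDAV in access-log lines.

Added example; the watchlist, the log format and every sample line below are
constructed for illustration and are not taken from the release notes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# DLL base names that applications commonly resolve through the search order
# before the system directory is reached. oleacc.dll is the name used by the
# Flash rules; the remaining names are an illustrative assumption.
HIJACKABLE_DLLS = {
    "oleacc.dll", "dwmapi.dll", "version.dll", "cryptsp.dll",
    "propsys.dll", "profapi.dll", "ntmarta.dll",
}

# User-Agent prefix of the Windows WebDAV Mini-Redirector, the client that
# backs \\host\share paths with WebDAV. A DLL search that walks into a
# WebDAV-backed directory produces requests carrying this UA.
MINI_REDIR_UA = "Microsoft-WebDAV-MiniRedir"

# Combined access-log format: client, timestamp, request line, status, size,
# referer, user-agent (assumed format for the sample data).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    src: str
    method: str
    path: str
    dll: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Hit]:
    """Return a Hit when the request looks like a DLL resolved over WebDAV."""
    name = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if not name.endswith(".dll"):
        return None
    if name in HIJACKABLE_DLLS:
        reason = "request for a DLL name commonly hijacked via search order"
    elif MINI_REDIR_UA in rec["ua"]:
        reason = "DLL fetched by the Windows WebDAV redirector"
    else:
        return None  # an ordinary browser download of a DLL is not flagged
    return Hit(rec["src"], rec["method"], rec["path"], name, reason)


def detect(lines: Iterable[str]) -> List[Hit]:
    """Run classify() over every parseable line, in order."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            hit = classify(rec)
            if hit:
                hits.append(hit)
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, List[str]]:
    """Distinct flagged DLL names per client; several names from one client
    is the shape of a search-order walk rather than a single download."""
    by_src: Dict[str, set] = defaultdict(set)
    for h in hits:
        by_src[h.src].add(h.dll)
    return {src: sorted(names) for src, names in by_src.items()}


# Constructed sample: one Windows client (10.0.0.12) probing a WebDAV share for
# oleacc.dll and dwmapi.dll, plus three benign requests from other clients.
SAMPLE_LOG = """\
10.0.0.12 - - [13/Apr/2016:10:01:02 +0000] "OPTIONS /share/ HTTP/1.1" 200 0 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.0.12 - - [13/Apr/2016:10:01:02 +0000] "PROPFIND /share/oleacc.dll HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.0.12 - - [13/Apr/2016:10:01:03 +0000] "GET /share/oleacc.dll HTTP/1.1" 200 88064 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.0.12 - - [13/Apr/2016:10:01:03 +0000] "GET /share/dwmapi.dll HTTP/1.1" 404 0 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.0.40 - - [13/Apr/2016:10:05:00 +0000] "GET /downloads/setup.exe HTTP/1.1" 200 120000 "-" "Mozilla/5.0"
10.0.0.41 - - [13/Apr/2016:10:06:00 +0000] "GET /sdk/libfoo.dll HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.42 - - [13/Apr/2016:10:07:00 +0000] "PROPFIND /dav/helper.dll HTTP/1.1" 207 300 "-" "cadaver/0.23"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.src} {h.method} {h.path}: {h.reason}")
    print(summarize(found))
```

A 404 on a probed name (dwmapi.dll above) is kept on purpose: the miss is what tells you the client's loader walked the search path to this share, which is the condition the WebDAV rules are there to catch.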

May 20, 2016

New Rules

Microsoft Graphics Component CVE-2016-0168 Information Disclosure Vulnerability ANSI Rules 1068936 through 1068937 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An information disclosure vulnerability exists when the Windows GDI component improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

Microsoft Scripting Engine CVE-2016-0187 Memory Corruption Vulnerability Rule 1068938 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way the VBScript engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements, which could contain specially crafted content that exploits the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability Rule 1068939 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way the VBScript engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements, which could contain specially crafted content that exploits the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0191 Memory Corruption Vulnerability Rule 1068940 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way the Chakra JavaScript engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements, which could contain specially crafted content that exploits the vulnerability.

Microsoft Browser CVE-2016-0192 Memory Corruption Vulnerability Rules 1068941 through 1068942 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-generated content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Scripting Engine CVE-2016-0193 Memory Corruption Vulnerability Rule 1068943 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way the Chakra JavaScript engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements, which could contain specially crafted content that exploits the vulnerability.
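Every entry in these release notes has the same fixed shape: a title, a rule number or range, the category and rule set it was added to, the default usage, and then the description. That regularity makes the notes easy to turn into an inventory, for example to list which of the newly added rules only alert by default and therefore need a tuning decision before they will block anything, or to expand the ranges into the individual rule IDs to cross-check against a sensor's policy export. The following Python parser is an added example, not part of the McAfee document; the sample text is made up of four entries quoted from the April 13, 2016 section above, and the record field names and helper functions are my own.

```python
"""Parse IPS release-note entries of the form
'<title> Rule(s) N [through M] was/were added to the <category> category in
the <ruleset> rule set. The default usage was set to <usage>. <description>'
into records. Added example; field names are my own choice.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(
    r"^(?P<title>.+?)\s+Rules?\s+(?P<first>\d+)(?:\s+through\s+(?P<last>\d+))?"
    r"\s+(?:was|were) added to the (?P<category>\S+) category"
    r" in the (?P<ruleset>\S+) rule set\."
    r"\s+The default usage was set to (?P<usage>[A-Za-z,]+)\."
    r"\s*(?P<desc>.*)$",
    re.DOTALL,
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class RuleEntry:
    title: str
    first_rule: int
    last_rule: int
    category: str
    ruleset: str
    usage: List[str]          # e.g. ["Alert", "Block", "Reset"]
    description: str
    cves: List[str] = field(default_factory=list)

    @property
    def rule_count(self) -> int:
        return self.last_rule - self.first_rule + 1

    @property
    def rule_ids(self) -> range:
        """Expand 'N through M' into the individual rule IDs."""
        return range(self.first_rule, self.last_rule + 1)

    @property
    def blocks_by_default(self) -> bool:
        return "Block" in self.usage


def parse_entry(paragraph: str) -> Optional[RuleEntry]:
    """Parse one entry; None if the paragraph is not a rule-addition note."""
    text = " ".join(paragraph.split())   # collapse wrapped lines
    m = ENTRY_RE.match(text)
    if not m:
        return None
    first = int(m.group("first"))
    last = int(m.group("last") or first)  # single 'Rule N' has no range
    return RuleEntry(
        title=m.group("title"),
        first_rule=first,
        last_rule=last,
        category=m.group("category"),
        ruleset=m.group("ruleset"),
        usage=m.group("usage").split(","),
        description=m.group("desc"),
        cves=CVE_RE.findall(m.group("title")),
    )


def parse_notes(text: str) -> List[RuleEntry]:
    """Entries are separated by blank lines; skip anything that does not parse."""
    entries = []
    for para in re.split(r"\n\s*\n", text.strip()):
        entry = parse_entry(para)
        if entry:
            entries.append(entry)
    return entries


def alert_only(entries: List[RuleEntry]) -> List[RuleEntry]:
    """Rules shipped without Block in their default usage: review candidates."""
    return [e for e in entries if not e.blocks_by_default]


def total_rules(entries: List[RuleEntry]) -> int:
    return sum(e.rule_count for e in entries)


# Sample input: four entries quoted from the April 13, 2016 section above.
SAMPLE_NOTES = """\
Microsoft Office CVE-2016-0127 Memory Corruption Vulnerability Rule 1068857 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory.

Microsoft MSXML 3.0 CVE-2016-0147 Remote Code Execution Vulnerability Rules 1068858 through 1068859 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when the Microsoft XML Core Services (MSXML) parser processes user input.

IE CVE-2016-0160 DLL Loading Code Execution - WebDAV Rules 1068869 through 1068873 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset.

Adobe Flash oleacc.dll Insecure Library Loading Code Execution - WebDAV Rules 1068876 through 1068935 were added to the Adobe category in the BASE rule set. The default usage was set to Alert,Block,Reset. Adobe Flash loads external code via Dynamic Link Libraries (DLLs).
"""

if __name__ == "__main__":
    parsed = parse_notes(SAMPLE_NOTES)
    for e in parsed:
        print(f"{e.first_rule}-{e.last_rule} ({e.rule_count:>2}) "
              f"{e.category:<18} {','.join(e.usage):<18} {e.title}")
    print("total rules added:", total_rules(parsed))
    print("alert-only:", [e.title for e in alert_only(parsed)])
```

The description is kept as free text rather than parsed further, since it is Microsoft's bulletin prose and varies from entry to entry; the fields that are worth acting on (rule IDs, category, default usage, CVE) are the ones the regex pins down.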

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.

2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com