← Back to Cybersecurity News Center
Severity
HIGH
CVSS
7.5
Priority
0.856
×
Tip
Pick your view
Analyst for full detail, Executive for the short version.
Analyst
Executive
Executive Summary
AI tooling is compressing the vulnerability exploitation lifecycle while CVE issuance approaches 50,000-70,000 annually, a volume that overwhelms patch management programs built for a lower-throughput world. According to CrowdStrike's 2026 Global Threat Report, attack volume from adversaries with demonstrated AI capabilities has increased significantly, including nation-state and financially motivated actors. This is a structural shift, not a spike: organizations still running CVSS-only prioritization models are operating with a triage framework that was not designed for this environment.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
FANCY BEAR, FAMOUS CHOLLIMA (Nation-state)
TTP Sophistication
HIGH
10 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Enterprise security programs broadly; CrowdStrike Falcon Platform and Charlotte AI referenced as defensive tools; threat actors FANCY BEAR, FAMOUS CHOLLIMA, PUNK SPIDER cited as AI-enabled adversaries
Are You Exposed?
⚠
Your industry is targeted by FANCY BEAR, FAMOUS CHOLLIMA → Heightened risk
⚠
You use products/services from Enterprise security programs broadly; CrowdStrike Falcon Platform and Charlotte AI referenced as defensive tools; threat actors FANCY BEAR → Assess exposure
⚠
10 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
The structural increase in CVE volume and AI-accelerated exploitation timelines creates a direct resourcing and liability problem for security programs: the gap between vulnerability disclosure and exploitation is narrowing at the same moment that the number of disclosures is increasing, compressing the operational window for response. Organizations in sectors targeted by FANCY BEAR (defense, government, energy), FAMOUS CHOLLIMA (financial services, cryptocurrency, defense contractors), or PUNK SPIDER (broad ransomware targeting) face elevated exposure if patch management programs are not modernized. The downstream consequences of exploitation in this environment include operational disruption, regulatory notification obligations, and reputational harm — risks that are compounding as AI lowers the barrier for adversaries while raising it for defenders.
You Are Affected If
Your vulnerability management program relies on CVSS base scores as the primary or sole prioritization signal
Your patch SLA framework was designed for pre-2024 CVE volume and has not been revised
Your organization operates in sectors historically targeted by FANCY BEAR, FAMOUS CHOLLIMA, or PUNK SPIDER — defense, government, financial services, energy, or cryptocurrency
Your internet-facing or privileged systems carry unpatched findings in CWE-20, CWE-119, CWE-269, or CWE-287 vulnerability classes
Your security operations team does not currently integrate EPSS scoring or CISA KEV cross-referencing into triage workflows
Board Talking Points
The number of newly disclosed software vulnerabilities is on track to exceed 50,000 in 2026, and adversaries using AI are exploiting them faster than most patch programs are designed to respond.
The security team should be resourced to evaluate and adopt exploitation-probability-based prioritization tooling by Q3 2026 to replace CVSS-only triage, which was not built for this volume.
Organizations that do not modernize their vulnerability management approach in 2026 will face an increasing probability of exploitation from threat actors who are already operating at AI-accelerated speed.
Technical Analysis
The convergence of two trends is reshaping vulnerability economics.
First, CVE issuance is accelerating.
The 2025 total reached 48,171, already a record, and 2026 projections from CISA and industry analysts place the figure between 50,000 and 70,000.
The volume increase is partly attributable to AI-assisted discovery tooling that lowers the cost of finding and documenting flaws across large codebases. Second, adversaries are absorbing the same technology. Industry threat reporting attributes significant increases in attack volume to threat actors with documented AI capabilities across multiple threat profiles.
The vulnerability classes most frequently surfaced in AI-assisted discovery campaigns map to four CWEs: CWE-20 (improper input validation), CWE-119 (improper restriction of operations within memory bounds), CWE-269 (improper privilege management), and CWE-287 (improper authentication). These are not novel classes; they are the structural weaknesses AI tooling finds efficiently at scale. The MITRE ATT&CK techniques associated with adversary exploitation in this environment span the full kill chain: initial access via phishing (T1566 ) and exploitation of public-facing applications (T1190 ), lateral movement via remote services (T1021 ) and valid accounts (T1078 ), privilege escalation via exploitation (T1068 ) and process injection (T1055 ), and persistence via command execution (T1059 ). Vulnerability acquisition (T1588.006 ) and brute force (T1110 ) round out the pre-compromise and access-maintenance patterns.
The core defensive gap is prioritization methodology. CVSS base scores were designed to communicate severity characteristics of individual vulnerabilities in isolation. They were not designed to rank remediation order across 50,000+ annual disclosures in a threat environment where exploitation timelines are compressing. Organizations without EPSS scoring, threat intelligence enrichment, or asset-context-aware prioritization are effectively working from a sorted list of severity ratings with no exploitation probability signal attached. Security vendors including CrowdStrike reference AI-powered analysis capabilities as defensive tools in this context, though specific technical capabilities should be evaluated through vendor documentation.
Action Checklist IR ENRICHED
Triage Priority:
URGENT
Escalate to CISO and convene an emergency program review if any of the following occur: a KEV entry is found open in your environment past its CISA required remediation date on an internet-facing or privileged system; your MTTR for critical findings exceeds the median AI-era exploitation window documented in CrowdStrike's 2026 Global Threat Report; or threat intelligence confirms FANCY BEAR, FAMOUS CHOLLIMA, or PUNK SPIDER has conducted active campaigns against your sector within the prior 90 days.
1
Step 1: Assess prioritization methodology; audit whether your vulnerability management program uses CVSS-only triage; if so, flag this as a structural gap requiring immediate remediation; EPSS scoring and KEV cross-referencing are minimum supplements for 2026 volume
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR capability, policies, and tooling before incidents occur
NIST SI-2 (Flaw Remediation) — mandates identifying, reporting, and correcting flaws with tested updates
NIST RA-3 (Risk Assessment) — requires assessing likelihood and impact using contextual threat data, not severity scores alone
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — requires a documented, risk-based process reviewed and updated annually
CIS 7.2 (Establish and Maintain a Remediation Process) — mandates a risk-based remediation strategy with monthly or more frequent reviews
Compensating Control
Export your current open findings from your scanner (Nessus Essentials, OpenVAS, or Tenable free tier) to CSV. Join against the CISA KEV catalog (downloadable as JSON at cisa.gov/known-exploited-vulnerabilities-catalog) using a Python script or Excel VLOOKUP. Pull EPSS scores in bulk via the FIRST EPSS API (api.first.org/graphql) — free, no auth required. Flag any finding with EPSS > 0.10 OR present in KEV as Tier-1 regardless of CVSS. A 2-person team can complete this audit in one sprint using these free data sources.
Preserve Evidence
Before restructuring the program, document the current state as a baseline: export your scanner's open finding list with CVSS scores and first-detected dates; pull your ticketing system's patch closure timestamps to calculate actual mean-time-to-remediate (MTTR) by severity tier; capture any KEV entries that were open in your environment past their CISA required remediation date — these represent the program's prior failure mode and are the primary evidence that CVSS-only triage produced exploitable exposure windows.
2
Step 2: Review patch SLA frameworks; validate that your SLA tiers account for accelerated exploitation timelines; a 30-day remediation window for high-severity findings may be operationally untenable when high-priority vulnerabilities are exploited rapidly after disclosure
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Policies, SLAs, and response capability must be established and validated before exploitation occurs
NIST SI-2 (Flaw Remediation) — requires testing and installing security-relevant updates within organization-defined time periods
NIST IR-8 (Incident Response Plan) — requires the IR plan to include roles, resources, and response timeframes aligned to current threat environment
CIS 7.2 (Establish and Maintain a Remediation Process) — explicitly requires a risk-based remediation strategy with monthly or more frequent review cadence
CIS 7.3 (Perform Automated Operating System Patch Management) — requires OS patching on a monthly or more frequent basis, which sets the ceiling for SLA viability
Compensating Control
Pull CrowdStrike's 2026 Global Threat Report exploitation timeline data (publicly available) and map it against your current SLA tiers in a simple spreadsheet: Column A = SLA tier (Critical/High/Medium), Column B = current window (days), Column C = AI-era median exploitation window from report data. Where Column C is shorter than Column B, flag as SLA gap. For internet-facing assets with KEV entries, draft an emergency 72-hour patch SLA and validate feasibility by timing a test patch cycle on a non-production equivalent system.
Preserve Evidence
Capture current SLA policy documents (version-controlled if possible) and your ticketing system's SLA compliance reports for the prior 12 months; cross-reference these against any CVEs added to the CISA KEV catalog that were also present in your environment — compute the delta between your SLA window and the actual exploitation-in-the-wild date for each to quantify the exposure gap that the 30-day window created.
3
Step 3: Map exposure to high-frequency CWE classes; inventory assets with known CWE-20, CWE-119, CWE-269, and CWE-287 findings; these are the vulnerability classes AI-assisted discovery prioritizes; treat unpatched instances in internet-facing or privileged systems as elevated risk
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Correlating vulnerability data with asset exposure and threat actor targeting patterns to assess scope and impact
NIST RA-3 (Risk Assessment) — requires assessing threat likelihood in the context of specific vulnerability classes and asset exposure
NIST SI-4 (System Monitoring) — requires monitoring systems for indicators consistent with exploitation of known vulnerability classes
NIST CM-8 (System Component Inventory) — requires maintaining a current inventory of system components to support exposure mapping
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) — requires an accurate, detailed inventory with internet-exposure and privilege classification
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — requires the process to account for asset criticality and exposure context, not just CVSS
Compensating Control
Query your vulnerability scanner for findings tagged CWE-20 (Improper Input Validation), CWE-119 (Buffer Overflow), CWE-269 (Improper Privilege Management), and CWE-287 (Improper Authentication) — most scanners expose CWE metadata in their finding details or export. Filter results to internet-facing assets using your network segmentation documentation or a Shodan Community (free) search of your IP ranges. For privilege context, run: Get-LocalGroupMember -Group 'Administrators' on Windows endpoints via PowerShell remoting, or 'getent group sudo' on Linux, to identify privileged systems where CWE-269/CWE-287 findings carry elevated blast radius.
Preserve Evidence
For CWE-20 and CWE-119 exploitation attempts on internet-facing services, collect: web server access logs (Apache /var/log/apache2/access.log or IIS %SystemDrive%\inetpub\logs\LogFiles) filtered for unusually long URI strings, binary content in GET parameters, or HTTP 400/500 response spikes indicative of fuzzing; for CWE-269 and CWE-287, collect Windows Security Event Log Event ID 4672 (Special Privileges Assigned to New Logon) and Event ID 4625 (Failed Logon) filtered to privileged accounts, and Linux /var/log/auth.log for sudo escalation attempts — these are the artifact classes AI-assisted exploitation of these CWE families would generate.
4
Step 4: Evaluate threat actor relevance; determine whether known advanced persistent threat actors targeting your sector, geography, or technology stack have demonstrated AI-enhanced capabilities; incorporate corresponding TTPs into detection engineering priorities
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Integrating cyber threat intelligence to prioritize detection coverage and assess adversary relevance to the organization
NIST IR-4 (Incident Handling) — requires detection and analysis capability that incorporates threat intelligence to contextualize adverse events
NIST SI-4 (System Monitoring) — requires monitoring aligned to known threat actor TTPs, not only signature-based detection
NIST RA-3 (Risk Assessment) — requires threat source identification including specific adversary groups with demonstrated targeting of your sector
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — requires the process to incorporate threat intelligence as a prioritization input
Compensating Control
Pull MITRE ATT&CK Navigator (free, browser-based at mitre.org/attacknav) and load the public group profiles for FANCY BEAR (G0007), FAMOUS CHOLLIMA (G1013), and PUNK SPIDER (G0119) — compare their technique layers against your current detection coverage. For T1190 (Exploit Public-Facing Application): deploy Sigma rules (github.com/SigmaHQ/sigma, search 'T1190') against your web server logs using sigmac or the free Uncoder.io converter. For T1068 (Exploitation for Privilege Escalation): configure Sysmon Event ID 1 (Process Creation) with a rule filtering for unexpected parent-child process relationships on privileged systems. For T1055 (Process Injection): Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) cover the primary injection artifact classes these actors use.
Preserve Evidence
Before tuning detections, collect a baseline snapshot of current process creation logs (Sysmon Event ID 1) and network connection logs (Sysmon Event ID 3) for internet-facing systems to establish a normal parent-child process baseline; capture authentication logs for Event ID 4624 (Successful Logon) with Logon Type 3 (Network) and Type 10 (RemoteInteractive) to identify T1078 (Valid Accounts) abuse patterns; for T1055, pull any existing Sysmon Event ID 8 or 10 logs and cross-reference against known legitimate process pairs — anomalies here are the primary artifact of FAMOUS CHOLLIMA and FANCY BEAR post-exploitation tradecraft documented in their ATT&CK profiles.
5
Step 5: Brief leadership with volume framing; present CVE volume trajectory (48,171 in 2025, projected 50,000-70,000 in 2026) as a resourcing argument; the patch management program that was adequately staffed in 2023 is not adequately staffed for 2026 volume without tooling or process changes
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Securing organizational commitment, resources, and authority for the IR and vulnerability management capability
NIST IR-8 (Incident Response Plan) — requires the IR plan to address resources, personnel, and organizational support necessary to sustain the capability
NIST IR-2 (Incident Response Training) — requires personnel to be trained consistent with roles and the actual threat environment
NIST PM-9 (Risk Management Strategy) — requires a risk management strategy that senior leadership reviews and approves, including resourcing decisions
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — requires the vulnerability management process to be documented and resourced appropriately for the organization's asset and threat profile
Compensating Control
Build a one-page brief using publicly verifiable figures: NVD CVE statistics (nvd.nist.gov/general/nvd-dashboard) for 2023-2025 volume, CISA KEV entry count growth (filterable on cisa.gov/known-exploited-vulnerabilities-catalog), and CrowdStrike's 2026 Global Threat Report's 89% attack volume increase figure. Plot your team's current patch closure rate (from ticketing data) against the 2026 projected volume to show the arithmetic gap without editorializing — the numbers make the resourcing argument without requiring vendor tool advocacy.
Preserve Evidence
Gather your organization's historical patch metrics before the briefing: mean-time-to-remediate by severity tier for 2023, 2024, and year-to-date 2025 from your ticketing system; total open finding count at each quarter-end to show backlog growth; and the ratio of KEV-listed findings that were remediated within CISA's required timeframe versus those that exceeded it — these internal metrics paired with external CVE volume data constitute the evidentiary basis for the resourcing argument and double as program maturity documentation under NIST IR-8 (Incident Response Plan).
6
Step 6: Monitor CISA KEV additions and official guidance; track KEV additions weekly as the authoritative exploitation-confirmed signal; official CISA commentary on prioritization methodology should inform any program modernization roadmap
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Integrating external intelligence and lessons learned to improve detection capability and prioritization methodology on an ongoing basis
NIST SI-5 (Security Alerts, Advisories, and Directives) — requires receiving and acting on security alerts from external organizations including CISA on an ongoing basis
NIST IR-4 (Incident Handling) — requires continuous improvement of incident handling capability incorporating new threat data
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — requires regular review of audit data for indications of anomalous activity, including newly KEV-listed vulnerabilities present in environment
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — requires the vulnerability management process to be reviewed and updated to reflect current threat intelligence
CIS 7.2 (Establish and Maintain a Remediation Process) — requires monthly or more frequent review of the remediation strategy, which KEV additions directly inform
Compensating Control
Automate KEV monitoring for free: use the CISA KEV JSON feed (cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with a weekly cron job or GitHub Actions workflow that diffs the current feed against last week's snapshot and emails your team new additions. Cross-reference new KEV entries against your open vulnerability findings using a Python script joining on CVE ID — when a match is found, auto-generate a Tier-1 ticket. For VulnCon26 guidance, monitor the CISA events page and NVD blog (nvd.nist.gov/general/news) for published proceedings and incorporate any updated prioritization guidance into your documented process under NIST SI-2 (Flaw Remediation) within 30 days of publication.
Preserve Evidence
Maintain a KEV delta log — a versioned record of each week's new KEV additions cross-referenced against your asset inventory and open findings; this log serves as both an operational trigger for emergency patching and as post-incident documentation demonstrating that the organization acted on CISA exploitation-confirmed signals in accordance with NIST SI-5 (Security Alerts, Advisories, and Directives); additionally, retain any scanner or ticketing records showing remediation action taken within the CISA-required timeframe for each KEV match, as these constitute compliance evidence for CISA BOD 22-01 if your organization is a federal agency or FCEB system.
Recovery Guidance
Because this threat is structural rather than a discrete incident, recovery is defined as achieving a sustainable prioritization posture: verify that EPSS and KEV cross-referencing are operationalized in your scanner workflow and producing Tier-1 tickets within 24 hours of KEV additions matching open findings. Monitor your KEV delta log and MTTR metrics weekly for 90 days following program changes to confirm the new SLA tiers are achievable at current staffing levels. If backlog growth continues despite process changes, escalate the tooling gap to leadership using the resourcing evidence compiled in Step 5.
Key Forensic Artifacts
CISA KEV JSON feed delta logs (weekly snapshots showing new exploitation-confirmed entries) cross-referenced against your open vulnerability findings by CVE ID — primary evidence that AI-accelerated exploitation timelines are outpacing your current SLA framework
Vulnerability scanner finding exports with first-detected timestamps and closure timestamps, segmented by CVSS severity tier — enables MTTR calculation that quantifies the gap between your program's actual performance and the AI-era exploitation windows documented in CrowdStrike's 2026 Global Threat Report
Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logs from internet-facing systems filtered for T1190 and T1068 technique patterns associated with FANCY BEAR (G0007) and FAMOUS CHOLLIMA (G1013) post-exploitation tradecraft — the primary host-based artifact class for AI-assisted exploitation of CWE-119 and CWE-269 findings
Windows Security Event Log Event ID 4625 (Failed Logon), 4672 (Special Privileges Assigned), and 4688 (Process Creation) from privileged systems, and Linux /var/log/auth.log sudo escalation entries — artifact classes covering T1078 (Valid Accounts) and T1055 (Process Injection) TTPs mapped to all three named threat actors
Web server access logs (Apache access.log or IIS W3C logs) from internet-facing applications filtered for anomalous URI length, binary GET parameters, and HTTP 400/500 spike patterns — the network-layer artifact signature of AI-assisted fuzzing and exploitation attempts against CWE-20 and CWE-119 vulnerable endpoints that PUNK SPIDER and FANCY BEAR have demonstrated capability to conduct at scale
Detection Guidance
Detection in this threat environment requires behavioral signal over signature matching, given the breadth of vulnerability classes involved.
For CWE-20 and CWE-119 exploitation attempts: monitor WAF and IDS logs for anomalous input patterns targeting API endpoints and web-facing applications; oversized payloads, malformed headers, and unexpected parameter types are consistent with fuzzing and exploitation of input validation failures.
For CWE-269 and CWE-287 exploitation: hunt for privilege escalation events (T1068 ) and authentication anomalies (T1110 , T1078 ); specifically, accounts authenticating outside established baselines, service account activity inconsistent with normal behavior, and token manipulation or impersonation chains.
EDR telemetry should be reviewed for process injection patterns (T1055 ) following any authentication anomaly.
For lateral movement indicators: T1021 (remote services) and T1078 (valid accounts) are the primary post-access patterns; look for unusual RDP, SMB, or SSH activity from workstation-class systems, and service accounts authenticating interactively.
For exploitation of public-facing applications (T1190 ): correlate web server error logs with vulnerability scanner signatures and payload patterns consistent with the CWE classes above; sequential probing across multiple endpoints from a single source is a hunting hypothesis worth operationalizing.
For AI-assisted reconnaissance signatures: monitor for unusually high-velocity, low-noise scanning activity; log this activity and correlate with vulnerability disclosure patterns rather than treating it as a confirmed indicator.
Log sources to prioritize: EDR process telemetry, authentication logs (AD, Entra ID, Okta), WAF and IDS/IPS alerts, vulnerability scanner findings tagged by CWE class, and firewall egress logs for C2 pattern detection.
Indicators of Compromise (1)
Export as
Splunk SPL
KQL
Elastic
Copy All (1)
1 tool
Type Value Enrichment Context Conf.
⚙ TOOL
Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators
CrowdStrike's 2026 Global Threat Report references AI-enabled adversary campaigns by FANCY BEAR, FAMOUS CHOLLIMA, and PUNK SPIDER; specific IOC values (C2 infrastructure, payload hashes, tooling signatures) were not published in the source material available for this story
LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.
KQL Query Preview
Read-only — detection query only
// Threat: AI Is Rewriting Vulnerability Economics: What the Vuln-Pocalypse Means for Secur
// Attack tool: Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators
// Context: CrowdStrike's 2026 Global Threat Report references AI-enabled adversary campaigns by FANCY BEAR, FAMOUS CHOLLIMA, and PUNK SPIDER; specific IOC values (C2 infrastructure, payload hashes, tooling signa
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators"
or ProcessCommandLine has "Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators"
or InitiatingProcessCommandLine has "Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators"
| project Timestamp, DeviceName, FileName, FolderPath,
ProcessCommandLine, AccountName, AccountDomain,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (7)
Sentinel rule: Phishing email delivery
KQL Query Preview
Read-only — detection query only
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
KQL Query Preview
Read-only — detection query only
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Sign-ins from unusual locations
KQL Query Preview
Read-only — detection query only
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Suspicious PowerShell command line
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Web application exploit patterns
KQL Query Preview
Read-only — detection query only
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
or RequestURL has_any ("../", "..\\\\", "<script", "UNION SELECT", "\${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Sentinel rule: Password spray / brute force
KQL Query Preview
Read-only — detection query only
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType in ("50126", "50053", "50055")
| summarize FailedAttempts = count(), DistinctUsers = dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 1h)
| where FailedAttempts > 10 or DistinctUsers > 5
| sort by FailedAttempts desc
Sentinel rule: Process injection / hollowing
KQL Query Preview
Read-only — detection query only
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1566
T1021
T1078
T1588.006
T1059
T1203
+4
AT-2
CA-7
SC-7
SI-3
SI-4
SI-8
+15
A07:2021
A01:2021
A03:2021
6.3
6.4
6.5
5.4
6.8
16.10
+2
MITRE ATT&CK Mapping
T1566
Phishing
initial-access
T1021
Remote Services
lateral-movement
T1078
Valid Accounts
defense-evasion
T1588.006
Vulnerabilities
resource-development
T1059
Command and Scripting Interpreter
execution
T1203
Exploitation for Client Execution
execution
T1068
Exploitation for Privilege Escalation
privilege-escalation
T1190
Exploit Public-Facing Application
initial-access
T1110
Brute Force
credential-access
T1055
Process Injection
defense-evasion
Guidance Disclaimer
