Update z-AlphaVersion.xml

Author: SwiftOnSecurity

z-AlphaVersion.xml

@@ -187,6 +187,8 @@
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k netsvcs</ParentCommandLine> <!--Microsoft:Windows: Network services: Spawns Consent.exe-->
 			<ParentCommandLine condition="is">C:\Windows\system32\svchost.exe -k localSystemNetworkRestricted</ParentCommandLine> <!--Microsoft:Windows-->
 			<CommandLine condition="is">C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM</CommandLine> <!--Microsoft:Windows: AzureAD device enrollment agent-->
+			<!--SECTION: Microsoft:Edge-->
+			<CommandLine condition="begin with">"C:\Program Files (x86)\Microsoft\Edge Dev\Application\msedge.exe" --type=</CommandLine>
 			<!--SECTION: Microsoft:dotNet-->
 			<CommandLine condition="begin with">C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe</CommandLine> <!--Microsoft:DotNet-->
 			<Image condition="is">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Image> <!--Microsoft:DotNet-->
@@ -837,8 +839,7 @@
 	<!--SYSMON EVENT ID 22 : DNS QUERY [DnsQuery]-->
 		<!--EVENT 22: "Dns query"-->
 
-		<!--NOTE:	Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover.
-					If you do not collect events centrally yet, definitely remove this section to preserve other events that are much more important. It's okay to come back later. -->
+		<!--NOTE:	Due to the volume of events that DNS queries generate, some orgs may want to remove this section from their configuration to reduce Sysmon log turnover. -->
 
 		<!--COMMENT:	DNS logging is a very nuanced challenge in monitoring due to event volume. Legitimate domains can be used to host malware/C2, but lookup itself is not very informative.
 						It's fine to exclude monitoring these bulk low-value lookups, but at same time, you would not have a full log of how malware communicated, potentially missing C2.
@@ -856,10 +857,7 @@
 		<!--CONFIG:	DNS poisoning is an issue during threat investigations. Try to only exclude ROUTINE system-level queries you know are strongly validated with HTTPS or code signing.-->
 		<!--CONFIG:	If you exclude microsoft.com, someone could register malware-microsoft.com and it wouldn't be logged. Use leading "END WITH" with leading . or "IS" operators.-->
 		<!--CONFIG:	Be very specific in exclusions. Threat actors use legitimate services, too. Dont exclude all of AWS or Azure or Google or CDNs!-->
-
-		<!--NOTE:	Poisoned ad network resolutions due to DNS configuration changes on client is OUT-OF-SCOPE. Detect that in other ways. It's too much noise to include.
-					Research: [ https://blogs.cisco.com/security/dnschanger-outbreak-linked-to-adware-install-base ]
-					Research: [ http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.298.5810&rep=rep1&type=pdf ] -->
+		<!--CONFIG: Popularity data: [ http://s3-us-west-1.amazonaws.com/umbrella-static/index.html ] [ https://better.fyi/trackers/alexa-top-500-news/ ]
 
 		<!--CRITICAL:	Do NOT exclude "wpad" lookups. This is a MitM vector routinely used by attackers. Disable WPAD or enforce client-side DNSSEC for AD domain lookups.-->
 		<!--CRITICAL:	Do NOT exclude IPv6 lookups.-->
@@ -872,84 +870,131 @@
 		<!-- Rejected: .cloudfront.net, customer content -->
 		<!-- Rejected: .windows.net, customer content -->
 		<!-- Rejected: *github.com, customer content-->
-		<!-- Rejected: .zorosrv.com, customer content-->
 
 	<RuleGroup name="Dns" groupRelation="or">
 		<DnsQuery onmatch="exclude">
 			<!--Network noise-->
 			<QueryName condition="end with">.arpa.</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
 			<QueryName condition="end with">.arpa</QueryName> <!--Design decision to not log reverse DNS lookups. You will need to decide.-->
 			<QueryName condition="end with">.msftncsi.com</QueryName> <!--Microsoft proxy detection | Microsoft default exclusion-->
-			<QueryResults condition="is">127.0.0.1;<QueryResults> <!--Localhost result. Caused by Nvidia nvcontainer.exe-->
 			<!--Microsoft-->
-			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
 			<QueryName condition="end with">-pushp.svc.ms</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
-			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.b-msedge.net</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
 			<QueryName condition="end with">.hotmail.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.live.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.live.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.microsoft.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.microsoftonline.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.microsoftstore.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
+			<QueryName condition="end with">.ms-acdc.office.com</QueryName> <!--Microsoft: Doesn't appear to host customer content or subdomains-->
+			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
 			<QueryName condition="end with">.skype.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.skype.net</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.msocdn.com</QueryName> <!--Microsoft-->
 			<QueryName condition="end with">.windows.com</QueryName> <!--Microsoft-->
-			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
 			<QueryName condition="end with">.windows.net.nsatc.net</QueryName> <!--Microsoft-->
+			<QueryName condition="end with">.windowsupdate.com</QueryName> <!--Microsoft-->
 			<!--Microsoft:Office365/AzureAD-->
+			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
+			<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
 			<QueryName condition="end with">.msauth.net</QueryName>
 			<QueryName condition="end with">.msftauth.net</QueryName>
-			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
-			<QueryName condition="end with">.activedirectory.windowsazure.com</QueryName> <!--Microsoft: AzureAD-->
 			<QueryName condition="end with">.opinsights.azure.com</QueryName> <!--Microsoft: AzureAD/InTune client event monitoring-->
-			<QueryName condition="end with">.aria.microsoft.com</QueryName> <!--Microsoft: OneDrive/SharePoint-->
 			<QueryName condition="is">management.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
+			<QueryName condition="is">outlook.office365.com</QueryName> <!--Microsoft: Protected by HSTS-->
 			<QueryName condition="is">portal.azure.com</QueryName> <!--Microsoft: AzureAD/InTune-->
-			
+		
 			<!--3rd-party applications-->
 			<QueryName condition="end with">.spotify.com</QueryName>
 			<!--Goodlist CDN-->
 			<QueryName condition="is">cdnjs.cloudflare.com</QueryName> <!--Cloudflare: Hosts popular javascript libraries-->
+			<QueryName condition="end with">.netflix.com</QueryName>
+			<QueryName condition="is">ajax.googleapis.com</QueryName>
 			<!--Personal-->
 			<QueryName condition="end with">.steamcontent.com</QueryName> <!--If you seriously host malware in a Steam game, I give up-->
 			<!--Misc-->
+			<QueryName condition="end with">.2mdn.net</QueryName> <!--Ads: Google | Microsoft default exclusion-->
 			<QueryName condition="end with">.adap.tv</QueryName> <!--Ads:AOL | Microsoft default exclusion [ https://www.crunchbase.com/organization/adap-tv ] -->
 			<QueryName condition="end with">.addthis.com</QueryName> <!--Ads:Oracle | Microsoft default exclusion [ https://en.wikipedia.org/wiki/AddThis ] -->
+			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads: AppNexus | Microsoft default exclusion-->
 			<QueryName condition="end with">.adsafeprotected.com</QueryName> <!--Advertising-->
+			<QueryName condition="end with">.adsrvr.org</QueryName> <!--Ads-->
+			<QueryName condition="end with">.adform.net</QueryName> <!--Ads-->
 			<QueryName condition="end with">.advertising.com</QueryName> <!--Advertising | Microsoft default exclusion-->
 			<QueryName condition="end with">.akadns.net</QueryName> <!--AkamaiCDN, extensively used by Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.aol.com</QueryName> <!--Advertising | Microsoft default exclusion -->
+			<QueryName condition="end with">.betrad.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.bidswitch.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.bing.com</QueryName> <!-- Microsoft | Microsoft default exclusion -->
+			<QueryName condition="end with">.casalemedia.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Ads | Microsoft default exclusion [ https://better.fyi/trackers/chartbeat.com/ ]-->
+			<QueryName condition="end with">.cnn.com</QueryName> <!-- Microsoft default exclusion-->
+			<QueryName condition="end with">.criteo.com</QueryName> <!--Ads [ https://better.fyi/trackers/criteo.com/ ] -->
+			<QueryName condition="end with">.crwdcntrl.net</QueryName> <!--Ads: Lotame [ https://better.fyi/trackers/crwdcntrl.net/ ] -->
+			<QueryName condition="end with">.demdex.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.disqus.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.dotomi.com</QueryName> <!--Ads | Microsoft default exclusion-->
 			<QueryName condition="end with">.doubleclick.net</QueryName> <!--Ads:Conversant | Microsoft default exclusion [ https://www.crunchbase.com/organization/dotomi ] -->
 			<QueryName condition="end with">.doubleverify.com</QueryName> <!--Ads: [ ] -->
+			<QueryName condition="end with">.fontawesome.com</QueryName>
 			<QueryName condition="end with">.google-analytics.com</QueryName> <!--Ads:Google | Microsoft default exclusion-->
 			<QueryName condition="end with">.googlesyndication.com</QueryName> <!--Ads:Google, sometimes called during malicious ads, but not directly responsible | Microsoft default exclusion [ https://www.hackread.com/wp-content/uploads/2018/06/Bitdefender-Whitepaper-Zacinlo.pdf ]-->
+			<QueryName condition="end with">.googletagmanager.com</QueryName> <!--Google-->
 			<QueryName condition="end with">.googlevideo.com</QueryName> <!--Google | Microsoft default exclusion-->
 			<QueryName condition="end with">.gstatic.com</QueryName> <!--Google | Microsoft default exclusion-->
-			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
-			<QueryName condition="end with">.pardot.com</QueryName>
-			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
-			<QueryName condition="end with">.outbrain.com</QueryName>
-			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
 			<QueryName condition="end with">.gvt1.com</QueryName> <!--Google-->
 			<QueryName condition="end with">.gvt2.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
-			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
-			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="end with">.ib-ibi.com</QueryName> <!--Ads: Offerpath [ https://better.fyi/trackers/ib-ibi.com/ ] -->
 			<QueryName condition="end with">.jivox.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.moatads.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.moatpixel.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.msn.com</QueryName> <!--Microsoft | Microsoft default exclusion-->
 			<QueryName condition="end with">.myvisualiq.net</QueryName> <!--Ads-->
+			<QueryName condition="end with">.netmng.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.nexac.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.outbrain.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.pardot.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.phx.gbl</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.pinterest.com</QueryName> <!--Pinerest-->
+			<QueryName condition="end with">.pubmatic.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.quantserve.com</QueryName>
+			<QueryName condition="end with">.revsci.net</QueryName> <!--Ads:Omniture | Microsoft default exclusion-->
+			<QueryName condition="end with">.rfihub.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.rlcdn.com</QueryName> <!--Ads: Rapleaf [ https://better.fyi/trackers/rlcdn.com/ ] -->
+			<QueryName condition="end with">.rubiconproject.com</QueryName> <!--Ads: Rubicon Project | Microsoft default exclusion [ https://better.fyi/trackers/rubiconproject.com/ ] -->
+			<QueryName condition="end with">.scdn.co</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.scorecardresearch.com</QueryName> <!--Ads: Comscore | Microsoft default exclusion-->
+			<QueryName condition="end with">.serving-sys.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.sitescout.com</QueryName> <!--Ads-->
 			<QueryName condition="end with">.smartadserver.com</QueryName> <!--Ads-->
-			<QueryName condition="end with">.adnxs.com</QueryName> <!--Ads | Microsoft default exclusion-->
-			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
-			<QueryName condition="end with">opps.zorosrv.com</QueryName>
-			<QueryName condition="end with">wf.zorosrv.com</QueryName>
-			<QueryName condition="end with">.taboola.map.fastly.net</QueryName>
-			<QueryName condition="end with">.mathtag.com</QueryName> <!--Microsoft default exclusion-->
+			<QueryName condition="end with">.snapads.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.spotify.map.fastly.net</QueryName> <!--Spotify-->
+			<QueryName condition="end with">.spotxchange.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.taboola.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.taboola.map.fastly.net</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="end with">.trafficmanager.net</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.tremorhub.com</QueryName> <!--Ads-->
+			<QueryName condition="end with">.tribalfusion.com</QueryName> <!--Ads: Exponential [ https://better.fyi/trackers/tribalfusion.com/ ] -->
+			<QueryName condition="end with">.turn.com</QueryName> <!--Ads | Microsoft default exclusion-->
+			<QueryName condition="end with">.twimg.com</QueryName> <!--Ads | Microsoft default exclusion-->
 			<QueryName condition="end with">.ytimg.com</QueryName> <!--Google-->
-			<QueryName condition="end with">.chartbeat.net</QueryName> <!--Microsoft default exclusion-->
-
+			<QueryName condition="end with">.zorosrv.com</QueryName> <!--Ads:Taboola-->
+			<QueryName condition="is">ampcid.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients1.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients2.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients4.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clients6.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">clientservices.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">d29x207vrinatv.cloudfront.net</QueryName> <!--Amazon-developed applications-->
+			<QueryName condition="is">fonts.googleapis.com</QueryName> <!--Google fonts-->
+			<QueryName condition="is">imasdk.googleapis.com</QueryName> <!--Google [ https://developers.google.com/interactive-media-ads/docs/sdks/html5/ ] -->
+			<QueryName condition="is">l.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">mtalk.google.com</QueryName> <!--Google-->
+			<QueryName condition="is">safebrowsing.googleapis.com</QueryName> <!--Google-->
+			<QueryName condition="is">update.googleapis.com</QueryName> <!--Google-->
+			<!--OSCP Common-->
+			<QueryName condition="is">ocsp.digicert.com</QueryName>
 		</DnsQuery>
 	</RuleGroup>