diff --git a/_tools/rules-updater/update.sh b/_tools/rules-updater/update.sh
index b7fbad1..544c20e 100755
--- a/_tools/rules-updater/update.sh
+++ b/_tools/rules-updater/update.sh
@@ -11,7 +11,7 @@
 # Example: ./update.sh 1.2.5
 #
-set -e
+set -eux
 [ $# -ne 1 ] && echo "Usage: $0 \"version\"" >&2 && exit 1
diff --git a/appsec/rules.go b/appsec/rules.go
index c3f25f5..de7da13 100644
--- a/appsec/rules.go
+++ b/appsec/rules.go
@@ -5,10 +5,10 @@
 package appsec
-import _ "embed" // Blank import comment for golint compliance
+import _ "embed"
-// StaticRecommendedRules holds the recommended AppSec security rules (v1.5.1)
-// Source: https://github.com/DataDog/appsec-event-rules/blob/1.5.1/build/recommended.json
+// StaticRecommendedRules holds the recommended AppSec security rules (v1.7.1)
+// Source: https://github.com/DataDog/appsec-event-rules/blob/1.7.1/build/recommended.json
 //
 //go:embed rules.json
 var StaticRecommendedRules string
diff --git a/appsec/rules.json b/appsec/rules.json
index 9af1788..ba65c5c 100644
--- a/appsec/rules.json
+++ b/appsec/rules.json
@@ -1,7 +1,7 @@ { "version": "2.2", "metadata": { - "rules_version": "1.5.1" + "rules_version": "1.7.1" }, "rules": [ {
@@ -58,10 +58,11 @@ "id": "crs-913-110", "name": "Acunetix", "tags": { - "type": "security_scanner", + "type": "commercial_scanner", "crs_id": "913110", "category": "attack_attempt", - "confidence": "1" + "tool_name": "Acunetix", + "confidence": "0" }, "conditions": [ {
@@ -1351,16 +1352,11 @@ "etc/timezone", "etc/modules", "etc/passwd", - "etc/passwd~", - "etc/passwd-", "etc/shadow", - "etc/shadow~", - "etc/shadow-", "etc/fstab", "etc/motd", "etc/hosts", "etc/group", - "etc/group-", "etc/alias", "etc/crontab", "etc/crypttab",
@@ -1871,11 +1867,8 @@ "dev/tcp/", "dev/udp/", "dev/zero", - "etc/group", "etc/master.passwd", - "etc/passwd", "etc/pwd.db", - "etc/shadow", "etc/shells", "etc/spwd.db", "proc/self/",
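Review bot: `set -eux` enables command tracing for the entire script, so every expanded command line — including any environment value the script interpolates further down, which is not visible in this hunk — is written to stderr and will land in CI logs. If tracing is only wanted while debugging, keep `set -eu` and gate the trace, e.g. `[ -n "${DEBUG:-}" ] && set -x`. Note also that `-u` makes any reference to an unset variable fatal, so optional variables used later in the script (outside this hunk) need `${VAR:-}` defaults to keep the updater from aborting.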
@@ -2706,7 +2699,7 @@ "address": "grpc.server.request.message" } ], - "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|lert|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_fil
e|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)", + "regex": "\\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate|function)|p?open|exec)|tr(?:eam_(?:context_create|socket_client)|ipc?slashes|rev)|implexml_load_(?:string|file)|ocket_c(?:onnect|reate)|h(?:ow_sourc|a1_fil)e|pl_autoload_register|ystem)|p(?:r(?:eg_(?:replace(?:_callback(?:_array)?)?|match(?:_all)?|split)|oc_(?:(?:terminat|clos|nic)e|get_status|open)|int_r)|o(?:six_(?:get(?:(?:e[gu]|g)id|login|pwnam)|mk(?:fifo|nod)|ttyname|kill)|pen)|hp(?:_(?:strip_whitespac|unam)e|version|info)|g_(?:(?:execut|prepar)e|connect|query)|a(?:rse_(?:ini_file|str)|ssthru)|utenv)|r(?:unkit_(?:function_(?:re(?:defin|nam)e|copy|add)|method_(?:re(?:defin|nam)e|copy|add)|constant_(?:redefine|add))|e(?:(?:gister_(?:shutdown|tick)|name)_function|ad(?:(?:gz)?file|_exif_data|dir))|awurl(?:de|en)code)|i(?:mage(?:createfrom(?:(?:jpe|pn)g|x[bp]m|wbmp|gif)|(?:jpe|pn)g|g(?:d2?|if)|2?wbmp|xbm)|s_(?:(?:(?:execut|write?|read)ab|fi)le|dir)|ni_(?:get(?:_all)?|set)|terator_apply|ptcembed)|g(?:et(?
:_(?:c(?:urrent_use|fg_va)r|meta_tags)|my(?:[gpu]id|inode)|(?:lastmo|cw)d|imagesize|env)|z(?:(?:(?:defla|wri)t|encod|fil)e|compress|open|read)|lob)|a(?:rray_(?:u(?:intersect(?:_u?assoc)?|diff(?:_u?assoc)?)|intersect_u(?:assoc|key)|diff_u(?:assoc|key)|filter|reduce|map)|ssert(?:_options)?|tob)|h(?:tml(?:specialchars(?:_decode)?|_entity_decode|entities)|(?:ash(?:_(?:update|hmac))?|ighlight)_file|e(?:ader_register_callback|x2bin))|f(?:i(?:le(?:(?:[acm]tim|inod)e|(?:_exist|perm)s|group)?|nfo_open)|tp_(?:nb_(?:ge|pu)|connec|ge|pu)t|(?:unction_exis|pu)ts|write|open)|o(?:b_(?:get_(?:c(?:ontents|lean)|flush)|end_(?:clean|flush)|clean|flush|start)|dbc_(?:result(?:_all)?|exec(?:ute)?|connect)|pendir)|m(?:b_(?:ereg(?:_(?:replace(?:_callback)?|match)|i(?:_replace)?)?|parse_str)|(?:ove_uploaded|d5)_file|ethod_exists|ysql_query|kdir)|e(?:x(?:if_(?:t(?:humbnail|agname)|imagetype|read_data)|ec)|scapeshell(?:arg|cmd)|rror_reporting|val)|c(?:url_(?:file_create|exec|init)|onvert_uuencode|reate_function|hr)|u(?:n(?:serialize|pack)|rl(?:de|en)code|[ak]?sort)|b(?:(?:son_(?:de|en)|ase64_en)code|zopen|toa)|(?:json_(?:de|en)cod|debug_backtrac|tmpfil)e|var_dump)(?:\\s|/\\*.*\\*/|//.*|#.*|\\\"|')*\\((?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?,)*(?:(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:\\$\\w+|[A-Z\\d]\\w*|\\w+\\(.*\\)|\\\\?\"(?:[^\"]|\\\\\"|\"\"|\"\\+\")*\\\\?\"|\\\\?'(?:[^']|''|'\\+')*\\\\?')(?:\\s|/\\*.*\\*/|//.*|#.*)*(?:(?:::|\\.|->)(?:\\s|/\\*.*\\*/|//.*|#.*)*\\w+(?:\\(.*\\))?)?)?\\)", "options": { "case_sensitive": true, "min_length": 5 @@ -2915,7 +2908,8 @@ } ], "transformers": [ - "removeNulls" + "removeNulls", + "urlDecodeUni" ] }, { @@ -2965,7 +2959,8 @@ } ], "transformers": [ - "removeNulls" + "removeNulls", + "urlDecodeUni" ] }, { 
@@ -3015,7 +3010,8 @@ } ], "transformers": [ - "removeNulls" + "removeNulls", + "urlDecodeUni" ] }, { @@ -3062,7 +3058,8 @@ } ], "transformers": [ - "removeNulls" + "removeNulls", + "urlDecodeUni" ] }, { @@ -3096,8 +3093,7 @@ ".parentnode", ".innerhtml", "window.location", - "-moz-binding", - "netsparker\\(0x0|ns:netsparker.*=vuln)" + "regex": "\\bnetsparker\\b" }, "operator": "match_regex" } @@ -5723,8 +5985,9 @@ "id": "ua0-600-22x", "name": "JAASCois", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "JAASCois", "confidence": "1" }, "conditions": [ @@ -5745,64 +6008,13 @@ ], "transformers": [] }, - { - "id": "ua0-600-23x", - "name": "PMAFind", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bpmafind\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, - { - "id": "ua0-600-25x", - "name": "Webtrends", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "webtrends security analyzer" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, { "id": "ua0-600-26x", "name": "Nsauditor", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Nsauditor", "confidence": "1" }, "conditions": [ @@ -5827,8 +6039,9 @@ "id": "ua0-600-27x", "name": "Paros", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Paros", "confidence": "1" }, "conditions": [ 
@@ -5853,8 +6066,9 @@ "id": "ua0-600-28x", "name": "DirBuster", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "DirBuster", "confidence": "1" }, "conditions": [ @@ -5879,8 +6093,9 @@ "id": "ua0-600-29x", "name": "Pangolin", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Pangolin", "confidence": "1" }, "conditions": [ @@ -5905,9 +6120,10 @@ "id": "ua0-600-2xx", "name": "Qualys", "tags": { - "type": "security_scanner", + "type": "commercial_scanner", "category": "attack_attempt", - "confidence": "1" + "tool_name": "Qualys", + "confidence": "0" }, "conditions": [ { @@ -5931,8 +6147,9 @@ "id": "ua0-600-30x", "name": "SQLNinja", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "SQLNinja", "confidence": "1" }, "conditions": [ @@ -5957,8 +6174,9 @@ "id": "ua0-600-31x", "name": "Nikto", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Nikto", "confidence": "1" }, "conditions": [ @@ -5979,38 +6197,13 @@ ], "transformers": [] }, - { - "id": "ua0-600-32x", - "name": "WebInspect", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bwebinspect\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, { "id": "ua0-600-33x", "name": "BlackWidow", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "BlackWidow", "confidence": "1" }, "conditions": [ 
@@ -6035,8 +6228,9 @@ "id": "ua0-600-34x", "name": "Grendel-Scan", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Grendel-Scan", "confidence": "1" }, "conditions": [ @@ -6061,8 +6255,9 @@ "id": "ua0-600-35x", "name": "Havij", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Havij", "confidence": "1" }, "conditions": [ @@ -6087,8 +6282,9 @@ "id": "ua0-600-36x", "name": "w3af", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "w3af", "confidence": "1" }, "conditions": [ @@ -6113,8 +6309,9 @@ "id": "ua0-600-37x", "name": "Nmap", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Nmap", "confidence": "1" }, "conditions": [ @@ -6139,8 +6336,9 @@ "id": "ua0-600-39x", "name": "Nessus Scripted", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Nessus", "confidence": "1" }, "conditions": [ @@ -6154,7 +6352,7 @@ ] } ], - "regex": "(?i)^'?[a-z0-9]+\\.nasl'?$" + "regex": "(?i)^'?[a-z0-9_]+\\.nasl'?$" }, "operator": "match_regex" } @@ -6165,8 +6363,9 @@ "id": "ua0-600-3xx", "name": "Evil Scanner", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "EvilScanner", "confidence": "1" }, "conditions": [ @@ -6191,8 +6390,9 @@ "id": "ua0-600-40x", "name": "WebFuck", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "WebFuck", "confidence": "1" }, "conditions": [ @@ -6217,8 +6417,9 @@ "id": "ua0-600-42x", "name": "OpenVAS", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "OpenVAS", "confidence": "1" }, "conditions": [ 
@@ -6243,8 +6444,9 @@ "id": "ua0-600-43x", "name": "Spider-Pig", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Spider-Pig", "confidence": "1" }, "conditions": [ @@ -6269,8 +6471,9 @@ "id": "ua0-600-44x", "name": "Zgrab", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Zgrab", "confidence": "1" }, "conditions": [ @@ -6295,8 +6498,9 @@ "id": "ua0-600-45x", "name": "Zmeu", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Zmeu", "confidence": "1" }, "conditions": [ @@ -6317,39 +6521,14 @@ ], "transformers": [] }, - { - "id": "ua0-600-46x", - "name": "Crowdstrike", - "tags": { - "type": "security_scanner", - "category": "attack_attempt", - "confidence": "1" - }, - "conditions": [ - { - "parameters": { - "inputs": [ - { - "address": "server.request.headers.no_cookies", - "key_path": [ - "user-agent" - ] - } - ], - "regex": "(?i)\\bcrowdstrike\\b" - }, - "operator": "match_regex" - } - ], - "transformers": [] - }, { "id": "ua0-600-47x", "name": "GoogleSecurityScanner", "tags": { - "type": "security_scanner", + "type": "commercial_scanner", "category": "attack_attempt", - "confidence": "1" + "tool_name": "GoogleSecurityScanner", + "confidence": "0" }, "conditions": [ { @@ -6373,8 +6552,9 @@ "id": "ua0-600-48x", "name": "Commix", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Commix", "confidence": "1" }, "conditions": [ @@ -6399,8 +6579,9 @@ "id": "ua0-600-49x", "name": "Gobuster", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Gobuster", "confidence": "1" }, "conditions": [ 
@@ -6425,8 +6606,9 @@ "id": "ua0-600-4xx", "name": "CGIchk", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "CGIchk", "confidence": "1" }, "conditions": [ @@ -6451,8 +6633,9 @@ "id": "ua0-600-51x", "name": "FFUF", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "FFUF", "confidence": "1" }, "conditions": [ @@ -6477,8 +6660,9 @@ "id": "ua0-600-52x", "name": "Nuclei", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Nuclei", "confidence": "1" }, "conditions": [ @@ -6503,8 +6687,9 @@ "id": "ua0-600-53x", "name": "Tsunami", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Tsunami", "confidence": "1" }, "conditions": [ @@ -6529,8 +6714,9 @@ "id": "ua0-600-54x", "name": "Nimbostratus", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Nimbostratus", "confidence": "1" }, "conditions": [ @@ -6557,6 +6743,7 @@ "tags": { "type": "security_scanner", "category": "attack_attempt", + "tool_name": "Datadog Canary Test", "confidence": "1" }, "conditions": [ @@ -6576,7 +6763,7 @@ ] } ], - "regex": "^dd-test-scanner-log$" + "regex": "^dd-test-scanner-log(?:$|/|\\s)" }, "operator": "match_regex" } @@ -6587,8 +6774,9 @@ "id": "ua0-600-56x", "name": "Datadog test scanner - blocking version: user-agent", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Datadog Canary Test", "confidence": "1" }, "conditions": [ @@ -6608,7 +6796,7 @@ ] } ], - "regex": "^dd-test-scanner-log-block$" + "regex": "^dd-test-scanner-log-block(?:$|/|\\s)" }, "operator": "match_regex" } 
@@ -6618,12 +6806,94 @@ "block" ] }, + { + "id": "ua0-600-57x", + "name": "AlertLogic", + "tags": { + "type": "commercial_scanner", + "category": "attack_attempt", + "tool_name": "AlertLogic", + "confidence": "0" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bAlertLogic-MDR-" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-58x", + "name": "wfuzz", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "tool_name": "wfuzz", + "confidence": "1" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bwfuzz\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-59x", + "name": "Detectify", + "tags": { + "type": "commercial_scanner", + "category": "attack_attempt", + "tool_name": "Detectify", + "confidence": "0" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "\\bdetectify\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, { "id": "ua0-600-5xx", "name": "Blind SQL Injection Brute Forcer", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "BSQLBF", "confidence": "1" }, "conditions": [ 
@@ -6644,9 +6914,90 @@ ], "transformers": [] }, + { + "id": "ua0-600-60x", + "name": "masscan", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "tool_name": "masscan", + "confidence": "1" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "^masscan/" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-61x", + "name": "WPScan", + "tags": { + "type": "attack_tool", + "category": "attack_attempt", + "tool_name": "WPScan", + "confidence": "1" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "^wpscan\\b" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, + { + "id": "ua0-600-62x", + "name": "Aon pentesting services", + "tags": { + "type": "commercial_scanner", + "category": "attack_attempt", + "tool_name": "Aon", + "confidence": "0" + }, + "conditions": [ + { + "parameters": { + "inputs": [ + { + "address": "server.request.headers.no_cookies", + "key_path": [ + "user-agent" + ] + } + ], + "regex": "^Aon/" + }, + "operator": "match_regex" + } + ], + "transformers": [] + }, { "id": "ua0-600-6xx", - "name": "Suspicious user agent", + "name": "Stealthy scanner", "tags": { "type": "security_scanner", "category": "attack_attempt", @@ -6674,8 +7025,9 @@ "id": "ua0-600-7xx", "name": "SQLmap", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "SQLmap", "confidence": "1" }, "conditions": [ @@ -6700,8 +7052,9 @@ "id": "ua0-600-9xx", "name": "Skipfish", "tags": { - "type": "security_scanner", + "type": "attack_tool", "category": "attack_attempt", + "tool_name": "Skipfish", "confidence": "1" }, "conditions": [