From 119cd60f4e673df52eb922b477723e1adebcb29d Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Thu, 17 Jun 2021 12:38:27 -0600
Subject: [PATCH] Lock versions for 0.13.1 package

---
 etc/version.lock.json | 184 +++++++++++++++++++++++-------------------
 1 file changed, 102 insertions(+), 82 deletions(-)

diff --git a/etc/version.lock.json b/etc/version.lock.json
index 5d9b54b84..c6c54bc78 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -111,8 +111,8 @@
   },
   "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
     "rule_name": "Anomalous Windows Process Creation",
-    "sha256": "b23bb13b7dd326ec1974177f034b66193fe903b19d5da1431f558abfce3cdb97",
-    "version": 4
+    "sha256": "9e82b05aeb4575a98f709abc32dedcd6597e85d952b0f635e6e3efa77c34eea1",
+    "version": 5
   },
   "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
     "rule_name": "Peripheral Device Discovery",
@@ -201,8 +201,8 @@
   },
   "143cb236-0956-4f42-a706-814bcaa0cf5a": {
     "rule_name": "RPC (Remote Procedure Call) from the Internet",
-    "sha256": "6e62c6664dea80ac996968a0a7bbc02303f4bd4df96ff39881f6a1fa036289dd",
-    "version": 8
+    "sha256": "7451263e28396036b27ed324111bcec3e9c69fe87505c05b284e835ede9c5ca8",
+    "version": 9
   },
   "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
     "rule_name": "Potential Persistence via Time Provider Modification",
@@ -236,13 +236,13 @@
   },
   "16a52c14-7883-47af-8745-9357803f0d4c": {
     "rule_name": "Component Object Model Hijacking",
-    "sha256": "58327576782adbc39e99e774604472036ec95eed3c5e324fc19288e7d635c8b3",
-    "version": 3
+    "sha256": "210931fff44cff26ff1c6fbb8d16c525ce7956382fb200a989335df36b12c628",
+    "version": 4
   },
   "1781d055-5c66-4adf-9c59-fc0fa58336a5": {
     "rule_name": "Unusual Windows Username",
-    "sha256": "e2e225e21975e985f3b317b2acab96e077fa87cf7e8904354bf8eae3d852b12e",
-    "version": 5
+    "sha256": "fb66f7a21c332b953f8b720d7d2eecff7fd8a3cc54ae26ec09ae2a2231105462",
+    "version": 6
   },
   "1781d055-5c66-4adf-9c71-fc0fa58338c7": {
     "rule_name": "Unusual Windows Service",
@@ -306,8 +306,8 @@
   },
   "1b21abcc-4d9f-4b08-a7f5-316f5f94b973": {
     "rule_name": "Connection to Internal Network via Telnet",
-    "sha256": "82e4e45d80664b9115f0a2e0f4b1e2a43ccb0ec7283e64bc2bdbd70311c54256",
-    "version": 5
+    "sha256": "a6045befcf940787d6b44aca3ba847602c79275a601616a8cb50d66f621907f4",
+    "version": 6
   },
   "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38": {
     "rule_name": "Possible Consent Grant Attack via Azure-Registered Application",
@@ -351,8 +351,8 @@
   },
   "1faec04b-d902-4f89-8aff-92cd9043c16f": {
     "rule_name": "Unusual Linux User Calling the Metadata Service",
-    "sha256": "3c8fba418050d2079a9f223c58298de759b56c0949e7ec330a256ffa6fed65d1",
-    "version": 2
+    "sha256": "d8647d38ddacdcf88500083f0009fe8c6bf67cbfa193518c40becdf8c8120be3",
+    "version": 3
   },
   "1fe3b299-fbb5-4657-a937-1d746f2c711a": {
     "rule_name": "Unusual Network Activity from a Windows System Binary",
@@ -426,8 +426,8 @@
   },
   "26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
     "rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
-    "sha256": "542aade4dc8e6268eee81fb3f4974e882255636a433f7d784d71d1545896fb14",
-    "version": 3
+    "sha256": "4509c990b6afc653b5ce7ee74cd0866f17caf580091b972f31ceca58a26901d8",
+    "version": 4
   },
   "272a6484-2663-46db-a532-ef734bf9a796": {
     "rule_name": "Microsoft 365 Exchange Transport Rule Modification",
@@ -536,8 +536,8 @@
   },
   "32923416-763a-4531-bb35-f33b9232ecdb": {
     "rule_name": "RPC (Remote Procedure Call) to the Internet",
-    "sha256": "04f44bb08ddbb0604f2f8a295fa3ab9107711bf25719957c4b12322148c00be5",
-    "version": 8
+    "sha256": "290eff512616935ff53c5fec73bddbcfb8a68c5cfaa6f403c4de8cbdc732f5b6",
+    "version": 9
   },
   "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
     "rule_name": "Program Files Directory Masquerading",
@@ -581,8 +581,8 @@
   },
   "35f86980-1fb1-4dff-b311-3be941549c8d": {
     "rule_name": "Network Traffic to Rare Destination Country",
-    "sha256": "cc78adc072f0c2c615cf9a3897eeda60bc19fd83e315ebcafbc73eaf9d7f7e0c",
-    "version": 1
+    "sha256": "154eabb2a4e70a6d0e7d51575de9ec07c7eb10055af37c36a9fec5645b76151a",
+    "version": 2
   },
   "36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
     "rule_name": "Suspicious ImagePath Service Creation",
@@ -616,8 +616,8 @@
   },
   "3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
     "rule_name": "Network Connection via Certutil",
-    "sha256": "8036da9336f11b5e4c6381a89a1aca0fbe65d0159b529ca83bc2c985004f4994",
-    "version": 5
+    "sha256": "80cae6ba9f36885936ddc3bfc37d180db9ec37f430b853af1fe21a14311027a0",
+    "version": 6
   },
   "38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
     "rule_name": "Prompt for Credentials with OSASCRIPT",
@@ -651,8 +651,8 @@
   },
   "3ad49c61-7adc-42c1-b788-732eda2f5abf": {
     "rule_name": "VNC (Virtual Network Computing) to the Internet",
-    "sha256": "c8ef7b71bb1059379c1654dd566587b2d9a4611272692fda545242591e2ab456",
-    "version": 8
+    "sha256": "38600c025a0aab30c26b5eb880d9b9e0d1a6e66c9adc6c48361cd0988b1eee30",
+    "version": 9
   },
   "3b382770-efbb-44f4-beed-f5e0a051b895": {
     "rule_name": "Malware - Prevented - Elastic Endgame",
@@ -671,8 +671,8 @@
   },
   "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": {
     "rule_name": "Unusual Linux Network Port Activity",
-    "sha256": "5cc8ad5cd8645964e6128824ebac5c3adbaf8248845a61e423a8d8700e461d3d",
-    "version": 4
+    "sha256": "812b60afbec769e09def857ab8078ccd803d393f5f2fdd30ab043a95574a9df6",
+    "version": 5
   },
   "3e002465-876f-4f04-b016-84ef48ce7e5d": {
     "rule_name": "AWS CloudTrail Log Updated",
@@ -731,8 +731,8 @@
   },
   "445a342e-03fb-42d0-8656-0367eb2dead5": {
     "rule_name": "Unusual Windows Path Activity",
-    "sha256": "20166dce2b7f66d82826f7ee93173a1166fbd36a5e32c73dbc6ca24bddba566f",
-    "version": 4
+    "sha256": "845885ac400eacce386fbf5040713ed065a66b447e5ddf8f450e0939c64bab9a",
+    "version": 5
   },
   "453f659e-0429-40b1-bfdb-b6957286e04b": {
     "rule_name": "Permission Theft - Prevented - Elastic Endgame",
@@ -756,8 +756,8 @@
   },
   "46f804f5-b289-43d6-a881-9387cf594f75": {
     "rule_name": "Unusual Process For a Linux Host",
-    "sha256": "25aef314e7ab742c617ec902978be738afda5d8aeab82edb2072e77ff9f4cae6",
-    "version": 5
+    "sha256": "9a02d2b846f42825b80d06ad5019d0ce19295b546cb1172d033d045345b7182d",
+    "version": 6
   },
   "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": {
     "rule_name": "Execution via Regsvcs/Regasm",
@@ -766,8 +766,8 @@
   },
   "47f76567-d58a-4fed-b32b-21f571e28910": {
     "rule_name": "Apple Script Execution followed by Network Connection",
-    "sha256": "72865db7bc50525258024cbd485983b15e70529f488290fdc041b3b7f3dc6701",
-    "version": 2
+    "sha256": "34086f00f7c81d099a3adb242947eb40dbe6ad2debdf1accf86d786204506af4",
+    "version": 3
   },
   "483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
     "rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
@@ -846,8 +846,8 @@
   },
   "52aaab7b-b51c-441a-89ce-4387b3aea886": {
     "rule_name": "Unusual Network Connection via RunDLL32",
-    "sha256": "7ff0bcfa3881f85e17c3a55b1a9f87403aeda1da00447412024e69307cbae7e8",
-    "version": 9
+    "sha256": "33e7314dd4b45b521415255a0c6fc075f77dba01dac56340b885f8befad43b9b",
+    "version": 10
   },
   "52afbdc5-db15-485e-bc24-f5707f820c4b": {
     "rule_name": "Unusual Linux Network Activity",
@@ -911,8 +911,8 @@
   },
   "5700cb81-df44-46aa-a5d7-337798f53eb8": {
     "rule_name": "VNC (Virtual Network Computing) from the Internet",
-    "sha256": "9c364d024d1238ca509316cb5936f0ed20dd86be940e7ec8902bc1bfc3c112f1",
-    "version": 8
+    "sha256": "8575892e76f9b091979957bb6e78ba24b0d230753a3d74f5c8e0e6f99113ab1b",
+    "version": 9
   },
   "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
     "rule_name": "Credential Dumping - Detected - Elastic Endgame",
@@ -1046,13 +1046,13 @@
   },
   "63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
     "rule_name": "Network Connection via Signed Binary",
-    "sha256": "fe36d773c522704ff2482572c21539cd38821bc22794dbdc12f9bc016145f498",
-    "version": 7
+    "sha256": "ef677da1d6e146d9608c74c535a574cde65a061bdf6949d119c91faea44f90ac",
+    "version": 8
   },
   "647fc812-7996-4795-8869-9c4ea595fe88": {
     "rule_name": "Anomalous Process For a Linux Population",
-    "sha256": "37b73c63d5ac1950496a55b1a66b8fa30f97c7c519632bb5a884962a22a18ffb",
-    "version": 5
+    "sha256": "861f9d3c0e4efc09b144f3f76f6d42e4b80fe2cddbf18ae15577dae6a6654f02",
+    "version": 6
   },
   "6482255d-f468-45ea-a5b3-d3a7de1331ae": {
     "rule_name": "Modification of Safari Settings via Defaults Command",
@@ -1166,13 +1166,13 @@
   },
   "6d448b96-c922-4adb-b51c-b767f1ea5b76": {
     "rule_name": "Unusual Process For a Windows Host",
-    "sha256": "1b02664b15fd31520aca0ef9dae59735d6c260e17aa898a5ed1effdab5f77eb5",
-    "version": 5
+    "sha256": "dae4cd561de5c466bef0df104337dd06946c5cc4cdf3b9a2d64aa0f76b5cd5d4",
+    "version": 6
   },
   "6e40d56f-5c0e-4ac6-aece-bee96645b172": {
     "rule_name": "Anomalous Process For a Windows Population",
-    "sha256": "8c532d5331badf82eb8460f78b9c9743623961cbd11b41ebabc7a040f16e39a4",
-    "version": 5
+    "sha256": "0bfe01e9c90bf2cd3860c241bce55caf5defb909834492b09380bdd05ede5891",
+    "version": 6
   },
   "6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
     "rule_name": "Enumeration of Users or Groups via Built-in Commands",
@@ -1191,8 +1191,8 @@
   },
   "6ea71ff0-9e95-475b-9506-2580d1ce6154": {
     "rule_name": "DNS Activity to the Internet",
-    "sha256": "e17fad5ebc0ca46c5a6d353543b8c3a7ec77d4f37afe29ccd6c1262fd0a3d317",
-    "version": 8
+    "sha256": "b6eaf970237f2fd397a64c592f8d01ede1038f2f3c0d68b7d2ffffcadc7129f3",
+    "version": 9
   },
   "6f1500bc-62d7-4eb9-8601-7485e87da2f4": {
     "rule_name": "SSH (Secure Shell) to the Internet",
@@ -1411,8 +1411,8 @@
   },
   "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
     "rule_name": "Command Prompt Network Connection",
-    "sha256": "8b6406885b7bb2e8a1b923ce1cad697d9b124fbbde62d1f6e8a9d52a87632a1e",
-    "version": 6
+    "sha256": "59a5d1e0d72c62b3fc7912a7067eaaca424cbc50b4e63c75f51fc4ffb4421007",
+    "version": 7
   },
   "89fa6cb7-6b53-4de2-b604-648488841ab8": {
     "rule_name": "Persistence via DirectoryService Plugin Modification",
@@ -1424,6 +1424,11 @@
     "sha256": "d97ec49f15814bfde2f3f6b0603a9cf03bc171cffb3a6004202db2c71153461c",
     "version": 8
   },
+  "8a1d4831-3ce6-4859-9891-28931fa6101d": {
+    "rule_name": "Suspicious Execution from a Mounted Device",
+    "sha256": "e88541a1a011cfb788e031595a6452d932dfb34adde8fb0adb6a87f91abf9c1e",
+    "version": 1
+  },
   "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
     "rule_name": "Attempt to Deactivate an Okta Network Zone",
     "sha256": "39d70757faa0cbb8300bcfe88690a5ab67ac0efe7d33ac72e5975902b1e1b2a4",
@@ -1441,8 +1446,8 @@
   },
   "8c1bdde8-4204-45c0-9e0c-c85ca3902488": {
     "rule_name": "RDP (Remote Desktop Protocol) from the Internet",
-    "sha256": "c332f69b3d3ebd232a3993fbbf6e9433dfb9d5393f91f60e13ecf8821ec69c8e",
-    "version": 8
+    "sha256": "4d93ac2658ab5f45d146f08374be7a656986c2f8b23869ba686cd7ea3380eb34",
+    "version": 9
   },
   "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
     "rule_name": "Unusual Child Process of dns.exe",
@@ -1616,8 +1621,8 @@
   },
   "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
     "rule_name": "macOS Installer Spawns Network Event",
-    "sha256": "984cad1381dd9afa09106634c1dbe9b53fe5827b48812999a26b779a5ebab44b",
-    "version": 1
+    "sha256": "9c685eb3133fc81f65b95648e73cf483f68d8c33378b9af971fdd78349e4d048",
+    "version": 2
   },
   "9a1a2dae-0b5f-4c3d-8305-a268d404c306": {
     "rule_name": "Endpoint Security",
@@ -1691,8 +1696,8 @@
   },
   "9d302377-d226-4e12-b54c-1906b5aec4f6": {
     "rule_name": "Unusual Linux Process Calling the Metadata Service",
-    "sha256": "99083f476f27c715e48e8664229115c61b61b1652bd1be73a0e95b65b31a879a",
-    "version": 2
+    "sha256": "939fb37f3245d63c1e25753987fcf1b542e5e60e2f84d4dc26226d40be958420",
+    "version": 3
   },
   "9f1c4ca3-44b5-481d-ba42-32dc215a2769": {
     "rule_name": "Potential Protocol Tunneling via EarthWorm",
@@ -1826,8 +1831,8 @@
   },
   "abae61a8-c560-4dbd-acca-1e1438bff36b": {
     "rule_name": "Unusual Windows Process Calling the Metadata Service",
-    "sha256": "d47b8762b1d507f3284720ed4081af8bbd7b798e8487c130de597dc6ef7b7527",
-    "version": 2
+    "sha256": "c8bab792d5a0d3d62e1447a105d4446258611cda4cb8a9e4b694a0d514c93728",
+    "version": 3
   },
   "ac412404-57a5-476f-858f-4e8fbb4f48d8": {
     "rule_name": "Potential Persistence via Login Hook",
@@ -1906,8 +1911,8 @@
   },
   "b240bfb8-26b7-4e5e-924e-218144a3fa71": {
     "rule_name": "Spike in Network Traffic",
-    "sha256": "9b4c9eeb5b8b2bceefe216fe315f33c7680b1f19cd1bbff8ed2bc1fcd381c045",
-    "version": 1
+    "sha256": "6ffe245992cf7f7abbd461e915ccffd1dc815fe1d9933bb2e885eb6fa3d0cb3c",
+    "version": 2
   },
   "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
     "rule_name": "Remote File Copy via TeamViewer",
@@ -1916,13 +1921,13 @@
   },
   "b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
     "rule_name": "Network Connection via Compiled HTML File",
-    "sha256": "019133bd004a19b16a85b00dc9cf843ec062679b58d784a3d08ca99fb63ab292",
-    "version": 7
+    "sha256": "5bd892d8ebcb429a2b8a9396f2cefbe7a02a3472326fa95b774f4c4b1a53ab2a",
+    "version": 8
   },
   "b347b919-665f-4aac-b9e8-68369bf2340c": {
     "rule_name": "Unusual Linux Username",
-    "sha256": "8d3fc06101f76d3625158c866245c82c55efaeea5aa68a7998d5f4c2f55b0074",
-    "version": 5
+    "sha256": "0ce8a8c9a7d0c6d52fb5a46182bb04c604688b0ffd63d3bb3ce25e44a3a613dc",
+    "version": 6
   },
   "b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
     "rule_name": "Suspicious Endpoint Security Parent Process",
@@ -1971,8 +1976,8 @@
   },
   "b86afe07-0d98-4738-b15d-8d7465f95ff5": {
     "rule_name": "Network Connection via MsXsl",
-    "sha256": "269ffb5fde08edde888f42bebe0a0954e7f0a82188ae6990f305c33b0a7cc044",
-    "version": 6
+    "sha256": "6569c4c09b7707943f2abd68297581a9b96cda43f2749734235e476c970787d4",
+    "version": 7
   },
   "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
     "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
@@ -1991,8 +1996,8 @@
   },
   "ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
     "rule_name": "Unusual Windows Network Activity",
-    "sha256": "5b1caa506744552a652673d21edc0a4715dd0a771e3ae9b85b6727892cdf35c1",
-    "version": 5
+    "sha256": "a1f661b5265219da28a5be3c55ce6d710c54e00419ac86c23fb891c9bf0fcbc6",
+    "version": 6
   },
   "baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
     "rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
@@ -2051,8 +2056,8 @@
   },
   "bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
     "rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
-    "sha256": "fdf46a65e1d59ef2f2929dace2b97e19784e242565d236456411e53f87c6d774",
-    "version": 1
+    "sha256": "2e2cc6d275afd2b0ad2082fc64d16ff251c7b91b0ad5370583bc7fb460166ee5",
+    "version": 2
   },
   "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
     "rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
@@ -2144,6 +2149,11 @@
     "sha256": "897b7cf567d45aebb4daaaba655d2627aac02b5c883882dad6f9cd26c1243975",
     "version": 4
   },
+  "c7894234-7814-44c2-92a9-f7d851ea246a": {
+    "rule_name": "Unusual Network Connection via DllHost",
+    "sha256": "3e28a8bb55979694d9772245c4b8a44aeb04b4b6ea95f171ba58752e77a128c8",
+    "version": 1
+  },
   "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
     "rule_name": "Unusual File Modification by dns.exe",
     "sha256": "28d8ceeeae367d91ddfcc5654ea7a2a4f188e3914886461d1379da1a9e2a4e48",
@@ -2151,8 +2161,8 @@
   },
   "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": {
     "rule_name": "Spike in Network Traffic To a Country",
-    "sha256": "6774d8dd42a2fb4f9e99da7b446f5cb28437e10cb1d775b9c55d0fbb38e0a10b",
-    "version": 1
+    "sha256": "2e908b7e338192c06491e1fe991b6eae62a1d164a4bc80084ea828f31430f38f",
+    "version": 2
   },
   "c81cefcb-82b9-4408-a533-3c3df549e62d": {
     "rule_name": "Persistence via Docker Shortcut Modification",
@@ -2431,8 +2441,8 @@
   },
   "df197323-72a8-46a9-a08e-3f5b04a4a97a": {
     "rule_name": "Unusual Windows User Calling the Metadata Service",
-    "sha256": "da2ba9b91b45c96faf8b5007dc0ec15693e269318a6203fa90ba2d043f85d3a2",
-    "version": 2
+    "sha256": "40ac13cc950b6d31bbf8793ae0941af4edbaf36dc40070df6f4173775298c968",
+    "version": 3
   },
   "df26fd74-1baa-4479-b42e-48da84642330": {
     "rule_name": "Azure Automation Account Created",
@@ -2451,8 +2461,8 @@
   },
   "e08ccd49-0380-4b2b-8d71-8000377d6e49": {
     "rule_name": "Attempts to Brute Force an Okta User Account",
-    "sha256": "d3a19e30b74d6b53aaae15b0678ea25c922302228cea85dde5aed39d9db25bd3",
-    "version": 4
+    "sha256": "0e7206d6334ee10726bbbf513659b98a614a9b5ab2e916603e598d530ff31e70",
+    "version": 5
   },
   "e0f36de1-0342-453d-95a9-a068b257b053": {
     "rule_name": "Azure Event Hub Deletion",
@@ -2466,8 +2476,8 @@
   },
   "e19e64ee-130e-4c07-961f-8a339f0b8362": {
     "rule_name": "Connection to External Network via Telnet",
-    "sha256": "f1af1671f7dcae7e1678122ed09e278ba84f64df0a6652f3edaf91187117c4ff",
-    "version": 5
+    "sha256": "a45edaf4d918bf73f99e232fcd351f941cfa4f924fd8e1178dc914370f3c706a",
+    "version": 6
   },
   "e2a67480-3b79-403d-96e3-fdd2992c50ef": {
     "rule_name": "AWS Management Console Root Login",
@@ -2556,8 +2566,13 @@
   },
   "e90ee3af-45fc-432e-a850-4a58cf14a457": {
     "rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
-    "sha256": "16c391783d2d3d04c29a353d392764a8aec830daf68db15d29649bb9c067ba12",
-    "version": 4
+    "sha256": "a3589119873fe764082ca62c45709fecf67be62df872d4dc816e0bebc64b5429",
+    "version": 5
+  },
+  "e919611d-6b6f-493b-8314-7ed6ac2e413b": {
+    "rule_name": "AWS EC2 VM Export Failure",
+    "sha256": "b84ca0431b650ae06a30ff5b647c5b67526c1b234a93c8e85d30a26d7d4c1446",
+    "version": 1
   },
   "e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
     "rule_name": "Unusual Executable File Creation by a System Critical Process",
@@ -2586,8 +2601,8 @@
   },
   "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": {
     "rule_name": "Spike in Firewall Denies",
-    "sha256": "65ba8a3c5cb671c8c0f365caf5c11450c484b61eb9ee92645bf4229b10ff2ff2",
-    "version": 1
+    "sha256": "f388ca2c8b8c928235c3197913210b2230cf556ec9fd8573106701a3fb5d07b5",
+    "version": 2
   },
   "eb079c62-4481-4d6e-9643-3ca499df7aaa": {
     "rule_name": "External Alerts",
@@ -2744,6 +2759,11 @@
     "sha256": "a1fab020030d01dfba1dc1c38293f9c6f11877acef2296e84bd9934cb13f0b29",
     "version": 1
   },
+  "f874315d-5188-4b4a-8521-d1c73093a7e4": {
+    "rule_name": "Modification of AmsiEnable Registry Key",
+    "sha256": "b493f546991997e0e6091c99211f7bc4ffd8aa4827ec8c4e75ffa1ae45a0e142",
+    "version": 1
+  },
   "f9590f47-6bd5-4a49-bd49-a2f886476fb9": {
     "rule_name": "Unusual Linux System Network Configuration Discovery",
     "sha256": "e0d27723f14bfc1f2d57f46507f432ac8447aeedaa48ac60222193653c4ea2a8",
@@ -2761,8 +2781,8 @@
   },
   "fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
     "rule_name": "Network Connection via Registration Utility",
-    "sha256": "55b97f236823525ebcdff6607f3ce89dccea9b4d7acc813986d8a35ff65094c7",
-    "version": 8
+    "sha256": "3d038f9ff917769a14a4b725d0b29f1c7cb63e552144f2969e4dff1c77089b75",
+    "version": 9
   },
   "fb9937ce-7e21-46bf-831d-1ad96eac674d": {
     "rule_name": "Auditd Max Failed Login Attempts",
@@ -2796,8 +2816,8 @@
   },
   "ff013cb4-274d-434a-96bb-fe15ddd3ae92": {
     "rule_name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet",
-    "sha256": "fcb59813bb82c4a09e274f7748df5c9dc10d89f50b7466d9f96819dae17b0177",
-    "version": 4
+    "sha256": "b0766c2b5081f2da958a910b2935bf0773cef1af695c072f059551a4a1fee871",
+    "version": 5
   },
   "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
     "rule_name": "Microsoft 365 Exchange Transport Rule Creation",