Prep for Release 8.18 (#4288)

shashank-elastic
2024-12-09 18:25:13 +05:30
committed by GitHub
parent 511c108ba1
commit 2c848c5111
105 changed files with 4485 additions and 862 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '8.11,8.12,8.13,8.14,8.15,8.16'
default: '8.12,8.13,8.14,8.15,8.16,8.17'
jobs:
pr:
@@ -0,0 +1,412 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"esql",
"threshold",
"threat_match",
"new_terms"
],
"enumNames": [],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
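Review bot: The `reference` patterns under `threat` (tactic, technique and subtechnique) leave the dots in `attack.mitre.org` unescaped, so each `.` matches any character and a reference URL on a host that differs from the MITRE domain only in those positions still passes validation. Escape them, e.g. `"pattern": "^https://attack\\.mitre\\.org/tactics/TA[0-9]+/$"`, and likewise for the technique and sub-technique patterns; the same three patterns recur in every schema section that follows in this commit. `risk_score` also carries `"description": "MaxSignals"`, the label of the unrelated `max_signals` field; rename it (`"description": "RiskScore"`) or drop it. If these files are emitted from the Python rule definitions, as the non-standard `min_compat` and empty `enumNames` annotations suggest, the corrections belong in the generator rather than in the emitted JSON.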
@@ -0,0 +1,490 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"event_category_override": {
"min_compat": "8.0",
"type": "string"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
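Review bot: `query` is listed in `required` but is declared only as `"type": "string"`, so an empty string satisfies the schema; add `"minLength": 1`, matching the `NonEmptyStr` items already used for `related_integrations` in the same file. `index` likewise accepts `[]` and `[""]`; `"minItems": 1` on the array and `"minLength": 1` on its items would close that. The same gap exists in the ES|QL and new_terms schemas later in this commit. `"description": "AlertSupressionValue"` under `alert_suppression.duration.value` is misspelled; `AlertSuppressionValue` matches the sibling `AlertSuppressionGroupBy`.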
@@ -0,0 +1,478 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"esql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"esql"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,476 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"anomaly_threshold": {
"type": "integer"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
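Review bot: `machine_learning_job_id` is required, but its `anyOf` accepts both `""` and `[]`, so a rule with no job id at all validates; add `"minLength": 1` to the string branch and `"minItems": 1` (with `"minLength": 1` on the items) to the array branch. `anomaly_threshold` is an unbounded integer; if it is the 0–100 anomaly score (to confirm against the rule definition), `"minimum": 0, "maximum": 100` would make the schema reject what the API rejects anyway.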
@@ -0,0 +1,533 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"new_terms": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"history_window_start": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"value": {
"description": "NewTermsFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"field",
"history_window_start",
"value"
],
"type": "object"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"new_terms"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"new_terms",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
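Review bot: `new_terms.history_window_start` is required but has no `minItems`, so an empty array passes while the neighbouring `new_terms.value` enforces `"minItems": 1`; add `"minItems": 1` for consistency. `language` here admits `eql` and `esql` alongside `kuery` and `lucene`, whereas the eql and esql schemas in this commit pin `language` to their own single value; if new_terms rules only accept KQL/Lucene (to confirm against the rule definition), narrow the enum to `["kuery", "lucene"]`.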
@@ -0,0 +1,482 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
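Review bot: The `risk_score` property in this schema carries `"description": "MaxSignals"`, which is the label of `max_signals`, so any tooling that surfaces descriptions in validation errors reports the wrong field; the same mislabel appears in the threat_match and threshold schemas in the next two hunks. The `alert_suppression.duration.value` description is misspelt as `AlertSupressionValue` in all three as well. The `enumNames: []` and `min_compat` keys are not draft-04 keywords, which suggests these files are generated from the rule definitions rather than hand-written; if so, the labels should be corrected at their source so the generated output stays consistent. As a constructed example of the intended strings: `"description": "RiskScore"` for `risk_score` and `"description": "AlertSuppressionValue"` for the duration value.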
@@ -0,0 +1,573 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"items_per_search": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
@@ -0,0 +1,508 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
}
},
"required": [
"duration"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"revision": {
"min_compat": "8.8",
"type": "integer"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
},
"version": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
@@ -132,5 +132,5 @@
"T1536": "T1578.004",
"T1547.011": "T1647"
},
"saved_date": "Thu Nov 7 12:14:04 2024"
"saved_date": "Mon Dec 9 14:04:15 2024"
}
+3 -3
@@ -3,7 +3,7 @@ package:
maturity:
- production
log_deprecated: true
name: '8.17'
name: '8.18'
registry_data:
categories:
- security
@@ -12,7 +12,7 @@ package:
capabilities:
- security
subscription: basic
kibana.version: ^8.17.0
kibana.version: ^8.18.0
description: Prebuilt detection rules for Elastic Security
format_version: 3.0.0
icons:
@@ -27,5 +27,5 @@ package:
license: Elastic-2.0
title: Prebuilt Security Detection Rules
type: integration
version: 8.17.0-beta.1
version: 8.18.0-beta.1
release: true
+14 -9
@@ -82,12 +82,12 @@
# ecs: "8.10.0"
# endgame: "8.4.0"
## Supported
# "8.11.0":
# beats: "8.11.2"
# ecs: "8.11.0"
# endgame: "8.4.0"
"8.11.0":
beats: "8.11.2"
ecs: "8.11.0"
endgame: "8.4.0"
## Supported
"8.12.0":
beats: "8.12.2"
@@ -110,11 +110,16 @@
endgame: "8.4.0"
"8.16.0":
beats: "8.15.3"
ecs: "8.11.0"
beats: "8.16.1"
ecs: "8.16.0"
endgame: "8.4.0"
"8.17.0":
beats: "8.15.3"
ecs: "8.11.0"
beats: "8.16.1"
ecs: "8.16.0"
endgame: "8.4.0"
"8.18.0":
beats: "8.16.1"
ecs: "8.16.0"
endgame: "8.4.0"
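Review bot: The `8.16.0` and `8.17.0` entries change their `beats`/`ecs` pins retroactively (8.15.3 to 8.16.1 and 8.11.0 to 8.16.0) in the same hunk that introduces `8.18.0`; since this map appears to decide which Beats/ECS field schemas rules targeting those already-released branches are validated against, a rule that validated under ecs 8.11.0 may now be accepted or rejected differently on 8.16 and 8.17. That is worth confirming as intended and calling out in the release description, because the commit message only mentions 8.18 preparation. `8.18.0` reuses the same 8.16 pins as 8.17.0; a one-line comment above it such as `# 8.18.0: no newer beats/ecs schema bundles available yet, reuse 8.16` would record the reason, assuming that is why.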
+450 -753
@@ -2,10 +2,10 @@
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Attempt to Modify an Okta Policy Rule",
"sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
"sha256": "2b1d6cbdeadcd4ff4265d6af38ef3978c87c1ebde1bf2c84522ba5cbc8883d11",
"type": "query",
"version": 210
}
@@ -18,7 +18,7 @@
"00140285-b827-4aee-aa09-8113f58a08f3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "853c0119b884740c18884bf5ff39f6f2ed3a5fa2edac34c1664737716be93587",
@@ -41,7 +41,7 @@
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "System Shells via Services",
"sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783",
@@ -86,16 +86,6 @@
"version": 7
},
"01c49712-25bc-49d2-a27d-d7ce52f5dc49": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "adb33991bc7e05efa461ee20ccaa7ac960c540154ae482921c711a1e850b06cf",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of GitHub User Interaction with Private Repo",
"sha256": "095c16605c5fbf8541e9458048d6b266d1019f1daa27e2292b8c6882a0595e28",
"type": "new_terms",
@@ -104,7 +94,7 @@
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Potential Cookies Theft via Browser Debugging",
"sha256": "0ae709b171f47f1273c0e0cdc34fd30e5b64862da6d9840ff006ba59d85f9b10",
@@ -118,16 +108,6 @@
"version": 207
},
"0294f105-d7af-4a02-ae90-35f56763ffa2": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "5c428cb19c48c4a48a019d8275c5361269f5caba6736aec0a5304d2790f5789c",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of GitHub Repo Interaction From a New IP",
"sha256": "3510266d54dc4cce4d79160e2fcdff9c2750cc8c0fe8b7f1e54b255096f8916e",
"type": "new_terms",
@@ -142,7 +122,7 @@
"02a4576a-7480-4284-9327-548a806b5e48": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Potential Credential Access via DuplicateHandle in LSASS",
"sha256": "08ccb0b77ba1240408e1418cf800f0677b541367930b3cb9a986a4adfcbe2dac",
@@ -176,7 +156,7 @@
"035889c4-2686-4583-a7df-67f89c292f2c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "High Number of Process and/or Service Terminations",
"sha256": "a07d1cef609011df0d31be52648a89dcf9ffdad1282b8910ccba67298c5c15a1",
@@ -234,7 +214,7 @@
"043d80a3-c49e-43ef-9c72-1088f0c7b278": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Escalation via Vulnerable MSI Repair",
"sha256": "c033b9b9cf89ada890efbe4f3d50749d62d412f4f4649252be0cde9f15bab174",
@@ -261,7 +241,6 @@
"version": 102
},
"04e65517-16e9-4fc4-b7f1-94dc21ecea0d": {
"min_stack_version": "8.12",
"rule_name": "User Added to the Admin Group",
"sha256": "018ed4ea49d89558cfa618d30dec9b266a2926894b75e434ede0254443d6bab9",
"type": "eql",
@@ -270,7 +249,7 @@
"053a0387-f3b5-4ba5-8245-8002cca2bd08": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable",
"sha256": "e4bf9920903785a4d419c63645c7e09513aac5d799ecd7dbebd52664884af5e0",
@@ -292,7 +271,7 @@
"0564fb9d-90b9-4234-a411-82a546dc1343": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Microsoft IIS Service Account Password Dumped",
"sha256": "b50fa9f171fe0197eb2ebc36ca1e71976b33fd5b0e5ae691bd8757f0a5433e7e",
@@ -308,7 +287,7 @@
"05b358de-aa6d-4f6c-89e6-78f74018b43b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Conhost Spawned By Suspicious Parent Process",
"sha256": "0437ed81150e42654cb33e6ad318152edb266126d44225341bc12cc678bc578e",
@@ -343,7 +322,7 @@
"0635c542-1b96-4335-9b47-126582d2c19a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Remote System Discovery Commands",
"sha256": "b86728d65216af8f9dfa8912908f8a4225fdff95bd52dd63c2483d7bdd8385b4",
@@ -359,7 +338,7 @@
"06568a02-af29-4f20-929c-f3af281e41aa": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "System Time Discovery",
"sha256": "6c4426a3866d01d267968dd2a284598d30d2c3b9e9c7caa7cc6ed10ec46ec261",
@@ -381,7 +360,7 @@
"06a7a03c-c735-47a6-a313-51c354aef6c3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Enumerating Domain Trusts via DSQUERY.EXE",
"sha256": "826697069ae29aadaacdd84897a741e47446903296eba95adab0ba771cfdbe5a",
@@ -404,7 +383,7 @@
"06dceabf-adca-48af-ac79-ffdf4c3b1e9a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Potential Evasion via Filter Manager",
"sha256": "b4231cb6409668adc787176da9f432d5d9c835cff96c03363e9ce8745301edd1",
@@ -420,7 +399,7 @@
"074464f9-f30d-4029-8c03-0ed237fffec7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh",
"sha256": "a22920bafaad8e23ba5d6eebfc838d200a2d39ff0987bc849ff03110e9fe7ba3",
@@ -441,16 +420,6 @@
"version": 312
},
"07639887-da3a-4fbf-9532-8ce748ff8c50": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 104,
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "21560cd77773e80fae169bfd655882afac47171cf7a2fc8057d3ffd28c537333",
"type": "eql",
"version": 5
}
},
"rule_name": "GitHub Protected Branch Settings Changed",
"sha256": "34997606e39596f070e68485f7d9feac3e3f8ce1c336aecbb8f98afb3b1e1b91",
"type": "eql",
@@ -465,7 +434,7 @@
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Local Account TokenFilter Policy Disabled",
"sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d",
@@ -512,7 +481,7 @@
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "First Time Seen Removable Device",
"sha256": "aec36fbd3822bf9e12b866c619574507647dfdec52725d3f77d00b7be3d4aaef",
@@ -557,16 +526,6 @@
"version": 110
},
"095b6a58-8f88-4b59-827c-ab584ad4e759": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "Member Removed From GitHub Organization",
"sha256": "425013c02e030ebacc0fd4c5249f59222b5afe82c2e8f03b6a1cc1139bdf917a",
"type": "eql",
"version": 3
}
},
"rule_name": "Member Removed From GitHub Organization",
"sha256": "2c13e8235f2ccb01b6e8191742db632dd78914afd8d4305a6445d06b907d6bf7",
"type": "eql",
@@ -605,19 +564,12 @@
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14",
"type": "query",
"version": 6
},
"8.12": {
"max_allowable_version": 207,
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
"sha256": "c9e9c7d9aeb625a2ff827174aa3e775a8396562727ff6250c64dbc0a9e2fe28e",
"type": "query",
"version": 108
}
},
"rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM",
@@ -634,7 +586,7 @@
"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Anomalous Windows Process Creation",
"sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c",
@@ -650,7 +602,7 @@
"0b2f3da5-b5ec-47d1-908b-6ebb74814289": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "User account exposed to Kerberoasting",
"sha256": "219b0df8371df6ea7c07119bc2f066c86112814dc9620531ceb2ad40ea8c9cc0",
@@ -712,7 +664,7 @@
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Peripheral Device Discovery",
"sha256": "d9d7783a57c30c4bb51fcc2f714e5ac5db80978cf14629962b24be7503ee539b",
@@ -770,16 +722,6 @@
"version": 111
},
"0e4367a0-a483-439d-ad2e-d90500b925fd": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87d0a19367e8add592f2100c95bd1076e0a1aea6b46d62bc39297eb59dffb3b8",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
"sha256": "87c53fc8cfc1a77be0a4e4e1323b5d6bb753604636a2e9bdeaa4910ebdf536ce",
"type": "new_terms",
@@ -800,7 +742,7 @@
"0e79980b-4250-4a50-a509-69294c14e84b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "MsBuild Making Network Connections",
"sha256": "dde434b8d763db265a284e83d3a6b88cf8b88da05acec8a4ef9f325b9c2ec960",
@@ -834,7 +776,7 @@
"0f93cb9a-1931-48c2-8cd0-f173fd3e5283": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Potential LSASS Memory Dump via PssCaptureSnapShot",
"sha256": "47d7607c096aab4bd73fbeb257e8746ed0ebb08d3f0e1cf65c62bc978d545735",
@@ -880,7 +822,7 @@
"1160dcdb-0a0a-4a79-91d8-9b84616edebd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential DLL Side-Loading via Trusted Microsoft Programs",
"sha256": "d2e9275f49d79f985078f90b204c71c5cc8da39f4545ee151878e99517456602",
@@ -896,7 +838,7 @@
"1178ae09-5aff-460a-9f2f-455cd0ac4d8e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "UAC Bypass via Windows Firewall Snap-In Hijack",
"sha256": "a2621f0e17b9625bfe787a3805bcca24cff11520ce44286c5c5c49488561f7fd",
@@ -931,7 +873,7 @@
"11dd9713-0ec6-4110-9707-32daae1ee68c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 113,
"rule_name": "PowerShell Script with Token Impersonation Capabilities",
"sha256": "6df7d5c060e8d61e90cfec0609cf1ff20b5d00a9a9710cad398debcbd37532d2",
@@ -947,7 +889,7 @@
"11ea6bec-ebde-4d71-a8e9-784948f8e3e9": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Third-party Backup Files Deleted via Unexpected Process",
"sha256": "ee76235d5b6aa99a7637cf85a3aa081f0e5a037d0d480e0ea6da5743bbb38967",
@@ -975,7 +917,7 @@
"1224da6c-0326-4b4f-8454-68cdc5ae542b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a User",
"sha256": "cb2a69fa201dd3ff5dce343a170be369ad36f706783f357da48c68a5642d8c0b",
@@ -1003,7 +945,7 @@
"128468bf-cab1-4637-99ea-fdf3780a4609": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Lsass Process Access",
"sha256": "5c2585fe5a2a7819a271da84ecd01be9aae6dd102b4b648aba3170d710547554",
@@ -1031,7 +973,7 @@
"12de29d4-bbb0-4eef-b687-857e8a163870": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential Exploitation of an Unquoted Service Path Vulnerability",
"sha256": "cfc3f15827b9bb563753aa681d0ca6558f43be24b76a68468ff0df98e1f80d7a",
@@ -1054,7 +996,7 @@
"12f07955-1674-44f7-86b5-c35da0a6f41a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious Cmd Execution via WMI",
"sha256": "9615cede41c17c4dfa309ed0a2cede4a5fa23734c8f00ec7f88b4bafd96f0177",
@@ -1077,7 +1019,7 @@
"1327384f-00f3-44d5-9a8c-2373ba071e92": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Persistence via Scheduled Job Creation",
"sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29",
@@ -1106,7 +1048,7 @@
"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Potential Ransomware Behavior - High count of Readme files by System",
"sha256": "39c607c5899fa2a4b06f20c10675605931045838a883996b8978c1a623348ea7",
@@ -1153,7 +1095,7 @@
"14dab405-5dd9-450c-8106-72951af2391f": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Office Test Registry Persistence",
"sha256": "b2c192b0f4c41a2de5c1f96b495002c57338a58a1e385275e8ea17208673bda2",
@@ -1175,7 +1117,7 @@
"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential Persistence via Time Provider Modification",
"sha256": "2536e138a13316b962ee6f5eb296c024e757f735e0e882e0c547eb4364066937",
@@ -1198,7 +1140,7 @@
"1502a836-84b2-11ef-b026-f661ea17fbcc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Successful Application SSO from Rare Unknown Client Device",
"sha256": "0e96c8cce04c0740655bdfdfb2ceafe48d7c5566b2841541dc102b046984bf7e",
@@ -1226,7 +1168,7 @@
"15a8ba77-1c13-4274-88fe-6bd14133861e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Scheduled Task Execution at Scale via GPO",
"sha256": "5a835be130b2d7d504bdf643f6c5b59025ee40eea781463a3ad0526d0dcdea26",
@@ -1242,7 +1184,7 @@
"15c0b7a7-9c34-4869-b25b-fa6518414899": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Remote File Download via Desktopimgdownldr Utility",
"sha256": "82b0a8a50a3ffeea555a5a4f4e12a8c825c7289a6d7e27a59e68bffc4c6d1863",
@@ -1283,7 +1225,7 @@
"166727ab-6768-4e26-b80c-948b228ffc06": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "File Creation Time Changed",
"sha256": "97689ef71b5c442a2f7ab44c32a163607b4189beb06ee6d37b4563b34ddedd0c",
@@ -1317,7 +1259,7 @@
"16fac1a1-21ee-4ca6-b720-458e3855d046": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Startup/Logon Script added to Group Policy Object",
"sha256": "30c1e02f8b5df888465f9f773cce6911948dbf981fe5e6478cf53dad158c8671",
@@ -1346,7 +1288,7 @@
"1781d055-5c66-4adf-9c59-fc0fa58336a5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Username",
"sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600",
@@ -1362,7 +1304,7 @@
"1781d055-5c66-4adf-9c71-fc0fa58338c7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Service",
"sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55",
@@ -1378,7 +1320,7 @@
"1781d055-5c66-4adf-9d60-fc0fa58337b6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Powershell Script",
"sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192",
@@ -1394,7 +1336,7 @@
"1781d055-5c66-4adf-9d82-fc0fa58449c8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Privilege Elevation Activity",
"sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251",
@@ -1410,7 +1352,7 @@
"1781d055-5c66-4adf-9e93-fc0fa69550c9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Remote User",
"sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad",
@@ -1432,7 +1374,7 @@
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Renamed Utility Executed with Short Program Name",
"sha256": "a898efb0f299871b59ba7adba9ad0da35c45be4f24097e4675a62d23663a67e7",
@@ -1454,7 +1396,7 @@
"181f6b23-3799-445e-9589-0018328a9e46": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Script Execution via Microsoft HTML Application",
"sha256": "8dcccb5d5071b3afa1eb7c8745394d66ab6fb8c1e33298891aea992e882930a5",
@@ -1543,7 +1485,7 @@
"1a6075b0-7479-450e-8fe7-b8b8438ac570": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Execution of COM object via Xwizard",
"sha256": "d5330b96f928f7e7a7a2cc531152af5ce8c6a2e9ed52235ce07ca406f8dda1be",
@@ -1572,7 +1514,7 @@
"1aa9181a-492b-4c01-8b16-fa0735786b2b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "User Account Creation",
"sha256": "51fbad167264e7d23b84626ae0142b5735da83770e53dbafaf844c6266b1f9b7",
@@ -1641,16 +1583,6 @@
"version": 102
},
"1ca62f14-4787-4913-b7af-df11745a49da": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "New GitHub App Installed",
"sha256": "02e98cecd6d72a19ba1f1961d35d14774632ecb42f89c7fc7f1e162b60bc89fe",
"type": "eql",
"version": 3
}
},
"rule_name": "New GitHub App Installed",
"sha256": "897ec14e1bc894e259a83272e939ee09fe5fa4d799ddec75b08a89e185b6bcec",
"type": "eql",
@@ -1659,7 +1591,7 @@
"1cd01db9-be24-4bef-8e7c-e923f0ff78ab": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Incoming Execution via WinRM Remote Shell",
"sha256": "c2dcf9dc41b1c7835b791709f6bae17ad8765e7d39f7ab93d95f5368f5330f3a",
@@ -1675,7 +1607,7 @@
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "6825b3b6f59f3739140778e442c12ae1438e63c45a99fd1d4ff94bda28de1b2e",
@@ -1691,7 +1623,7 @@
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Remote File Download via Script Interpreter",
"sha256": "3afe36281fd5b755b076bbb9801c4924e40bd5ea64954a50fc5bc408c7ddabed",
@@ -1719,7 +1651,7 @@
"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "PowerShell Script with Encryption/Decryption Capabilities",
"sha256": "bebecc71ea78fc04d87220b72ed8450adc877e7430358cbb0634a5f9ff266344",
@@ -1735,7 +1667,7 @@
"1dcc51f6-ba26-49e7-9ef4-2655abb2361e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "UAC Bypass via DiskCleanup Scheduled Task Hijack",
"sha256": "7dd8220ed8a7e8190861088dcf735ec663fdc118c9226fe5a0cbd711ba56e81f",
@@ -1764,7 +1696,7 @@
"1defdd62-cd8d-426e-a246-81a37751bb2b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Execution of File Written or Modified by PDF Reader",
"sha256": "b1632c3ea7afb58a44d388ad05920751d22614d6714b65ffeb29af66d7ebf70d",
@@ -1786,19 +1718,12 @@
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06",
"type": "query",
"version": 6
},
"8.12": {
"max_allowable_version": 208,
"rule_name": "PowerShell Script with Discovery Capabilities",
"sha256": "84304c49d97dfd2c29bf2dac4eab3f95bd8ec1c210dde0c3c55dffb087436df1",
"type": "query",
"version": 109
}
},
"rule_name": "PowerShell Script with Discovery Capabilities",
@@ -1815,7 +1740,7 @@
"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Creation of a DNS-Named Record",
"sha256": "1b392cf50fd5083faedc5e84700d71550e9da1adcd4b2de26a285e88c8bf84e3",
@@ -1831,7 +1756,7 @@
"1e6363a6-3af5-41d4-b7ea-d475389c0ceb": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Creation of SettingContent-ms Files",
"sha256": "a70ff9e091484d965ff3685d7e196ddebed427ccb1b700563fad5c6a47880a39",
@@ -1845,16 +1770,6 @@
"version": 106
},
"1e9b271c-8caa-4e20-aed8-e91e34de9283": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "c4f772b100c3877e71a485342787e5f29775002ef02710d07bffd3db397230d0",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)",
"sha256": "3fbd0a6e68860fbf412958b71752c7ba5a4c24d66e5a49b41c27c17021ab596b",
"type": "new_terms",
@@ -1869,7 +1784,7 @@
"1f0a69c0-3392-4adf-b7d5-6012fd292da8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell",
"sha256": "dac35e0c6992ca7c37e472c37d77eaf0c2e9f17c74efd5f6531194cc4a769762",
@@ -1892,7 +1807,7 @@
"1f460f12-a3cf-4105-9ebb-f788cc63f365": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Unusual Process Execution on WBEM Path",
"sha256": "5e69bca88bf1a332578110580989822ab6a36beaee0c2a1278161135f3785eb8",
@@ -1914,7 +1829,7 @@
"1fe3b299-fbb5-4657-a937-1d746f2c711a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Unusual Network Activity from a Windows System Binary",
"sha256": "065d31dda5018a121026016d00d6c7245d1656c3ef25f36665984764f64a2e74",
@@ -1936,7 +1851,7 @@
"201200f1-a99b-43fb-88ed-f65a45c4972c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious .NET Code Compilation",
"sha256": "db2f8575c9e60cf49f9d13b3a8fba24af09922368ddad48fe7a80d1dda9519f0",
@@ -1965,7 +1880,7 @@
"203ab79b-239b-4aa5-8e54-fc50623ee8e4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Creation or Modification of Root Certificate",
"sha256": "3f84e82e7eeac167ba639d999edb121e0b7b2d9ccae3655a4d3d543667794332",
@@ -2000,7 +1915,7 @@
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Werfault ReflectDebugger Persistence",
"sha256": "b892d4534c1a5905601ccc529ccaedbf3f944ac4e46b8475f4ac04d2752af982",
@@ -2023,7 +1938,7 @@
"208dbe77-01ed-4954-8d44-1e5751cb20de": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "LSASS Memory Dump Handle Access",
"sha256": "13217b6a2a8a60bd16c88f972c5a154d41523241776c401344cd37421eaf13ef",
@@ -2063,7 +1978,7 @@
"220be143-5c67-4fdb-b6ce-dd6826d024fd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Full User-Mode Dumps Enabled System-Wide",
"sha256": "1cc91703e211a89bc8b1f0519649e4e3958193ad7f77cdd75d2aed5b9c6e1a1b",
@@ -2141,16 +2056,6 @@
"version": 103
},
"24401eca-ad0b-4ff9-9431-487a8e183af9": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 104,
"rule_name": "New GitHub Owner Added",
"sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764",
"type": "eql",
"version": 5
}
},
"rule_name": "New GitHub Owner Added",
"sha256": "115ea41b985ec203d083a037d276871783e3c8917b61ec08f272363ccfdf91d6",
"type": "eql",
@@ -2159,7 +2064,7 @@
"25224a80-5a4a-4b8a-991e-6ab390465c4f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Lateral Movement via Startup Folder",
"sha256": "b8f39d602ba7bf7b7f9c6c542137ef20c80ade3c7f0d9b301172e371a1458381",
@@ -2182,7 +2087,7 @@
"2553a9af-52a4-4a05-bb03-85b2a479a0a0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell HackTool Script by Author",
"sha256": "73577478f9ddc1f86f6e593172107b94cb54d7aa9ae3d818dd6196eaf5dd05f4",
@@ -2216,7 +2121,7 @@
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "7a3d426a1ac2b37234e68f5e0a483090a417880f2918593a15ecb6dd691ffc5a",
@@ -2238,7 +2143,7 @@
"263481c8-1e9b-492e-912d-d1760707f810": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Relay Attack against a Domain Controller",
"sha256": "a6d31b2e82a80eb8609b1bb25461fd5d2588fdfba77a75c4df407666b1f6dce2",
@@ -2260,7 +2165,7 @@
"265db8f5-fc73-4d0d-b434-6483b56372e2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Persistence via Update Orchestrator Service Hijack",
"sha256": "b97eb034c01d5415f2b4529e1b4aeacb6d1b5858e035d9f7b16071f08a107800",
@@ -2301,7 +2206,7 @@
"26f68dba-ce29-497b-8e13-b4fde1db5a2d": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempts to Brute Force a Microsoft 365 User Account",
"sha256": "d99f8d2a53313d1324ea4635f6235c36145f3ce8bb4f95324fa5e25e09a6d5a4",
@@ -2317,19 +2222,12 @@
"27071ea3-e806-4697-8abc-e22c92aa4293": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f",
"type": "query",
"version": 5
},
"8.12": {
"max_allowable_version": 207,
"rule_name": "PowerShell Script with Archive Compression Capabilities",
"sha256": "6bf709b275145a7968784c0cad4cc126d1032ae778c4d23e18d5502e0c430d95",
"type": "query",
"version": 108
}
},
"rule_name": "PowerShell Script with Archive Compression Capabilities",
@@ -2352,7 +2250,7 @@
"2772264c-6fb9-4d9d-9014-b416eed21254": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Incoming Execution via PowerShell Remoting",
"sha256": "115702bf56a63d8b0495b440b3bc5f48f161657df80ecb5dd778177cad8cf99b",
@@ -2380,7 +2278,7 @@
"2820c9c2-bcd7-4d6e-9eba-faf3891ba450": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 215,
"rule_name": "Account Password Reset Remotely",
"sha256": "dbf803fd05859ae76bda5f4e085129d4a5f840731285774dfae887a28a0e6799",
@@ -2403,7 +2301,7 @@
"2856446a-34e6-435b-9fb5-f8f040bfa7ed": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Account Discovery Command via SYSTEM Account",
"sha256": "7395e4f0038f91caff80f8f82fb7a573cc2e3be731008e546f8e2f2738da7397",
@@ -2473,7 +2371,7 @@
"290aca65-e94d-403b-ba0f-62f320e63f51": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "UAC Bypass Attempt via Windows Directory Masquerading",
"sha256": "5cfe971491ae9ff4d1d7dfd27691dc0cdebf5a8553599712008e0504e0d7cc4c",
@@ -2496,7 +2394,7 @@
"2917d495-59bd-4250-b395-c29409b76086": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Web Shell Detection: Script Process Child of Common Web Processes",
"sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609",
@@ -2519,19 +2417,12 @@
"291a0de9-937a-4189-94c0-3e847c8b13e4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d",
"type": "new_terms",
"version": 211
},
"8.12": {
"max_allowable_version": 414,
"rule_name": "Enumeration of Privileged Local Groups Membership",
"sha256": "d286b03f6c891c4896afed86b560e97a72abef0f4f7984b2038916c0f9ef4ba4",
"type": "new_terms",
"version": 315
}
},
"rule_name": "Enumeration of Privileged Local Groups Membership",
@@ -2542,7 +2433,7 @@
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "820c807bc5e8308b926a9cc3e3b84579b2b3877122e8c4d8426431805a1a4c47",
@@ -2588,7 +2479,7 @@
"2bf78aa2-9c56-48de-b139-f169bf99cf86": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Adobe Hijack Persistence",
"sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe",
@@ -2611,7 +2502,7 @@
"2c17e5d7-08b9-43b2-b58a-0270d65ac85b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Windows Defender Exclusions Added via PowerShell",
"sha256": "b95385a7d952e6ebfbd2f2ae7bbe30b6d5de147c62e65cd3d41cef860b2b13b1",
@@ -2634,7 +2525,7 @@
"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious Microsoft Diagnostics Wizard Execution",
"sha256": "afff98a0b90a5aae640601eba5921162ce7572b6838da100bc6c1a0be27e6f22",
@@ -2650,7 +2541,7 @@
"2c6a6acf-0dcb-404d-89fb-6b0327294cfa": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Potential Foxmail Exploitation",
"sha256": "a4f0739152df6e638b21a5eac1cc7cf12b94d145b6cccfb04e27fdce391b2f91",
@@ -2673,7 +2564,7 @@
"2d62889e-e758-4c5e-b57e-c735914ee32a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious PowerShell Execution via Windows Scripts",
"sha256": "809e425e3a5be9a9800b6d14b48f314124436ff849b26df4baf4ff68b0da5cbf",
@@ -2702,7 +2593,7 @@
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Suspicious Process Access via Direct System Call",
"sha256": "aaba8635a16d40c33ab3f1e45cdefdd5afa1682b6b46e0a9e59bb5714053e328",
@@ -2730,7 +2621,7 @@
"2de87d72-ee0c-43e2-b975-5f0b029ac600": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Wireless Credential Dumping using Netsh Command",
"sha256": "7e5b7e7f86dcf4fbb6d5372775029f3abd32e945f33ed157e27d84917858b727",
@@ -2753,7 +2644,7 @@
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Renamed AutoIt Scripts Interpreter",
"sha256": "c9fca874ba0aea66a0b05cce3eff5be4bec6fd71adbcdabb89b538dfe2294d8b",
@@ -2769,7 +2660,7 @@
"2e29e96a-b67c-455a-afe4-de6183431d0d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Potential Process Injection via PowerShell",
"sha256": "5b87e1ff673e96046b8a94a9a5aa5135f3d5993a7c6cb7cbb27f420605413029",
@@ -2785,7 +2676,7 @@
"2e311539-cd88-4a85-a301-04f38795007c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Accessing Outlook Data Files",
"sha256": "a0b1ea8add4c4ec61339a2fcb49fe3d78db9aafb5f670e041383d82edaedb473",
@@ -2801,7 +2692,7 @@
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
@@ -2830,7 +2721,7 @@
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "79fe2f7b518213d1f446515f7a7b768af9118e6217220e52e9e106464cc3c478",
@@ -2859,7 +2750,7 @@
"2f2f4939-0b34-40c2-a0a3-844eb7889f43": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "PowerShell Suspicious Script with Audio Capture Capabilities",
"sha256": "c854f417e250f05be348cb5bd38338d7abaf467dc4b5ab1ef0fd15c0fe00d652",
@@ -2893,7 +2784,7 @@
"2ffa1f1e-b6db-47fa-994b-1512743847eb": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Windows Defender Disabled via Registry Modification",
"sha256": "3a93523d026c5a673617ab034e9aacbeef768ba67239b7db35fd13d4082ed83b",
@@ -2957,7 +2848,7 @@
"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Bypass UAC via Event Viewer",
"sha256": "6803ee7c44e816c648b5cb1c7638f63b9a8952d06dc27673a10931537edcc6c7",
@@ -3004,7 +2895,7 @@
"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Program Files Directory Masquerading",
"sha256": "258a6e5c72a134ab06314270a0d8709dc02f850f08ae059cb9eb2467a30befef",
@@ -3033,7 +2924,7 @@
"32f4675e-6c49-4ace-80f9-97c9259dca2e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious MS Outlook Child Process",
"sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172",
@@ -3084,16 +2975,6 @@
"version": 1
},
"345889c4-23a8-4bc0-b7ca-756bd17ce83b": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 101,
"rule_name": "GitHub Repository Deleted",
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
"type": "eql",
"version": 2
}
},
"rule_name": "GitHub Repository Deleted",
"sha256": "e9e82f5d7ee55a265684b97bea6518e4cefa09ffbe5466a156316ba98ba8c744",
"type": "eql",
@@ -3120,7 +3001,7 @@
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Port Forwarding Rule Addition",
"sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d",
@@ -3156,7 +3037,7 @@
"35df0dd8-092d-4a83-88c1-5151a804f31b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Unusual Parent-Child Relationship",
"sha256": "914d7f53a2ee88fb24cd106ea8100b9f3a6f609a3e4eab9c8ca6de797f755dd0",
@@ -3197,7 +3078,7 @@
"36a8e048-d888-4f61-a8b9-0f9e2e40f317": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious ImagePath Service Creation",
"sha256": "7c1d04e302bd0cc733f293024b81bb5d74dbde9e0d8fe8b71b07db53d4157eeb",
@@ -3262,7 +3143,7 @@
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Attempted Bypass of Okta MFA",
"sha256": "436f9223ccab6fbb608cefb2a5a48747ed6134e25ee80358b92152f4fb0ba1f4",
@@ -3278,7 +3159,7 @@
"3838e0e3-1850-4850-a411-2e8c5ba40ba8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Network Connection via Certutil",
"sha256": "abedf8ad3f6cbec189082eb584ef1af665eec659cf86b4d8f4c76e7aefa8e1be",
@@ -3336,7 +3217,7 @@
"397945f3-d39a-4e6f-8bcb-9656c2031438": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Persistence via Microsoft Outlook VBA",
"sha256": "552ee91e75f7ccd44773852337f72d88a83bf6868aa5afbefe6ff4634db9fff3",
@@ -3365,7 +3246,7 @@
"3a59fc81-99d3-47ea-8cd6-d48d561fca20": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential DNS Tunneling via NsLookup",
"sha256": "6000c31bea360c0d9b1d37463b62aaa348ae174cd150d753a365830bfab75447",
@@ -3394,7 +3275,7 @@
"3a657da0-1df2-11ef-a327-f661ea17fbcc": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Rapid7 Threat Command CVEs Correlation",
"sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1",
@@ -3426,16 +3307,6 @@
"version": 103
},
"3af4cb9b-973f-4c54-be2b-7623c0e21b2b": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "4d1bb8c98fc64a88e74bb4e5379ca7a368d1223b9cfd87c6711e8cdb55b2e93a",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of IP Address For GitHub User",
"sha256": "b7131b6f584015bb7679a12da45a1e4fffb66f5030d7fb222c39607df18a2c54",
"type": "new_terms",
@@ -3450,7 +3321,7 @@
"3b47900d-e793-49e8-968f-c90dc3526aa1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Unusual Parent Process for cmd.exe",
"sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b",
@@ -3473,7 +3344,7 @@
"3bc6deaa-fbd4-433a-ae21-3e892f95624f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "NTDS or SAM Database File Copied",
"sha256": "69c5c662633b3e2c7294f38dc1d1f983aa3bd4d8861b680baea696b37b0c4686",
@@ -3502,7 +3373,7 @@
"3d00feab-e203-4acc-a463-c3e15b7e9a73": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "ScreenConnect Server Spawning Suspicious Processes",
"sha256": "644088f8272495a09f98f2e60b82bdc7e491488962026c367645213608a99d86",
@@ -3525,19 +3396,12 @@
"3d3aa8f9-12af-441f-9344-9f31053e316d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0",
"type": "query",
"version": 5
},
"8.12": {
"max_allowable_version": 207,
"rule_name": "PowerShell Script with Log Clear Capabilities",
"sha256": "8d47f5eaa5c9f058fdbe3f27d372e37c1166e236a41a1ba4383f97faa18e2972",
"type": "query",
"version": 108
}
},
"rule_name": "PowerShell Script with Log Clear Capabilities",
@@ -3566,7 +3430,7 @@
"3e0eeb75-16e8-4f2f-9826-62461ca128b7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Execution via Windows Subsystem for Linux",
"sha256": "8a6f3d4d6d2ab609c03f95537b72d713e9810f920db111edecb52d9d38d8f6de",
@@ -3607,7 +3471,7 @@
"3ecbdc9e-e4f2-43fa-8cca-63802125e582": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Privilege Escalation via Named Pipe Impersonation",
"sha256": "07b7a1afa550e1df6cbbf323c40b3819f4f1cdbd327efeabd9ad0efac059d864",
@@ -3630,7 +3494,7 @@
"3ed032b2-45d8-4406-bc79-7ad1eabb2c72": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Suspicious Process Creation CallTrace",
"sha256": "198d879bb094b81e6bb30e836abf7c7c2a2d4b08cf6f8de140a531126de8f927",
@@ -3688,7 +3552,7 @@
"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a User",
"sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134",
@@ -3702,16 +3566,6 @@
"version": 107
},
"4030c951-448a-4017-a2da-ed60f6d14f4f": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "GitHub User Blocked From Organization",
"sha256": "6f42e7b01599241829e9077f402bbf6ff1ee20d99e201fb4416aeb827edbcce6",
"type": "eql",
"version": 3
}
},
"rule_name": "GitHub User Blocked From Organization",
"sha256": "5256174243858a4702bd8a6c302eec9e92971c529fa90cf3d14016b0f8e7af2e",
"type": "eql",
@@ -3720,7 +3574,7 @@
"403ef0d3-8259-40c9-a5b6-d48354712e49": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Unusual Persistence via Services Registry",
"sha256": "9124fc2a6d76be52cfaaa7edfd6b3c4272290e8964d42e59d8f1d1fba215848a",
@@ -3755,7 +3609,7 @@
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Control Panel Process with Unusual Arguments",
"sha256": "0ec964d19b677c5a3602725e1d6954220c23d9d952c16ff1b6da2eea29a44e72",
@@ -3776,16 +3630,6 @@
"version": 313
},
"41761cd3-380f-4d4d-89f3-46d6853ee35d": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "a9f5a86fb7a36ee7d65d9e567514f2f7240710d978434b414df63e8a2255365d",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of User-Agent For a GitHub User",
"sha256": "430f2a7d89f054dd07b65a39c6bc2206d60a54d4cf60987016ddc2ad868e8952",
"type": "new_terms",
@@ -3825,7 +3669,7 @@
"42bf698b-4738-445b-8231-c834ddefd8a0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Okta Brute Force or Password Spraying Attack",
"sha256": "8cb82022ca04ad306c8f666ca1ebda971f41e8fb038555e01889eb1ffa9140f8",
@@ -3841,7 +3685,7 @@
"42eeee3d-947f-46d3-a14d-7036b962c266": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Process Creation via Secondary Logon",
"sha256": "525c2144bf947ec8f46831b5237798e93320e6a3b2913ac51d2c48ec4c21c257",
@@ -3875,7 +3719,7 @@
"440e2db4-bc7f-4c96-a068-65b78da59bde": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Startup Persistence by a Suspicious Process",
"sha256": "5baf6e3486c22a80384b9ddf3b38bad2c2d273785cd3fddd585a2a2fdbf24d77",
@@ -3898,7 +3742,7 @@
"445a342e-03fb-42d0-8656-0367eb2dead5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Unusual Windows Path Activity",
"sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94",
@@ -3920,7 +3764,7 @@
"44fc462c-1159-4fa8-b1b7-9b6296ab4f96": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Multiple Vault Web Credentials Read",
"sha256": "c1d407b17617d847a235c98e3d883e34fbac8e998edb79f15b1691b8a196691a",
@@ -3954,7 +3798,7 @@
"45ac4800-840f-414c-b221-53dd36a5aaf7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Windows Event Logs Cleared",
"sha256": "5b47360215d43475d7848120c7ed6f96afd5484ad1f0c017dae282578f91ae27",
@@ -3970,7 +3814,7 @@
"45d273fb-1dca-457d-9855-bcb302180c21": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Encrypting Files with WinRar or 7z",
"sha256": "290b151b10a6eaef87bb1d4a1dd273bd7a7c6b9c9c883d653da3bc809f159060",
@@ -3986,7 +3830,7 @@
"4630d948-40d4-4cef-ac69-4002e29bc3db": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Adding Hidden File Attribute via Attrib",
"sha256": "7a07d3a3c11d1364d2b213517c43cc9fab8aab4adc8c2f3595c4bedba3f5765f",
@@ -4009,7 +3853,7 @@
"4682fd2c-cfae-47ed-a543-9bed37657aa6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Local NTLM Relay via HTTP",
"sha256": "8c08daa0c05dcee4ed2250136b61ff79be87b9d5b3145a67e7b5aa0114bb3b8e",
@@ -4056,7 +3900,7 @@
"47e22836-4a16-4b35-beee-98f6c4ee9bf2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious Remote Registry Access via SeBackupPrivilege",
"sha256": "db3a65169012dac186a9754967eed11718d796fb3ef2dd13f033532b7c786a40",
@@ -4084,7 +3928,7 @@
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Microsoft Exchange Server UM Spawning Suspicious Processes",
"sha256": "e00daf78742e5d25f05f11ec86efbda6a185e2b45e5738e6abd73e6795530c1f",
@@ -4119,7 +3963,7 @@
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Multiple Logon Failure from the same Source Address",
"sha256": "36369b787180e53e8d9a0921e177975ce33ac03e4c3e101837cc43faa0aba56f",
@@ -4177,7 +4021,7 @@
"4982ac3e-d0ee-4818-b95d-d9522d689259": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Process Discovery Using Built-in Tools",
"sha256": "35cd1983ce5cf5a7d22b79416e565bed4c3f3295030450046ee07050ee83efb1",
@@ -4217,7 +4061,7 @@
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Disable Windows Firewall Rules via Netsh",
"sha256": "d18f0d4efc2ad5ade11890ab3e5f0a54d4521162528adffcd92bd7c037fb44de",
@@ -4258,7 +4102,7 @@
"4bd1c1af-79d4-4d37-9efa-6e0240640242": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Unusual Process Execution Path - Alternate Data Stream",
"sha256": "8cd12a854dbd43e2cd0db12f9515413ced21fa11fbc405bf87983c4e4635ae45",
@@ -4281,7 +4125,7 @@
"4c59cff1-b78a-41b8-a9f1-4231984d1fb6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "PowerShell Share Enumeration Script",
"sha256": "95583fef64f6c5454d616320d43ceda2a467cb8e217231374faa423e8363fdf1",
@@ -4315,7 +4159,7 @@
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Disable Windows Event and Security Logs Using Built-in Tools",
"sha256": "fb9bb254f0e60ed51d8d4e297aad53df545a43f086e4549a1c1f54743463a299",
@@ -4338,7 +4182,7 @@
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Multiple Logon Failure Followed by Logon Success",
"sha256": "bf31596123965d48e9aa656e0e935a6038395a1f7aa60a94aca3e18d72b79dc8",
@@ -4360,7 +4204,7 @@
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Execution via MSSQL xp_cmdshell Stored Procedure",
"sha256": "759a649928bcc0a0a2cfa9af0084ced15bad00665e20e163f96e50d748c6cf97",
@@ -4383,7 +4227,7 @@
"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Script Object Execution",
"sha256": "ff51979abf90a96b0ab21324887f4c1b54fce14ba48a37fa78f1350865e6b77f",
@@ -4399,7 +4243,7 @@
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Unauthorized Access to an Okta Application",
"sha256": "95e0cd3a2a3bc15c0bbbd9e22b5a372804d997f19dadf55ebf29acb592d16269",
@@ -4422,7 +4266,7 @@
"4fe9d835-40e1-452d-8230-17c147cafad8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Execution via TSClient Mountpoint",
"sha256": "13f5cc6ad0ceb744bd444965dad8371e0611a07853e0a95e644693752311fef2",
@@ -4445,7 +4289,7 @@
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy",
"sha256": "896180c01cd25b69f007c4d08fd62ffe4932d008921e11caacaa7ba40718cbdb",
@@ -4467,7 +4311,7 @@
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Windows System Information Discovery",
"sha256": "bb14ae17071b97cd7b9fe8499c6dcdda0096740071a0341b6782765f3d928155",
@@ -4489,7 +4333,7 @@
"513f0ffd-b317-4b9c-9494-92ce861f22c7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Registry Persistence via AppCert DLL",
"sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d",
@@ -4524,7 +4368,7 @@
"5188c68e-d3de-4e96-994d-9e242269446f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Service DACL Modification via sc.exe",
"sha256": "9c5a9c19d4b67840dde2145064352324b6f1374a3fb8b77016e69e70c047fb9d",
@@ -4553,7 +4397,7 @@
"51ce96fb-9e52-4dad-b0ba-99b54440fc9a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Incoming DCOM Lateral Movement with MMC",
"sha256": "7592f24cbedd399be83dd10921cadbae21a7f07859288848bc34cce173c9a03a",
@@ -4593,7 +4437,7 @@
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Unusual Network Connection via RunDLL32",
"sha256": "30b9af8ec0f1c7c96bfc668ec005cc11e6b68a9d649ea1270b7f576bc393b37b",
@@ -4657,7 +4501,7 @@
"53a26770-9cbd-40c5-8b57-61d01a325e14": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Suspicious PDF Reader Child Process",
"sha256": "189fc5da545a292982fe7c5e2d385b615084e5e802f77adec7944ec327009f12",
@@ -4680,7 +4524,7 @@
"53dedd83-1be7-430f-8026-363256395c8b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Binary Content Copy via Cmd.exe",
"sha256": "72677413c70aa85a2e7dedc6fd503e8b8a5d600f704cc1d1be1b63bb8f82b67b",
@@ -4696,7 +4540,7 @@
"54902e45-3467-49a4-8abc-529f2c8cfb80": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Uncommon Registry Persistence Change",
"sha256": "b18ae237ecf1195a3a18d5e282ebbd4f5b841f81e0b4589c75029d4e2509468a",
@@ -4712,19 +4556,12 @@
"54a81f68-5f2a-421e-8eed-f888278bb712": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2",
"type": "query",
"version": 8
},
"8.12": {
"max_allowable_version": 209,
"rule_name": "Exchange Mailbox Export via PowerShell",
"sha256": "e09d7504c58220644bf1c098939cbcec1d55363c7d058a31754ae18efb66dc74",
"type": "query",
"version": 110
}
},
"rule_name": "Exchange Mailbox Export via PowerShell",
@@ -4735,7 +4572,7 @@
"54c3d186-0461-4dc3-9b33-2dc5c7473936": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Network Logon Provider Registry Modification",
"sha256": "9838e651bcc3ca696c8bbe02db34f5ab98e93e30ff733022c2f835f995de5698",
@@ -4751,7 +4588,7 @@
"55c2bf58-2a39-4c58-a384-c8b1978153c2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Windows Service Installed via an Unusual Client",
"sha256": "98cb1835def5a7a494d229dd5fe558e75afce8c5dfa2aa0f39ff9e0f71871347",
@@ -4767,7 +4604,7 @@
"55d551c6-333b-4665-ab7e-5d14a59715ce": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "PsExec Network Connection",
"sha256": "b8614692008af5d487ed9f78c60675e92dacc3a24fce20a66b3c3b9fd0567f66",
@@ -4789,7 +4626,7 @@
"56004189-4e69-4a39-b4a9-195329d226e9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Host",
"sha256": "288753c0acbb4ead22f3c4e6457bb3ea4019d812147816fc00c1b4c855ae4098",
@@ -4805,7 +4642,7 @@
"5610b192-7f18-11ee-825b-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
"sha256": "97cd8c1494717168fc997e2a29f7c928e6c0998706201fe3ff2715b05271179a",
@@ -4821,7 +4658,7 @@
"56557cde-d923-4b88-adee-c61b3f3b5dc3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)",
"sha256": "0e87c9e449804be35d7c6b0b54a4b6dac4a0c973fdf92f2645b9f7c3ab8c20f7",
@@ -4855,19 +4692,12 @@
"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell PSReflect Script",
"sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179",
"type": "query",
"version": 110
},
"8.12": {
"max_allowable_version": 312,
"rule_name": "PowerShell PSReflect Script",
"sha256": "aad7b1f375e681f444c68f70ea1f4d7e576d7026cb010039451c1d68a5511d7d",
"type": "query",
"version": 213
}
},
"rule_name": "PowerShell PSReflect Script",
@@ -4902,7 +4732,7 @@
"577ec21e-56fe-4065-91d8-45eb8224fe77": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell MiniDump Script",
"sha256": "e3e3e2fe5144a3499378aee5b2b69396812d7753cec0e05000a5910187f5684b",
@@ -4918,7 +4748,7 @@
"57bccf1d-daf5-4e1a-9049-ff79b5254704": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "File Staged in Root Folder of Recycle Bin",
"sha256": "314fd493ccc29a7d204cbc4bd9b1fee4617aab19751fa9b6d304348f028bc6eb",
@@ -4934,7 +4764,7 @@
"57bfa0a9-37c0-44d6-b724-54bf16787492": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "DNS Global Query Block List Modified or Disabled",
"sha256": "fbf28db5104a48b0e0d2f1bab198d6d68917d37647526eb57c33227ecca28773",
@@ -4957,7 +4787,7 @@
"581add16-df76-42bb-af8e-c979bfb39a59": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Deleting Backup Catalogs with Wbadmin",
"sha256": "26f2805142740943d3a337737f94aa2adb368dc09f37ec38fe749edf716118e2",
@@ -4980,7 +4810,7 @@
"58aa72ca-d968-4f34-b9f7-bea51d75eb50": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "RDP Enabled via Registry",
"sha256": "cc3b7feb0e1ccaa779028782f8c1ca3d74ab3205d07bed48fd41e36f7a0e35a1",
@@ -5051,7 +4881,7 @@
"5a14d01d-7ac8-4545-914c-b687c2cf66b3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface",
"sha256": "de3f257cc742ca2b940857157f38cb15c99e74a1a22250b9dff96d6e8a1685c4",
@@ -5098,7 +4928,7 @@
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Secure File Deletion via SDelete Utility",
"sha256": "b6aed219192c8865a107b6529d4d67d837edb4ed446fb8d026683108c4fbcd30",
@@ -5145,7 +4975,7 @@
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
"sha256": "f8b5d6b8dcd9ba7c0a8a5e3c777145a5ab964529eb766fbf5cab16a47349ead2",
@@ -5180,7 +5010,7 @@
"5c602cba-ae00-4488-845d-24de2b6d8055": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Veeam Credential Access Capabilities",
"sha256": "c0587692912a44911b8bcee6cdac91e78ac6b0129e9fbb395e8b9c0381312ad0",
@@ -5196,7 +5026,7 @@
"5c6f4c58-b381-452a-8976-f1b1c6aa0def": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 112,
"rule_name": "FirstTime Seen Account Performing DCSync",
"sha256": "e8f2e9d239fe934d39d2496d41056a475a491501fc1284c105d1ec26357a2106",
@@ -5236,7 +5066,7 @@
"5cd55388-a19c-47c7-8ec4-f41656c2fded": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Outbound Scheduled Task Activity via PowerShell",
"sha256": "5ada5aa4950b558d35b6ee6b887c4c5d19357e656ab559a8be06723f99df0b80",
@@ -5252,7 +5082,7 @@
"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "User Added to Privileged Group",
"sha256": "d38fab04d93fbbb1473131509d9b6cd0bd610885369860d4fbc428e46abb34de",
@@ -5268,7 +5098,7 @@
"5cf6397e-eb91-4f31-8951-9f0eaa755a31": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Persistence via PowerShell profile",
"sha256": "63c2a0fb94471a31f7240d9055c159236c52f32dc1da1e3e4487dbf3479a6b60",
@@ -5297,7 +5127,7 @@
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Execution via Scheduled Task",
"sha256": "8770d2c4c9b63e14c6650ff49d6189b56e44b26eb7c08a64542b185c65a01e75",
@@ -5313,7 +5143,7 @@
"5d676480-9655-4507-adc6-4eec311efff8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Unsigned DLL loaded by DNS Service",
"sha256": "6cb0f50b9083f11e35a528ca1c9f073dcef46992d57b6a063637ff826dca43d7",
@@ -5366,7 +5196,7 @@
"5f2f463e-6997-478c-8405-fb41cc283281": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential File Download via a Headless Browser",
"sha256": "07bc7d436acd1fee6bb5095ececc82cea05e2662cc4170c6c4101acad12bd670",
@@ -5413,7 +5243,7 @@
"610949a1-312f-4e04-bb55-3a79b8c95267": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Unusual Process Network Connection",
"sha256": "be0a23cd5db1b1e9744ba6f8cfcbf419e70e2759108952394b4fd53a17da615c",
@@ -5427,16 +5257,6 @@
"version": 208
},
"61336fe6-c043-4743-ab6e-41292f439603": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "New User Added To GitHub Organization",
"sha256": "90e535bf6daf394c14fb7d463f3a44120bd3a7a8df82406b1481123c490c23e8",
"type": "eql",
"version": 3
}
},
"rule_name": "New User Added To GitHub Organization",
"sha256": "2c3b9ea33c3871c5cd9de7aa8d9393e10da0eae719587560cacb5d0c445e6dd4",
"type": "eql",
@@ -5445,7 +5265,7 @@
"61766ef9-48a5-4247-ad74-3349de7eb2ad": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Interactive Logon by an Unusual Process",
"sha256": "bf2b28b3ee264bd7593059a42fb95b93b34b79c0296e85ea353384200ca44764",
@@ -5461,19 +5281,12 @@
"61ac3638-40a3-44b2-855a-985636ca985e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e",
"type": "query",
"version": 113
},
"8.12": {
"max_allowable_version": 315,
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
"sha256": "4674c3f02c5b785102dd9e8a442c1cb0f8c3692d1e1ab3997c6c1e52679754b8",
"type": "query",
"version": 216
}
},
"rule_name": "PowerShell Suspicious Discovery Related Windows API Functions",
@@ -5490,7 +5303,7 @@
"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "AdminSDHolder SDProp Exclusion Added",
"sha256": "61e5e9cb9893a7e21a7314d6953f624a9d9e7e05e283ac34d508735fddcf87b7",
@@ -5506,7 +5319,7 @@
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "2a4625ab52d97815dbf70120074de6b41c8cfa8646f7fbdf64a43f2154a56dba",
@@ -5522,7 +5335,7 @@
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
"sha256": "1c55d7f1db000719100662727934048ed282c6ca81a2401c68eb6de8edb1d08e",
@@ -5544,7 +5357,7 @@
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "09003a6823150f57bc5b81c6c0599e50317ea46ebabc44f362e8adf0ca9a0b62",
@@ -5596,7 +5409,7 @@
"63e65ec3-43b1-45b0-8f2d-45b34291dc44": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Signed Binary",
"sha256": "a46c6b82143566c72c64c8288c549942594363613f856106a1b1e22b529caf49",
@@ -5642,7 +5455,7 @@
"65432f4a-e716-4cc1-ab11-931c4966da2d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "MsiExec Service Child Process With Network Connection",
"sha256": "861bc19c8f4196effc1ddc59a6929d979c132b0e3a3507da3f10ac1d760a1287",
@@ -5683,7 +5496,7 @@
"6649e656-6f85-11ef-8876-f661ea17fbcc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials",
"sha256": "e69ee03fc010f4a8437a4f96b609e58a06e6818ab1fd78adaae4882647086576",
@@ -5699,7 +5512,7 @@
"665e7a4f-c58e-4fc6-bc83-87a7572670ac": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "WebServer Access Logs Deleted",
"sha256": "3d487bb5d79f8850a52e52a4d8158c8d8fd68de886f1709be2af9495356e8977",
@@ -5739,7 +5552,7 @@
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 112,
"rule_name": "Modification of the msPKIAccountCredentials",
"sha256": "d53d5a4467e47eb48356c3b13a7d5a888133b68942c45901923d5d26b6a21804",
@@ -5755,7 +5568,7 @@
"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Policy",
"sha256": "b6e97191c4de2f2e5ddb2ad2426d48f084ef3a9096a0593590dd4bf268ef7a48",
@@ -5777,7 +5590,7 @@
"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Revoke Okta API Token",
"sha256": "0c69c152fc76613c96c79e36913708ea34f396735cc588e6ad49a07839524a93",
@@ -5811,7 +5624,7 @@
"6839c821-011d-43bd-bd5b-acff00257226": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Image File Execution Options Injection",
"sha256": "4cd0be97857d8107806320934a41077bc479799bc584f29bf9c272ef1159fdf3",
@@ -5840,7 +5653,7 @@
"6885d2ae-e008-4762-b98a-e8e1cd3a81e9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Okta ThreatInsight Threat Suspected Promotion",
"sha256": "82e79c7b28c004e1294491aede3c75647ae912425ed24c651c009748c8d7cd6f",
@@ -5856,7 +5669,7 @@
"68921d85-d0dc-48b3-865f-43291ca2c4f2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Persistence via TelemetryController Scheduled Task Hijack",
"sha256": "aea25737ded0865363c221c0d1752131a0e908cbb4968ff2138d90d22cb790f1",
@@ -5885,7 +5698,7 @@
"689b9d57-e4d5-4357-ad17-9c334609d79a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Scheduled Task Created by a Windows Script",
"sha256": "4bd38dec94cb3868fe998ecf73e90de54d119a585ab9bed8788b9ddd7f43fc07",
@@ -5907,7 +5720,7 @@
"68ad737b-f90a-4fe5-bda6-a68fa460044e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Suspicious Access to LDAP Attributes",
"sha256": "10e88814957853e67c86294608c1f7ca56213481a2da75dd1c2ef998722a8bef",
@@ -5929,7 +5742,7 @@
"68d56fdc-7ffa-4419-8e95-81641bd6f845": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface",
"sha256": "e54698612562724862eabf289b6a0256473aa6af882b84aa9a4fdc520b15c22e",
@@ -5970,7 +5783,7 @@
"69c251fb-a5d6-4035-b5ec-40438bd829ff": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Modification of Boot Configuration",
"sha256": "47544b67e85088392633e552971d8cc2b2ae0beadfdbd26d254c16d5c94b8672",
@@ -6011,7 +5824,7 @@
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Unusual Service Host Child Process - Childless Service",
"sha256": "0cbf30f69775dd636ba9c9be86e859682567566370db71ea6b1ebb0b4d69b38d",
@@ -6034,7 +5847,7 @@
"6aace640-e631-4870-ba8e-5fdda09325db": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Exporting Exchange Mailbox via PowerShell",
"sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a",
@@ -6069,7 +5882,7 @@
"6bed021a-0afb-461c-acbe-ffdb9574d3f3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Remote Computer Account DnsHostName Update",
"sha256": "a51928cc4f489accb73c5623006f11d187ddfced85856c1753810c11a3e6ad96",
@@ -6091,7 +5904,7 @@
"6cd1779c-560f-4b68-a8f1-11009b27fe63": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Microsoft Exchange Server UM Writing Suspicious Files",
"sha256": "304d7c35a3c501afafb6d576d39db8a71ffa761de1d2e4ea5cf2ef4937b103ca",
@@ -6112,16 +5925,6 @@
"version": 308
},
"6cea88e4-6ce2-4238-9981-a54c140d6336": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "GitHub Repo Created",
"sha256": "51c2e55a0721646f1d729d916086c9574f76dff3a8c826d5d3295432d0ed3b09",
"type": "eql",
"version": 3
}
},
"rule_name": "GitHub Repo Created",
"sha256": "9c57ec5b44ac7672c65aed3037e55ef4d50dd74364153a908f67c92bdf8f4126",
"type": "eql",
@@ -6130,7 +5933,7 @@
"6d448b96-c922-4adb-b51c-b767f1ea5b76": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Process For a Windows Host",
"sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203",
@@ -6158,7 +5961,7 @@
"6e1a2cc4-d260-11ed-8829-f661ea17fbcc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "First Time Seen Commonly Abused Remote Access Tool Execution",
"sha256": "b287f162d06d726f7736822c18f2a4f4f45ee9e83f43e4e42155e3584e43c1e6",
@@ -6174,7 +5977,7 @@
"6e40d56f-5c0e-4ac6-aece-bee96645b172": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Anomalous Process For a Windows Population",
"sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623",
@@ -6190,7 +5993,7 @@
"6e9130a5-9be6-48e5-943a-9628bfc74b18": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "AdminSDHolder Backdoor",
"sha256": "e93289cdea358a09e2f778fc7c8e54c33ba01ad48013526945a7614333f52abe",
@@ -6212,7 +6015,7 @@
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Windows Error Manager Masquerading",
"sha256": "cf3d387a14b5aca9831a6255aa43fa4f3dfabf5b2660333a9750792f6a8acb75",
@@ -6228,7 +6031,7 @@
"6ea55c81-e2ba-42f2-a134-bccf857ba922": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Security Software Discovery using WMIC",
"sha256": "c320306a1610f531069193dac0fa021f55391c66d46b5d296b5e2c380817fd31",
@@ -6256,7 +6059,7 @@
"6f024bde-7085-489b-8250-5957efdf1caf": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Active Directory Group Modification by SYSTEM",
"sha256": "2ee2291d359018227fac96405ae5bd6ac5dba317d4dc3822fa5bd4382a4dddce",
@@ -6278,7 +6081,7 @@
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "83e0d8f3803e360f309ed8e89f6b91964a5cc4b6b2f0fd21638ded2c5341312d",
@@ -6318,7 +6121,7 @@
"708c9d92-22a3-4fe0-b6b9-1f861c55502d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution via MSIEXEC",
"sha256": "c4f5fe8318695f565656b31a0fdcf38991cdd94e72a60ba5abb460557280dd27",
@@ -6358,7 +6161,7 @@
"71bccb61-e19b-452f-b104-79a60e546a95": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Unusual File Creation - Alternate Data Stream",
"sha256": "b88514bbe2cf6ea8319648c67d83c00801179f31734024fd4661549db9e00297",
@@ -6381,7 +6184,7 @@
"71c5cb27-eca5-4151-bb47-64bc3f883270": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious RDP ActiveX Client Loaded",
"sha256": "64895d38f16c2e624a0463473d0bd2e81114b05911dc5179734a38c2df5c25c8",
@@ -6422,7 +6225,7 @@
"729aa18d-06a6-41c7-b175-b65b739b1181": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Reset MFA Factors for an Okta User Account",
"sha256": "fd9dd19e7456e3e02e208354daf6b7002b2a66a65557246ea14db8ef4f247cb2",
@@ -6450,7 +6253,7 @@
"730ed57d-ae0f-444f-af50-78708b57edd5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious JetBrains TeamCity Child Process",
"sha256": "54016ee23f49287a4fae596a255b45db62a996943f8881ff1dfb1fd2fb8920e7",
@@ -6485,7 +6288,7 @@
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Potential Modification of Accessibility Binaries",
"sha256": "d92a7d07cb5e81322f02fb2a7166dbdd70da750fa76141da1b95cb31663d9448",
@@ -6556,7 +6359,7 @@
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 111,
"rule_name": "Access to a Sensitive LDAP Attribute",
"sha256": "77281c68463fbc2c835a7a2749c534aa6aec79a75e0597d4199b96137ca5e191",
@@ -6578,7 +6381,7 @@
"76ddb638-abf7-42d5-be22-4a70b0bf7241": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Privilege Escalation via Rogue Named Pipe Impersonation",
"sha256": "77deaf0de198677613cb4ea5ded34296802b16789afb9856cbe3114220f9e4fb",
@@ -6600,7 +6403,7 @@
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Remote Desktop Tunneling Detected",
"sha256": "fd323ccf6885bb8208a092bc4453726707a9556bc41e3a2427bcd38bbe67cb2a",
@@ -6623,7 +6426,7 @@
"770e0c4d-b998-41e5-a62e-c7901fd7f470": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Enumeration Command Spawned via WMIPrvSE",
"sha256": "817ef65a6a910511dbe215f836ed060a2efe5a05e206abf2224a2480ce861487",
@@ -6694,7 +6497,7 @@
"78de1aeb-5225-4067-b8cc-f4a1de8a8546": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious ScreenConnect Client Child Process",
"sha256": "cd3cb9cd7b2638583883de2da1aec04b010b4d8dc850d4e9344f2016ef1f0446",
@@ -6753,7 +6556,7 @@
"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Potential File Transfer via Certreq",
"sha256": "0fa34695e7e58ab411a32781540d80e8b93e9a6162cc9ceaa18a072942d6e319",
@@ -6776,7 +6579,7 @@
"79f97b31-480e-4e63-a7f4-ede42bf2c6de": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Potential Shadow Credentials added to AD Object",
"sha256": "4644f2023e8d78c8af11d80cefe47e3b0fb58668952193d57ec1d6bc11df7e4e",
@@ -6828,7 +6631,7 @@
"7b8bfc26-81d2-435e-965c-d722ee397ef1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Windows Network Enumeration",
"sha256": "2bd4c58be4ce436e2d00994654b5252ddc7e40ee04cda79c22e1632ab1dcb486",
@@ -6850,7 +6653,7 @@
"7ba58110-ae13-439b-8192-357b0fcfa9d7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Suspicious LSASS Access via MalSecLogon",
"sha256": "fa0f15538180301dcc99fb3677d8ac7ad2d789d612e23c816f0908956028b3c1",
@@ -6920,20 +6723,13 @@
"7e23dfef-da2c-4d64-b11d-5f285b638853": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
"type": "eql",
"version": 4
},
"8.12": {
"max_allowable_version": 203,
"rule_name": "Microsoft Management Console File from Unusual Path",
"sha256": "74712d6b5a8f373b5bae6e8f885811bb6146ae69ede42dd304c6b79b7be83e91",
"type": "eql",
"version": 105
},
"8.13": {
"max_allowable_version": 304,
"rule_name": "Microsoft Management Console File from Unusual Path",
@@ -6956,7 +6752,7 @@
"7f370d54-c0eb-4270-ac5a-9a6020585dc6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious WMIC XSL Script Execution",
"sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2",
@@ -7003,7 +6799,7 @@
"8025db49-c57c-4fc0-bd86-7ccd6d10a35a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential PowerShell Obfuscated Script",
"sha256": "3750bd0f420e04cc5b48056c7e39fda3d29f6f4d5427f19dfbae2a2d94dbb8b5",
@@ -7025,7 +6821,7 @@
"808291d3-e918-4a3a-86cd-73052a0c9bdc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Suspicious Troubleshooting Pack Cabinet Execution",
"sha256": "70cb8aeef7011beb9cbd55faf6160037ba6c072935e5f73404df35820c44f059",
@@ -7059,7 +6855,7 @@
"818e23e6-2094-4f0e-8c01-22d30f3506c6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell Script Block Logging Disabled",
"sha256": "e35e69e41855d8858d5ae3ebe2faaa97f0b2ec25d6211a2998a8ea57f7b9f7bc",
@@ -7088,19 +6884,12 @@
"81fe9dc6-a2d7-4192-a2d8-eed98afc766a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de",
"type": "query",
"version": 111
},
"8.12": {
"max_allowable_version": 313,
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
"sha256": "fb000841d858dfe2aa8256f76db575885b1bc4d004bce5256e3746ebd4f09dc5",
"type": "query",
"version": 214
}
},
"rule_name": "PowerShell Suspicious Payload Encoded and Compressed",
@@ -7111,7 +6900,7 @@
"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Temporarily Scheduled Task Creation",
"sha256": "4162c0f3ecc6a4c881309a1c579888218ab3995f564f72409e538076f2e26c78",
@@ -7151,7 +6940,7 @@
"83bf249e-4348-47ba-9741-1202a09556ad": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious Windows Powershell Arguments",
"sha256": "67fac684b46bd0e1e592ed5fb64523fe9b1b6c8bbf695fa5a8c2ca93c45ebeff",
@@ -7186,7 +6975,7 @@
"846fe13f-6772-4c83-bd39-9d16d4ad1a81": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Microsoft Exchange Transport Agent Install Script",
"sha256": "6c50456e5c405b545f31c8c93d71b2f1614b64bd732ca548127db4db6230c412",
@@ -7214,7 +7003,7 @@
"84da2554-e12a-11ec-b896-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Enumerating Domain Trusts via NLTEST.EXE",
"sha256": "edbf1332772ff82f1ca2598dd8a01f2db70fbc0b0fc319db2140d545aeb1a4f0",
@@ -7272,7 +7061,7 @@
"871ea072-1b71-4def-b016-6278b505138d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Enumeration of Administrator Accounts",
"sha256": "043665e2ef98b00727f9e07b55549bee2d56066daf42ca2553e2b1bfa8aaf20e",
@@ -7330,7 +7119,7 @@
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Suspicious WMI Image Load from MS Office",
"sha256": "ce3fa8639f8be47fdbd516d085eb1359d5c76c41cc11e38b92a58495b3340443",
@@ -7346,7 +7135,7 @@
"894326d2-56c0-4342-b553-4abfaf421b5b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential WPAD Spoofing via DNS Record Creation",
"sha256": "7c29cdef0a6ebeafbe4e910b112d583288fc53752af7e0be673133e731c7b6ed",
@@ -7368,7 +7157,7 @@
"897dc6b5-b39f-432a-8d75-d3730d50c782": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Kerberos Traffic from Unusual Process",
"sha256": "2013e3e6c582953aa80b60a4839fd4a71480f61227c7c5eea6a58e6835031b50",
@@ -7384,7 +7173,7 @@
"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Command Prompt Network Connection",
"sha256": "85227491b3d44bf45d31d60e2dd5bfe543b04cc13549ad5abd43164d69fbe271",
@@ -7412,7 +7201,7 @@
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "058b07f279981af8faa8daebc191b1c9c562d8f901a11b43f11f53a152c36031",
@@ -7426,16 +7215,6 @@
"version": 106
},
"8a0fd93a-7df8-410d-8808-4cc5e340f2b9": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "GitHub PAT Access Revoked",
"sha256": "2da8385cb4225c3a080f85def407322ed423d41cdeaec25622ddcced2bad28a4",
"type": "eql",
"version": 3
}
},
"rule_name": "GitHub PAT Access Revoked",
"sha256": "ce7ded3ad0a0a070017efa54dff9afe6f0d43284222f27cd5eaedfb2ad660df5",
"type": "eql",
@@ -7450,7 +7229,7 @@
"8a1d4831-3ce6-4859-9891-28931fa6101d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Suspicious Execution from a Mounted Device",
"sha256": "78673e3f95e690470a888733b99665c1ceb566b839d08ffa96c74f670db2afb3",
@@ -7466,7 +7245,7 @@
"8a5c1e5f-ad63-481e-b53a-ef959230f7f1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Network Zone",
"sha256": "c78e844b887965fd68d2c04803f41f76a3a9fac485e964ab32eb920ff59c394c",
@@ -7494,7 +7273,7 @@
"8b2b3a62-a598-4293-bc14-3d5fa22bb98f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Executable File Creation with Multiple Extensions",
"sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0",
@@ -7517,7 +7296,7 @@
"8b4f0816-6a65-4630-86a6-c21c179c0d09": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Enable Host Network Discovery via Netsh",
"sha256": "9ce5994792151c28626d0f425f8e0bce511165c1596d5abe844a65343516481d",
@@ -7552,7 +7331,7 @@
"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process of dns.exe",
"sha256": "3e7ec0c52dab161d210c5a8c1871fb05710c9a0fc8e713a61ec2b46834a99460",
@@ -7623,7 +7402,7 @@
"8e2485b6-a74f-411b-bf7f-38b819f3a846": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential WSUS Abuse for Lateral Movement",
"sha256": "6df7ece3cdab24f89e189532be69d11605eb972d6f81b444017c7202ba4024a3",
@@ -7652,7 +7431,7 @@
"8eec4df1-4b4b-4502-b6c3-c788714604c9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Bitsadmin Activity",
"sha256": "5b0252807a2fe30f852e9467564c981179272010b0d5b4a8fbddcfcd5713fd6e",
@@ -7668,7 +7447,7 @@
"8f242ffb-b191-4803-90ec-0f19942e17fd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential ADIDNS Poisoning via Wildcard Record Creation",
"sha256": "69eda3393bec929f1158fe872d2aac7cd1fb162a851c342ba041fa666a8a09b7",
@@ -7690,7 +7469,7 @@
"8f919d4b-a5af-47ca-a594-6be59cd924a4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows",
"sha256": "feec1ce2bdf4dbddf251d9f16a07f5123eb30116c1ee43415fafe3390499db68",
@@ -7736,7 +7515,7 @@
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "InstallUtil Activity",
"sha256": "6f7157de8bdb8a54f183dd25c580741a6975960ce6320bb1e64d9a04b082b30f",
@@ -7794,19 +7573,12 @@
"92984446-aefb-4d5e-ad12-598042ca80ba": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548",
"type": "query",
"version": 8
},
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
"sha256": "85b4d7774d3dfb59ebe89003974ca0946860cd98d777fdd46fbdb3ebfa77815f",
"type": "query",
"version": 110
}
},
"rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities",
@@ -7817,7 +7589,7 @@
"92a6faf5-78ec-4e25-bea1-73bacc9b59d9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "A scheduled task was created",
"sha256": "51fc451b7a928144398a72653372d93f57fc18535dfb3a3667e6e7c3ec10f052",
@@ -7833,7 +7605,7 @@
"92d3a04e-6487-4b62-892d-70e640a590dc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Evasion via Windows Filtering Platform",
"sha256": "4c1a9ea8c710b1e04ca1f0f4c3ded936d6b02249faca0a7424388c37e4c3782e",
@@ -7867,7 +7639,7 @@
"93b22c0a-06a0-4131-b830-b10d5e166ff4": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious SolarWinds Child Process",
"sha256": "6f65d57f4b54ada16ae7a6bf781a64d84a83409df693cadbcf9a736633154606",
@@ -7883,7 +7655,7 @@
"93c1ce76-494c-4f01-8167-35edfb52f7b1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Encoded Executable Stored in the Registry",
"sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4",
@@ -7930,7 +7702,7 @@
"94a401ba-4fa2-455c-b7ae-b6e037afc0b7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Group Policy Discovery via Microsoft GPResult Utility",
"sha256": "92f99ada650ca1643ca9d74eeb044541cd01943858f78c837320f22b52db65d1",
@@ -7975,7 +7747,7 @@
"951779c2-82ad-4a6c-82b8-296c1f691449": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential PowerShell Pass-the-Hash/Relay Script",
"sha256": "094d5839307d9e9f979d87f04da382a99499e6932f5c04d08583d33439593897",
@@ -7991,7 +7763,7 @@
"954ee7c8-5437-49ae-b2d6-2960883898e9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Remote Scheduled Task Creation",
"sha256": "48228fde14a00d80993e815c4517cda88186986de1c72b6ab1503cfbced929f8",
@@ -8007,7 +7779,7 @@
"959a7353-1129-4aa7-9084-30746b256a70": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "PowerShell Suspicious Script with Screenshot Capabilities",
"sha256": "ec182387ccb79ee33c05281674fdc60fea9112866634a0782d814363c238711c",
@@ -8057,7 +7829,7 @@
"96b9f4ea-0e8c-435b-8d53-2096e75fcac5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Attempt to Create Okta API Token",
"sha256": "f4de9d3ab038aa89e893c49c11b5d115923ae5c2bf45c488fd4538636cc5a17d",
@@ -8085,7 +7857,7 @@
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "SeDebugPrivilege Enabled by a Suspicious Process",
"sha256": "59ac20ddf0ad6c973682600530ec32145c00eecd4dadbd7760ff440d6eaee57c",
@@ -8125,7 +7897,7 @@
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 311,
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "8a7ee34a8a996304a6a02fb42164407adaa2ec59ef82c157e9237d869562a7ee",
@@ -8141,7 +7913,7 @@
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious Zoom Child Process",
"sha256": "5f50216e837aebb5103936a65d7bb07f9ef153d873db29761cc5fe034c150aea",
@@ -8206,7 +7978,7 @@
"98843d35-645e-4e66-9d6a-5049acd96ce1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Indirect Command Execution via Forfiles/Pcalua",
"sha256": "4281493e0e1c2e1d8da0462e3464ee6477d337993c3844b7ac96f49510e498dc",
@@ -8252,7 +8024,7 @@
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score",
"sha256": "295b6b5f0bcc7c346200669736ff41d92683604648d0d0c729da6030e1edd0c3",
@@ -8268,7 +8040,7 @@
"9960432d-9b26-409f-972b-839a959e79e2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Potential Credential Access via LSASS Memory Dump",
"sha256": "ef4ab01243093fb107143c9c879d95c94d0a15e29c620d322d4436d62edd5db3",
@@ -8320,7 +8092,7 @@
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Explorer Child Process",
"sha256": "73643376218cb6a9dc9c17dcbc0e1e2a68c19dba4b20e180663b4a7c2a5953b7",
@@ -8343,7 +8115,7 @@
"9aa0e1f6-52ce-42e1-abb3-09657cee2698": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Scheduled Tasks AT Command Enabled",
"sha256": "51c952240fcbd97d71e3989752daabd44ef67ec404062d9ac0aa77ec5eefbd88",
@@ -8371,16 +8143,6 @@
"version": 4
},
"9b343b62-d173-4cfd-bd8b-e6379f964ca4": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 104,
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "a4b8ee93d7e52d2b59d4df47a27d69a9e5fba2c405d327006dddd367e0aedf2c",
"type": "eql",
"version": 5
}
},
"rule_name": "GitHub Owner Role Granted To User",
"sha256": "558e67c243e29f42d2e6f835e01185da82c48dc95e4322d0b21ab5addfe04e68",
"type": "eql",
@@ -8389,7 +8151,7 @@
"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Persistence via WMI Event Subscription",
"sha256": "f84d0750e79c7e23c031d4418102d9813c8bf40cf0c1c297bb68b2e68ecd6662",
@@ -8418,7 +8180,7 @@
"9c260313-c811-4ec8-ab89-8f6530e0246c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Hosts File Modified",
"sha256": "9857acc6de8b05c65a249bb32fb2aa5bb50283f5ac6aa34dfc4285a8a1abb5e2",
@@ -8440,7 +8202,7 @@
"9c865691-5599-447a-bac9-b3f2df5f9a9d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Remote Scheduled Task Creation via RPC",
"sha256": "247721b2ad4e7f9a94e9bbd1effaef53279a2504856ed04ae48b17a46729cccb",
@@ -8462,7 +8224,7 @@
"9ccf3ce0-0057-440a-91f5-870c6ad39093": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Command Shell Activity Started via RunDLL32",
"sha256": "c9b88b1d61f94153253dffb64b83381cc6f37396d6969056f29e0e983d7f0057",
@@ -8497,7 +8259,7 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Microsoft Build Engine Started by a Script Process",
"sha256": "927ea94b2491233b45213f4d45a252a511d8929778022d54b8ce9c55b572508c",
@@ -8513,7 +8275,7 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by a System Process",
"sha256": "dbaff78cc444435417a8dc117e92fac3f383f660e8ec2efc3882be4df7be8641",
@@ -8536,7 +8298,7 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Microsoft Build Engine Using an Alternate Name",
"sha256": "a49d6fb17cca15bf6ca569b7a9ed627b4ac76c4508e50fca28a4a267dc420ad4",
@@ -8552,7 +8314,7 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Credential Access via Trusted Developer Utility",
"sha256": "b1e378c91ed40734538a8f0ef48435f4f5e8446ac71e923e12737fe89f84b8c5",
@@ -8568,7 +8330,7 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 313,
"rule_name": "Microsoft Build Engine Started an Unusual Process",
"sha256": "357cfd30e6d72e8067b8fd85480960fc82ed8f8735df37e327c18110e32d637e",
@@ -8584,7 +8346,7 @@
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Process Injection by the Microsoft Build Engine",
"sha256": "eb466a234b50a51692e4c5678572f202d8d11c886c5676f92df089866b6613dc",
@@ -8624,7 +8386,7 @@
"9f962927-1a4f-45f3-a57b-287f2c7029c1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "Potential Credential Access via DCSync",
"sha256": "388a01708d3869a0ca1119a2328e6a9e032e23d91d96db063212e6f69e863921",
@@ -8652,7 +8414,7 @@
"a02cb68e-7c93-48d1-93b2-2c39023308eb": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "A scheduled task was updated",
"sha256": "c135f8efdd7137ef937b19eb29aa4a88640d556690f529620d1c24f6c391ec3f",
@@ -8680,7 +8442,7 @@
"a13167f1-eec2-4015-9631-1fee60406dcf": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "InstallUtil Process Making Network Connections",
"sha256": "f8829b614b96a55bdf35e84d28329b3efdbd1d18224ab1987b6e6dc5aabea65f",
@@ -8702,7 +8464,7 @@
"a16612dd-b30e-4d41-86a0-ebe70974ec00": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Potential LSASS Clone Creation via PssCaptureSnapShot",
"sha256": "11b482716d805d5718f0923dc1b0127ca26a5c89ac02df96dab7fe8a371199d2",
@@ -8718,7 +8480,7 @@
"a1699af0-8e1e-4ed0-8ec1-89783538a061": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Windows Subsystem for Linux Distribution Installed",
"sha256": "254753d1734938715fc36fb23e5d45f5d37a5b2accd3f353a456fa14849072d9",
@@ -8765,7 +8527,7 @@
"a22a09c2-2162-4df0-a356-9aacbeb56a04": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "DNS-over-HTTPS Enabled via Registry",
"sha256": "65d599f0ff2e8109bbdc28ad1f87017cebf9333caf2acc9368f2051f87e9cf36",
@@ -8800,7 +8562,7 @@
"a2d04374-187c-4fd9-b513-3ad4e7fdd67a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "PowerShell Mailbox Collection Script",
"sha256": "9da52a8d28edcb2f709109145e35bbb279d16227c6d4836c727a6764e3fffd58",
@@ -8816,7 +8578,7 @@
"a3ea12f3-0d4e-4667-8b44-4230c63f3c75": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Execution via local SxS Shared Module",
"sha256": "68739f82fe835d6e8e546e396bd6b7166cab6ffb7af01ccc3d402c7b23ab1525",
@@ -8899,7 +8661,7 @@
"a624863f-a70d-417f-a7d2-7a404638d47f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious MS Office Child Process",
"sha256": "3c33d3c17dd17722da2beb479065e86e20568514289f6b08fa02d682146ad1ed",
@@ -8946,7 +8708,7 @@
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Credential Acquisition via Registry Hive Dumping",
"sha256": "065a55514fdc9035ad658a5e591fa4c6fa510746aa52a1f262714061676b6d4d",
@@ -9023,7 +8785,7 @@
"a9b05c3b-b304-4bf9-970d-acdfaef2944c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Persistence via Hidden Run Key Detected",
"sha256": "a1e28dabfeef53ea08300663108d337b108ffbf92c169af41ac29938f2ad0d5d",
@@ -9057,7 +8819,7 @@
"aa9a274d-6b53-424d-ac5e-cb8ca4251650": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Remotely Started Services via RPC",
"sha256": "f3aa0fe1214d034e842ff8839a0f07ba427b7c6f884aa08ce89c3802c4d4c6d0",
@@ -9098,7 +8860,7 @@
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Process Calling the Metadata Service",
"sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676",
@@ -9120,7 +8882,7 @@
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious WerFault Child Process",
"sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10",
@@ -9149,7 +8911,7 @@
"ac5a2759-5c34-440a-b0c4-51fe674611d6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Outlook Home Page Registry Modification",
"sha256": "a21b4408a3539687dc2e34b0165fd2633928f3f84e0389722ccb822dc45dae83",
@@ -9172,7 +8934,7 @@
"ac6bc744-e82b-41ad-b58d-90654fa4ebfb": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "WPS Office Exploitation via DLL Hijack",
"sha256": "006e257e7f3f415df5102ead250e9554e6755e192771f58bdab3c554075b7ae5",
@@ -9200,7 +8962,7 @@
"ac96ceb8-4399-4191-af1d-4feeac1f1f46": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Potential Invoke-Mimikatz PowerShell Script",
"sha256": "e7b750985f6d8f290b5b3c9331448fc6c0e52c65dfa753ddf117fd70bd624e21",
@@ -9234,7 +8996,7 @@
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "fe186a9faacc6e9e3e6491c59ba7d7f453f702cf162e0e4ae49354149e80326a",
@@ -9257,7 +9019,7 @@
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Signed Proxy Execution via MS Work Folders",
"sha256": "810a8c957958d6e605deb047daa6566df4f3fc373fd5b47f4840489c8b1d76d4",
@@ -9298,7 +9060,7 @@
"ad84d445-b1ce-4377-82d9-7c633f28bf9a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious Portable Executable Encoded in Powershell Script",
"sha256": "d2271c15f1bcae13cb2632e4449638ff23a1e373ff5e0cd32c8722354646975d",
@@ -9344,7 +9106,7 @@
"ae8a142c-6a1d-4918-bea7-0b617e99ecfa": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Suspicious Execution via Microsoft Office Add-Ins",
"sha256": "6fce50e87a921fa949cd422fb8a0d0e0232051f30329df181dbebb37b5e5a184",
@@ -9385,7 +9147,7 @@
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Local Scheduled Task Creation",
"sha256": "49119f3e32864392ca8bba4c86bdc7d44cfa6076f3e6390401a646767f3b45a0",
@@ -9425,7 +9187,7 @@
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Netsh Helper DLL",
"sha256": "5019bcc4c8001cf98d0d6df1626edce949e6bd8d7c18fbbc38b2a53cf847a5a9",
@@ -9467,7 +9229,7 @@
"b2318c71-5959-469a-a3ce-3a0768e63b9c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Network Share Discovery",
"sha256": "d9f7984d4c89a14a40266258ea1b410241ad8120b38c698f8df2b0b38685c01c",
@@ -9489,7 +9251,7 @@
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.13",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "a29d0b9a977b708aa1a61691d747913dbec9f7c2b91dbc0a40e511177f53deab",
@@ -9511,7 +9273,7 @@
"b29ee2be-bf99-446c-ab1a-2dc0183394b8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Compiled HTML File",
"sha256": "0c4011e34ae723b0d5fbd00bd1e354badeb76adb69e7c4a44dd7e7cb1acc480b",
@@ -9539,7 +9301,7 @@
"b41a13c6-ba45-4bab-a534-df53d0cfed6a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious Endpoint Security Parent Process",
"sha256": "8dcb7952ad32b417b17af0842d510e13cc6cdbc53392b0faf1d86f3f4ed08817",
@@ -9562,7 +9324,7 @@
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Code Signing Policy Modification Through Built-in tools",
"sha256": "168f65fff8c879d2ac1d9d8f75f943f5bfc82f8f42fb32accf1cafe4fa2f394b",
@@ -9597,7 +9359,7 @@
"b483365c-98a8-40c0-92d8-0458ca25058a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "At.exe Command Lateral Movement",
"sha256": "2abb4b86050fb28a5ecd1b9b0c29831409dc9f84f79ea5b162542a3f3e371402",
@@ -9613,7 +9375,7 @@
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy",
"sha256": "477e3762a7205a2acdb25a27b55e30e562430a576cb8828546ddda6b8c94295e",
@@ -9635,7 +9397,7 @@
"b5877334-677f-4fb9-86d5-a9721274223b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Clearing Windows Console History",
"sha256": "31a8236d386d194b359d207af5df1bf72482fd394b73f8560ec1fc6de98072eb",
@@ -9658,7 +9420,7 @@
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Volume Shadow Copy Deleted or Resized via VssAdmin",
"sha256": "4466accbd5ff400c7b23c229e6337d6832b2b1ec20954ba16572704e2f965837",
@@ -9693,7 +9455,7 @@
"b64b183e-1a76-422d-9179-7b389513e74d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Windows Script Interpreter Executing Process via WMI",
"sha256": "aa213b08606a60ecaa3893813321313519164133eef986d6e7514b6d32df9abc",
@@ -9709,7 +9471,7 @@
"b661f86d-1c23-4ce7-a59e-2edbdba28247": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Veeam Credential Access Command",
"sha256": "b3f8b7e37e939e3cd6163ab49a982617cbd2281cc8245da41d7f0b07ffb9ac0d",
@@ -9732,7 +9494,7 @@
"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Potential Privilege Escalation via Service ImagePath Modification",
"sha256": "050e1cfaf93c6b295453f348901119d4394b12f7e0cab4e059bd351a1b69dd62",
@@ -9754,7 +9516,7 @@
"b719a170-3bdb-4141-b0e3-13e3cf627bfe": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Policy",
"sha256": "c47529d65e905842112a5d39f9e08eb335d9a8b351fd619b3fc43409d2ec9a5d",
@@ -9776,7 +9538,7 @@
"b8075894-0b62-46e5-977c-31275da34419": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Administrator Privileges Assigned to an Okta Group",
"sha256": "67e6cd6cb7adda43f8503c30592825e8fafeed049f9746a421e91661fb162a60",
@@ -9798,7 +9560,7 @@
"b8386923-b02c-4b94-986a-d223d9b01f88": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "PowerShell Invoke-NinjaCopy script",
"sha256": "5378b4cd6c7252bdbb61701c4637a20d365562603144a04e17b271ccfaa83a21",
@@ -9814,7 +9576,7 @@
"b83a7e96-2eb3-4edf-8346-427b6858d3bd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Creation or Modification of Domain Backup DPAPI private key",
"sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04",
@@ -9837,7 +9599,7 @@
"b86afe07-0d98-4738-b15d-8d7465f95ff5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Network Connection via MsXsl",
"sha256": "97661aa1f38ec86767f0b0059ad5aab142c0f1dfcfe79c093165e0dcd8ef1266",
@@ -9853,7 +9615,7 @@
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Kirbi File Creation",
"sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22",
@@ -9876,7 +9638,7 @@
"b90cdde7-7e0d-4359-8bf0-2c112ce2008a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface",
"sha256": "06cd8a9c2cc711c339f9e9c86a0b0e31950b1620f3c927162433104d644a4a8d",
@@ -9917,7 +9679,7 @@
"b9554892-5e0e-424b-83a0-5aef95aa43bf": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Group Policy Abuse for Privilege Addition",
"sha256": "5971f13dca2e4aa9242197c75db0ea4b322db1fbca63722424ceb9cbd06d0233",
@@ -9939,7 +9701,7 @@
"b9960fef-82c6-4816-befa-44745030e917": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "SolarWinds Process Disabling Services via Registry",
"sha256": "71e9aa09fa89569defb2a149c30bf379e219b2f9cba453977f75c6ab69845847",
@@ -9968,7 +9730,7 @@
"ba342eb2-583c-439f-b04d-1fdd7c1417cc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows Network Activity",
"sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57",
@@ -9996,7 +9758,7 @@
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Suspicious Image Load (taskschd.dll) from MS Office",
"sha256": "e224bdce56aa39ba7fca19f483ee4080daea489a943e6211cb1ec88aa1754671",
@@ -10096,7 +9858,7 @@
"bd2c86a0-8b61-4457-ab38-96943984e889": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 214,
"rule_name": "PowerShell Keylogging Script",
"sha256": "0a89a374c16157d812750b375b94189e976d23406e4d8b78579bfa2b3128dd7e",
@@ -10112,7 +9874,7 @@
"bd3d058d-5405-4cee-b890-337f09366ba2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Potential Defense Evasion via CMSTP.exe",
"sha256": "668daa0b262a8a546290c3bcc29fe23cbf7ab05b7089f4dc2d7368a4f98fa04a",
@@ -10128,7 +9890,7 @@
"bd7eefee-f671-494e-98df-f01daf9e5f17": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler Point and Print DLL",
"sha256": "d3a4fe36f9cfc3992560267e468577a3a244bcf0ef337b17dd9d40cfc525840c",
@@ -10150,7 +9912,7 @@
"bdcf646b-08d4-492c-870a-6c04e3700034": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Privileged Escalation via SamAccountName Spoofing",
"sha256": "88869a90ff8b60cea2e3b311a3cff7348cabd05ea463923dacb7e7810c9063a8",
@@ -10182,7 +9944,7 @@
"bdfebe11-e169-42e3-b344-c5d2015533d3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Host",
"sha256": "cc1d705bc605d526d53b66ae99fe04295569f385dba1baf4b454810b18014206",
@@ -10204,7 +9966,7 @@
"be8afaed-4bcd-4e0a-b5f9-5562003dde81": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Searching for Saved Credentials via VaultCmd",
"sha256": "9fccd84e0d8fb3b15fbb84c2772e68bece05e41bf66896555fe409a03f691dd7",
@@ -10245,7 +10007,7 @@
"bfeaf89b-a2a7-48a3-817f-e41829dc61ee": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious DLL Loaded for Persistence or Privilege Escalation",
"sha256": "7378116f20ca82f38e2d2d44d954660fb4b53cc6eae4276a1084e6a27ae5cf7f",
@@ -10267,7 +10029,7 @@
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Creation or Modification of a new GPO Scheduled Task or Service",
"sha256": "db80515372b13521184021a9451c545f6e530fc191866f76eb9a2c1584f99210",
@@ -10302,7 +10064,7 @@
"c124dc1b-cef2-4d01-8d74-ff6b0d5096b6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "PowerShell Script with Windows Defender Tampering Capabilities",
"sha256": "5c39497f70b4e79c852ff920c53d16372dc40b66f86e903ce98d506347d5aca2",
@@ -10348,7 +10110,7 @@
"c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Microsoft IIS Connection Strings Decryption",
"sha256": "fbee6d2c06dbbfc87ca0b8695bd5b6d9f72acbb751ce228da8e4cb479b01d60f",
@@ -10389,7 +10151,7 @@
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Mshta Making Network Connections",
"sha256": "c874d8e0df6ae897a277a01aff80ac0258b1defdaa7722e37539a516348e7624",
@@ -10417,7 +10179,7 @@
"c3b915e0-22f3-4bf7-991d-b643513c722f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Persistence via BITS Job Notify Cmdline",
"sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87",
@@ -10446,7 +10208,7 @@
"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Mounting Hidden or WebDav Remote Shares",
"sha256": "4f666b4d6483dcf490a23c94ca65dce3962f9a0dc3d482280c676c363d4bf77e",
@@ -10469,7 +10231,7 @@
"c4818812-d44f-47be-aaef-4cfb2f9cc799": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Suspicious Print Spooler File Deletion",
"sha256": "6764db9d99a9d2a1bce0efae356412f7b62f66204dfe3496cf5d8e142aa916ff",
@@ -10498,7 +10260,7 @@
"c55badd3-3e61-4292-836f-56209dc8a601": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Attempted Private Key Access",
"sha256": "b2c8c3e7141403ad662ca97ee2128c56cee7a9922533a8296c69671cb2ce92fa",
@@ -10514,7 +10276,7 @@
"c5677997-f75b-4cda-b830-a75920514096": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Service Path Modification via sc.exe",
"sha256": "d4b7737d66ebdff698638b968d1b299b70f7f6f299ff70afa22ab9d911dada32",
@@ -10530,7 +10292,7 @@
"c57f8579-e2a5-4804-847f-f2732edc5156": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Potential Remote Desktop Shadowing Activity",
"sha256": "2d3a93d4e613dace19446854539467cead96901968f44270796ce546beeb940a",
@@ -10559,7 +10321,7 @@
"c5c9f591-d111-4cf8-baec-c26a39bc31ef": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Potential Credential Access via Renamed COM+ Services DLL",
"sha256": "bd759b2a552a5ce6a16e041b6708cf7215821c978d6c820100f29ff8567b357f",
@@ -10575,7 +10337,7 @@
"c5ce48a6-7f57-4ee8-9313-3d0024caee10": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Installation of Custom Shim Databases",
"sha256": "a4e910236d8c8466806752afee8114c07605a36292529e463c8e66e44fb8eb3b",
@@ -10598,7 +10360,7 @@
"c5dc3223-13a2-44a2-946c-e9dc0aa0449c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Microsoft Build Engine Started by an Office Application",
"sha256": "5153767a496dccc99d12eced8554a65fe9665ecda63cd00274c500bcdadd1281",
@@ -10627,7 +10389,7 @@
"c6453e73-90eb-4fe7-a98c-cde7bbfc504a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Remote File Download via MpCmdRun",
"sha256": "c2186669d5261bfa7c34dc39f93fc099d98e0e2e752839199476fe5c176ccc2c",
@@ -10663,7 +10425,7 @@
"c749e367-a069-4a73-b1f2-43a3798153ad": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Network Zone",
"sha256": "b5104f7ae3ace37e84d9a3b23a48e2695144b6feed203643be712db808db99a4",
@@ -10679,7 +10441,7 @@
"c74fd275-ab2c-4d49-8890-e2943fa65c09": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Attempt to Modify an Okta Application",
"sha256": "16425c2a2a76a6acc54e5d8a82a6d4440c04a74789979a89c722ee29238b5efd",
@@ -10701,7 +10463,7 @@
"c7894234-7814-44c2-92a9-f7d851ea246a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Unusual Network Connection via DllHost",
"sha256": "5bffb108e728d78c04b4974f087af87b6352942f82977a580fcc749a742fffc6",
@@ -10723,7 +10485,7 @@
"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual File Modification by dns.exe",
"sha256": "a52a50c6b43c02c95ace52b42924ca8e064e2f859b4d50fdba2866d47ac9d182",
@@ -10787,7 +10549,7 @@
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Suspicious Startup Shell Folder Modification",
"sha256": "240ef030208238909ed116c65fb35bd1e2c030a6abaa3dffd50c51e79a4e2c78",
@@ -10810,7 +10572,7 @@
"c8cccb06-faf2-4cd5-886e-2c9636cfcb87": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Disabling Windows Defender Security Settings via PowerShell",
"sha256": "0650a9d5a9a0652dfbf6134767ecd50de79b4300912151bf929d62a8487c1c3f",
@@ -10893,7 +10655,7 @@
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "1fd88b6e7c9bf6b2176da46f28e40a91cff9746a635071e899bf47a6176021a5",
@@ -10934,7 +10696,7 @@
"cc92c835-da92-45c9-9f29-b4992ad621a0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Attempt to Deactivate an Okta Policy Rule",
"sha256": "55337a1b7167b7c1dcc9f5dd03c16e8f33bb1140dac71b90520bd885a4016fdf",
@@ -10956,7 +10718,7 @@
"cd16fb10-0261-46e8-9932-a0336278cdbe": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Modification or Removal of an Okta Application Sign-On Policy",
"sha256": "79838ed35b355cacad06827a8cad3846a6270b6331c8cf0e5f0925e2a841681c",
@@ -10996,7 +10758,7 @@
"cd89602e-9db0-48e3-9391-ae3bf241acd8": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "MFA Deactivation with no Re-Activation for Okta User Account",
"sha256": "61d2a74ac6c506cea833b428367bc8fd3f6c9c320f019009c9c92717e3f38c31",
@@ -11012,7 +10774,7 @@
"cdbebdc1-dc97-43c6-a538-f26a20c0a911": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 309,
"rule_name": "Okta User Session Impersonation",
"sha256": "aab59642eb5e5e9a0adea96789128810c3c79dd6ec8d45944c48ad210858a2b7",
@@ -11028,19 +10790,12 @@
"cde1bafa-9f01-4f43-a872-605b678968b0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa",
"type": "query",
"version": 11
},
"8.12": {
"max_allowable_version": 212,
"rule_name": "Potential PowerShell HackTool Script by Function Names",
"sha256": "635be6f0c0378af6eb3bfd0c7172864e1e2f47cf1f98606720a80f3d6f53e65b",
"type": "query",
"version": 113
}
},
"rule_name": "Potential PowerShell HackTool Script by Function Names",
@@ -11055,16 +10810,6 @@
"version": 2
},
"ce08b55a-f67d-4804-92b5-617b0fe5a5b5": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "557be18d473f0dab21314e36e19724bf288eed2289446960d75923b23429b4ca",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
"sha256": "17f2719c6e034e7a588f73376d1be4be6bbd4e9d1b03c74549ce551686c80a14",
"type": "new_terms",
@@ -11073,7 +10818,7 @@
"ce64d965-6cb0-466d-b74f-8d2c76f47f05": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "New ActiveSyncAllowedDeviceID Added via PowerShell",
"sha256": "d66af889a4f25a88bf895b4dccd150b6e7d236baf15963c969ac201ed5bcbd65",
@@ -11120,7 +10865,7 @@
"cff92c41-2225-4763-b4ce-6f71e5bda5e6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Execution from Unusual Directory - Command Line",
"sha256": "265d820856193f4c1a981afc09dbd2e2455f2585cfa15e0e47b99a46c1e157fe",
@@ -11161,7 +10906,7 @@
"d0e159cf-73e9-40d1-a9ed-077e3158a855": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Registry Persistence via AppInit DLL",
"sha256": "7b61d91f3b32b7c2abf856dc7c191977667022be4b7d6c9bd819615c622a1a35",
@@ -11184,7 +10929,7 @@
"d117cbb4-7d56-41b4-b999-bdf8c25648a0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Symbolic Link to Shadow Copy Created",
"sha256": "3917ba5bb57ddff2af656072117cadeef74e6d09afc56a3ae5f26106282c7f20",
@@ -11237,7 +10982,7 @@
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Disabling User Account Control via Registry Modification",
"sha256": "34bc05c49fe69684173e6c0af5c4c6df3091c20e5dbbf5a9dd943525aba4fed7",
@@ -11260,7 +11005,7 @@
"d331bbe2-6db4-4941-80a5-8270db72eb61": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Clearing Windows Event Logs",
"sha256": "cfc55cfb48ed78d6c469f7e3ac99f4aceb2d4b827a98a98a4ee7da4b1046e548",
@@ -11283,7 +11028,7 @@
"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Remote Windows Service Installed",
"sha256": "d3d7e72381e6345a67cffab43f821b026927d01ad097fa644718316d8b841386",
@@ -11299,7 +11044,7 @@
"d3551433-782f-4e22-bbea-c816af2d41c6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "WMI WBEMTEST Utility Execution",
"sha256": "5bcaf5dc0f395444215ce0aad01b433014a5a155b896171c1d041df226e51766",
@@ -11327,7 +11072,7 @@
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Attempt to Delete an Okta Application",
"sha256": "0c3561f0d315499992370d9974bc175314ffa72037d52c76bb93df7427912ebb",
@@ -11379,7 +11124,7 @@
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Privilege Escalation via Windir Environment Variable",
"sha256": "60df5eed46bbcf083835c15802642a1d7dc80990487cf8c6f593aeb2bbcd6625",
@@ -11402,7 +11147,7 @@
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Delete an Okta Policy Rule",
"sha256": "cbab8acc99323949b9c63aa1b75bd6a9769d66ca5df1645bb04da013526fb28e",
@@ -11418,7 +11163,7 @@
"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Service Command Lateral Movement",
"sha256": "a06abd5554d50f0ebc9b99f80159dbf24d97dc6453dab05f27bd09f0e8884f42",
@@ -11458,7 +11203,7 @@
"d68e95ad-1c82-4074-a12a-125fe10ac8ba": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 113,
"rule_name": "System Information Discovery via Windows Command Shell",
"sha256": "b62cb287eba4d616dacf2fdc8e98db08f74415252b83c5346cf1299121dd401e",
@@ -11480,7 +11225,7 @@
"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Modification of WDigest Security Provider",
"sha256": "a44e75aa48733736e80047d4c1c565d7ba7683ae2f63255605eb0a8fc3fd8d5e",
@@ -11496,7 +11241,7 @@
"d72e33fc-6e91-42ff-ac8b-e573268c5a87": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Command Execution via SolarWinds Process",
"sha256": "8fbf7a1dcae87ae50b11fbc90ac978f7238819b6fffdbff9e2762e2ba3cef2a9",
@@ -11573,7 +11318,7 @@
"d93e61db-82d6-4095-99aa-714988118064": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "NTDS Dump via Wbadmin",
"sha256": "34ce5f9596b36a1b992575548e8c62b16a49e5261440a67f784671e4eb4bdbb3",
@@ -11596,7 +11341,7 @@
"d99a037b-c8e2-47a5-97b9-170d076827c4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Volume Shadow Copy Deletion via PowerShell",
"sha256": "c312ca88ca87b5842950e5a73570f60860a7d415c34293e91196686fbad5e738",
@@ -11619,7 +11364,7 @@
"d9ffc3d6-9de9-4b29-9395-5757d0695ecf": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Suspicious Windows Command Shell Arguments",
"sha256": "0dd9b1e590a4b301d83ffb6fbc022556f692630bef01e7d31223c89a7032ecdb",
@@ -11642,7 +11387,7 @@
"da7733b1-fe08-487e-b536-0a04c6d8b0cd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 110,
"rule_name": "Code Signing Policy Modification Through Registry",
"sha256": "4a1be4588f4264941f314924e28dbfaf3791577f1aa8805dd33a0e1d2a49a53e",
@@ -11671,7 +11416,7 @@
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "2b3b6416e094f6fd0f246cdccd204f657433c0899082d352eee17f0a42c6e5cb",
@@ -11693,7 +11438,7 @@
"daafdf96-e7b1-4f14-b494-27e0d24b11f6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "Potential Pass-the-Hash (PtH) Attempt",
"sha256": "c8d78b9a264919f6a100901cb87b338a1148ed52bb4f422e912c4a9b4c534a5d",
@@ -11715,7 +11460,7 @@
"db65f5ba-d1ef-4944-b9e8-7e51060c2b42": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Network-Level Authentication (NLA) Disabled",
"sha256": "5ba03fd03c459addbd61462891a2464974c59930a12e77a48efb688584584474",
@@ -11738,7 +11483,7 @@
"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Execution via Windows Subsystem for Linux",
"sha256": "86c73ee5160e7e68a9e03ca44a7191655b1ab3644edf3c7468b433eb42722f54",
@@ -11791,7 +11536,7 @@
"dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Volume Shadow Copy Deletion via WMIC",
"sha256": "f0a835fbc3354f77c2f9932da85b594a119039f747e7af1bc8cd8fd0699c3f75",
@@ -11820,7 +11565,7 @@
"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Suspicious Execution from INET Cache",
"sha256": "6890ee7e9f98fd62cb7e5660852cebcf2ec9c6a367072ae8b1660ee40eca75da",
@@ -11843,7 +11588,7 @@
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Attempt to Install Kali Linux via WSL",
"sha256": "7209db8e30fa81579cc3b28f823b3efc3f48863b31868b2c52ccee2a937887bd",
@@ -11878,7 +11623,7 @@
"ddab1f5f-7089-44f5-9fda-de5b11322e77": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "NullSessionPipe Registry Modification",
"sha256": "2dc4ed28b131d5fcdb67907c89c6524e73a884148e5d5ad792d42e65f619c8c2",
@@ -11908,7 +11653,7 @@
"de9bd7e0-49e9-4e92-a64d-53ade2e66af1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Child Process from a System Virtual Process",
"sha256": "64088266c02ecdf9fa7132deb1addf06105d09c902e7ec255a0b536395272ff8",
@@ -11949,7 +11694,7 @@
"df197323-72a8-46a9-a08e-3f5b04a4a97a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Unusual Windows User Calling the Metadata Service",
"sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e",
@@ -11996,7 +11741,7 @@
"dffbd37c-d4c5-46f8-9181-5afdd9172b4c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 102,
"rule_name": "Potential privilege escalation via CVE-2022-38028",
"sha256": "be7d0516427d16d13075a9c6cbeb259c965436b814a3a00c02a5a879e239aaaa",
@@ -12031,7 +11776,7 @@
"e052c845-48d0-4f46-8a13-7d0aba05df82": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "KRBTGT Delegation Backdoor",
"sha256": "5b56188233f9c0e6251065b18ac9a7d80ebd1b7cd9a55d4dfbc2fa8735b403cc",
@@ -12047,7 +11792,7 @@
"e0881d20-54ac-457f-8733-fe0bc5d44c55": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "System Service Discovery through built-in Windows Utilities",
"sha256": "741569f3966efbf4451f3705f1cc486fb78f55422a1766913c2619b70072586e",
@@ -12063,7 +11808,7 @@
"e08ccd49-0380-4b2b-8d71-8000377d6e49": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "Attempts to Brute Force an Okta User Account",
"sha256": "91ded37d974e4de028ec04fa54ba38c79ead6a088bc6384e8e7f081bd19a1068",
@@ -12133,19 +11878,12 @@
"e26f042e-c590-4e82-8e05-41e81bd822ad": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9",
"type": "query",
"version": 112
},
"8.12": {
"max_allowable_version": 315,
"rule_name": "Suspicious .NET Reflection via PowerShell",
"sha256": "0340e6a85d09bbf8fa8fb4f0c4c7bbabbcf56d7196e1c6a8ced5b4922f07f7b2",
"type": "query",
"version": 216
}
},
"rule_name": "Suspicious .NET Reflection via PowerShell",
@@ -12160,7 +11898,6 @@
"version": 4
},
"e29599ee-d6ad-46a9-9c6a-dc39f361890d": {
"min_stack_version": "8.12",
"rule_name": "Suspicious pbpaste High Volume Activity",
"sha256": "a4c8f8bfde8a3b923156ef450b75f64bc7fe03e04671221bd7040e12c3e98c02",
"type": "eql",
@@ -12181,7 +11918,7 @@
"e2e0537d-7d8f-4910-a11d-559bcf61295a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Windows Subsystem for Linux Enabled via Dism Utility",
"sha256": "b9a7b32c3dfb500b067eb62db94be7e669a714213f44475884a5d82188a89576",
@@ -12204,7 +11941,7 @@
"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Suspicious Process Execution via Renamed PsExec Executable",
"sha256": "a78175d51ef889c2e09cfd59e2c1dd26ee7b7467cde848968753b8be8402a5ff",
@@ -12232,7 +11969,7 @@
"e3343ab9-4245-4715-b344-e11c56b0a47f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Process Activity via Compiled HTML File",
"sha256": "433f8b6dbfbb827e6060d659633ff337f13f121b38b71de98f5e0c71cae016bb",
@@ -12267,7 +12004,7 @@
"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
"sha256": "888df58b2f7bdef7997e9bf98f6cefecc8e5dc094ec1c1391fbec5f03fc85d8e",
@@ -12289,7 +12026,7 @@
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "020a011d15d2d0ad7e19782ca05849aee2beece8563925f3c5ecba763271bf0f",
@@ -12305,7 +12042,7 @@
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Modify an Okta Network Zone",
"sha256": "b1e2d03c73734a939284f846dea8d0c59717275736d683ab676fa33d53e87cf3",
@@ -12321,7 +12058,7 @@
"e4e31051-ee01-4307-a6ee-b21b186958f4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Service Creation via Local Kerberos Authentication",
"sha256": "b0f8db3df27e01d7b12cdd167287aca6d31dcafc2878624cdfc8971185e9c74d",
@@ -12337,7 +12074,7 @@
"e514d8cd-ed15-4011-84e2-d15147e059f1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Kerberos Pre-authentication Disabled for User",
"sha256": "2a9607c64117bf0a530a215badcbd0b2b71ec685ac068bedc537c920300ebb03",
@@ -12377,7 +12114,7 @@
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Possible Okta DoS Attack",
"sha256": "5ded2187b0cfe73d588eb8981bab8ec9db75d3cd552a3160b7fe638491e2301e",
@@ -12411,7 +12148,7 @@
"e7125cea-9fe1-42a5-9a05-b0792cf86f5a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 206,
"rule_name": "Execution of Persistent Suspicious Program",
"sha256": "bae068bbb951844f6a723136dec199140d6d35b62406b5deddbe6208895a7478",
@@ -12427,7 +12164,7 @@
"e72f87d0-a70e-4f8d-8443-a6407bc34643": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Suspicious WMI Event Subscription Created",
"sha256": "4f033d8b97bebdd4d3f7dfb51f5465e5283d687187e643b9e5ad76f243122b20",
@@ -12455,7 +12192,7 @@
"e760c72b-bb1f-44f0-9f0d-37d51744ee75": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Unusual Execution via Microsoft Common Console File",
"sha256": "2d88a1a1afbd362333b27616ad60ef7198d3e854a31723b98ad96fb451d7fb35",
@@ -12496,7 +12233,7 @@
"e8571d5f-bea1-46c2-9f56-998de2d3ed95": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Service Control Spawned via Script Interpreter",
"sha256": "23319cac9de2bde953f91039aa5aaf01a9dee132682c44d6c32a15b80a48bc70",
@@ -12512,7 +12249,7 @@
"e86da94d-e54b-4fb5-b96c-cecff87e8787": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Installation of Security Support Provider",
"sha256": "d43ac925cacf9d6a9f783a2368854c53d33a41aad5cc37d722423671a5f4d0b7",
@@ -12535,7 +12272,7 @@
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Host Files System Changes via Windows Subsystem for Linux",
"sha256": "f650cdefd5366db74cbb8b10fcdc442ca99580255059225a70906d7069dcc006",
@@ -12563,7 +12300,7 @@
"e90ee3af-45fc-432e-a850-4a58cf14a457": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 310,
"rule_name": "High Number of Okta User Password Reset or Unlock Attempts",
"sha256": "568146e376ee07a8ab11dfb397d318d7d05ede6ad35892d78bca3b64ae4df8b4",
@@ -12591,7 +12328,7 @@
"e94262f2-c1e9-4d3f-a907-aeab16712e1a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Unusual Executable File Creation by a System Critical Process",
"sha256": "039641e8c7b1e6c8242b90a66989c99c2f7e958b18bbb211f172b588af3a6f3f",
@@ -12644,7 +12381,7 @@
"ea09ff26-3902-4c53-bb8e-24b7a5d029dd": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Unusual Process Spawned by a Parent Process",
"sha256": "d2146dbc0bf3635a79dd508efbeac1edd36c749e19d592d10ca7e5bdd1be2879",
@@ -12684,7 +12421,7 @@
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 105,
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "492442b9a011a2f12dba2f025284191a27457dc32fa61c4cdae57c2efe1bf9ad",
@@ -12700,7 +12437,7 @@
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "PowerShell Kerberos Ticket Request",
"sha256": "1eca5c1ab4882b5bcf2dd344dafbd75a680f7fd7cb7bceb1c7c448fe80765bbb",
@@ -12728,7 +12465,7 @@
"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Mimikatz Memssp Log File Detected",
"sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140",
@@ -12751,7 +12488,7 @@
"ebf1adea-ccf2-4943-8b96-7ab11ca173a5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "IIS HTTP Logging Disabled",
"sha256": "1d1a052986ba865ecb1849338b1b869d684513a6631e04cab4c9db4a1eed568f",
@@ -12774,7 +12511,7 @@
"ebfe1448-7fac-4d59-acea-181bd89b1f7f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Process Execution from an Unusual Directory",
"sha256": "410db635d79cd7e1e9e08c48ec74e3d535e371c84cceb06dcf0bca6f5a3c36ce",
@@ -12833,7 +12570,7 @@
"eda499b8-a073-4e35-9733-22ec71f57f3a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "AdFind Command Activity",
"sha256": "c46b6502090d25c7bb5161cdb2c5e4487119fface180acbec85cd9f704de19b1",
@@ -12856,7 +12593,7 @@
"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 308,
"rule_name": "Attempt to Deactivate an Okta Application",
"sha256": "4a88d4ac8ebf748a1a4f8d50aef2324ce844b7381d83fad2cdbffc4763277b05",
@@ -12872,7 +12609,7 @@
"edf8ee23-5ea7-4123-ba19-56b41e424ae3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "ImageLoad via Windows Update Auto Update Client",
"sha256": "d9390521fb8ec490fd84fdba1668ebb433862673b898bc446455d90b71cd13a8",
@@ -12901,7 +12638,7 @@
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 205,
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "4fc8575bfa9aca1a9f10798c799d9b2bd4c64285c239241532c61f81b90bab7c",
@@ -12917,7 +12654,7 @@
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Unusual Print Spooler Child Process",
"sha256": "1c4b115ce0bde803fa63edbabb634df01af0720cabb3012ed329a5031cd7c961",
@@ -12969,7 +12706,7 @@
"ef862985-3f13-4262-a686-5f357bbb9bc2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Whoami Process Activity",
"sha256": "85fc0e0d9af73aa5f5fc4dd729db10425c22c61214f864625a235cffcca9c508",
@@ -12991,7 +12728,7 @@
"f036953a-4615-4707-a1ca-dc53bf69dcd5": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Unusual Child Processes of RunDLL32",
"sha256": "0713731667d50b24bd145385b0d83cf8936b4173b1eb789f87e15798fb329cbe",
@@ -13013,7 +12750,7 @@
"f06414a6-f2a4-466d-8eba-10f85e8abf71": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Administrator Role Assigned to an Okta User",
"sha256": "5d3602038f3d411392475d7a76fba8b7ceb34b83667e8c374ee4dd8cf01614a6",
@@ -13071,7 +12808,7 @@
"f243fe39-83a4-46f3-a3b6-707557a102df": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 104,
"rule_name": "Service Path Modification",
"sha256": "06058f2cf2dfe450db263b15625ad4168b83e231f35bec57b51213ffbd1be599",
@@ -13099,7 +12836,7 @@
"f2c7b914-eda3-40c2-96ac-d23ef91776ca": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "SIP Provider Modification",
"sha256": "e7285256bf0c38b5fbb2b1c6f458037f9fed88e1e8238438993dd0b6347aa48e",
@@ -13122,7 +12859,7 @@
"f2f46686-6f3c-4724-bd7d-24e31c70f98f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "LSASS Memory Dump Creation",
"sha256": "7e795307c7ee80d811f2bdbe317f0b5e563dbd232e6ff795ecb0a1f21dd1e2c4",
@@ -13163,7 +12900,7 @@
"f3475224-b179-4f78-8877-c2bd64c26b88": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "WMI Incoming Lateral Movement",
"sha256": "109358ad6d085e83bf9097861e3961e3e5afbbbf94504500826ad12ea1e6cf0e",
@@ -13210,7 +12947,7 @@
"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Persistence via Microsoft Office AddIns",
"sha256": "0a7bcf99db3af18ca1936e60cad4e3c6dcc4b560f8173850784204f8e4a631cc",
@@ -13239,7 +12976,7 @@
"f494c678-3c33-43aa-b169-bb3d5198c41d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 212,
"rule_name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User",
"sha256": "30ba3d2c92f6f824dc2745bf9a9f728b5d08a4fd8af315800636042be2f05a3d",
@@ -13280,7 +13017,7 @@
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Windows Script Executing PowerShell",
"sha256": "f655edd21d9ffc790dddeea99c917b3ff512004a2bce04fff2d18e285cb7554c",
@@ -13309,7 +13046,7 @@
"f580bf0a-2d23-43bb-b8e1-17548bb947ec": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 107,
"rule_name": "Rare SMB Connection to the Internet",
"sha256": "0994ac029d0e0256082d0a61be3696ee4a982af12e3efc1a96d975cb575ce7c2",
@@ -13332,7 +13069,7 @@
"f5861570-e39a-4b8a-9259-abd39f84cb97": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "WRITEDAC Access on Active Directory Object",
"sha256": "333be162aecfbad2bbd9669d7b3a4cd1351d709be0aaeae0bf00799471195531",
@@ -13348,7 +13085,7 @@
"f59668de-caa0-4b84-94c1-3a1549e1e798": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "WMIC Remote Command",
"sha256": "824ed78aea5ddf39cae5d2dc171b0f9f632d21b3e248777f36b5c884e141a689",
@@ -13370,7 +13107,7 @@
"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "Suspicious Windows Process Cluster Spawned by a Parent Process",
"sha256": "6ee5d0b1cbc2f8f3b11a2689ab4c8e4651d061d0f7728c67b6b86642eb5afc60",
@@ -13398,7 +13135,7 @@
"f63c8e3c-d396-404f-b2ea-0379d3942d73": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Windows Firewall Disabled via PowerShell",
"sha256": "b677759be5d31d2da13e1a1902fc4d9047723a793205cdaf229d6fe6c9ac5088",
@@ -13427,7 +13164,7 @@
"f675872f-6d85-40a3-b502-c0d2ef101e92": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Delete Volume USN Journal with Fsutil",
"sha256": "405bde7c6d0f3ef9dcfc7e1924b27101ba6c8b94fad77b6398bd191d56a95503",
@@ -13492,7 +13229,7 @@
"f7c4dc5a-a58d-491d-9f14-9b66507121c0": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Persistent Scripts in the Startup Directory",
"sha256": "3e8f291e2a3c067b9b355896116b130d4aea64f67e03fe8b2c4551ddfb9c83ac",
@@ -13521,7 +13258,7 @@
"f81ee52c-297e-46d9-9205-07e66931df26": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "Microsoft Exchange Worker Spawning Suspicious Processes",
"sha256": "7f50567407f055ba5fe3ae2e6d27cdcffac7fd9f9eb3dedda702f6f9a3fb15ec",
@@ -13556,7 +13293,7 @@
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 211,
"rule_name": "Modification of AmsiEnable Registry Key",
"sha256": "ed1762609d805dc2007ca323d72bbe93b721d54a113d04206e0fda5abb3ce0fd",
@@ -13579,7 +13316,7 @@
"f8822053-a5d2-46db-8c96-d460b12c36ac": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 103,
"rule_name": "Potential Active Directory Replication Account Backdoor",
"sha256": "2a62a3a177beecf69edfd14fc1bbccd14a17f2f6228349c6766b2dc90ca8fa03",
@@ -13595,7 +13332,7 @@
"f909075d-afc7-42d7-b399-600b94352fd9": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Untrusted DLL Loaded by Azure AD Sync Service",
"sha256": "d8dfe4f7a77d80cdf2454af910950a75588c1c7ad2eb770140cdf8c992dcf6ea",
@@ -13609,16 +13346,6 @@
"version": 101
},
"f94e898e-94f1-4545-8923-03e4b2866211": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "3e68a069ea98921ba60e3b258f21b0a94dc7d42b38ee50c7332daad964e6b5d0",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User",
"sha256": "165212d6d0e75e131667eef40c52817e2d905ecd2fcb315d1a8d243d1f439737",
"type": "new_terms",
@@ -13639,7 +13366,7 @@
"f97504ac-1053-498f-aeaa-c6d01e76b379": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 101,
"rule_name": "Browser Extension Install",
"sha256": "8d12e1186966462c8fa942c5ea6e8bb556922c22f3a8426371112487df44ca7a",
@@ -13662,7 +13389,7 @@
"f9790abf-bd0c-45f9-8b5f-d0b74015e029": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 109,
"rule_name": "Privileged Account Brute Force",
"sha256": "e5f51f4e2b82a0b05641ba03fe55a1433a719fe509d21bb8023368ef4e81425e",
@@ -13678,7 +13405,7 @@
"f994964f-6fce-4d75-8e79-e16ccc412588": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 307,
"rule_name": "Suspicious Activity Reported by Okta User",
"sha256": "dcd8ed2631e7ec313bd453ed2a9634447c11194385e6c1af66ddf01b0c22eb7b",
@@ -13694,7 +13421,7 @@
"fa01341d-6662-426b-9d0c-6d81e33c8a9d": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Remote File Copy to a Hidden Share",
"sha256": "b5403c097f3e0017c48a4a4c0745a2c73e8cf2922e3c43377e79ecc1dd37eeca",
@@ -13729,7 +13456,7 @@
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 108,
"rule_name": "Suspicious Antimalware Scan Interface DLL",
"sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc",
@@ -13764,7 +13491,7 @@
"fb02b8d3-71ee-4af1-bacd-215d23f17efa": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "Network Connection via Registration Utility",
"sha256": "cb733e3ad55b691ce6c736d0ab0c7b2f050a61f7c333533ad68e45882396c78d",
@@ -13778,16 +13505,6 @@
"version": 208
},
"fb0afac5-bbd6-49b0-b4f8-44e5381e1587": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "3fcf7a11e62e1413f109707eddf5ca8210aa4788b88623b7f1a905fb84193234",
"type": "threshold",
"version": 3
}
},
"rule_name": "High Number of Cloned GitHub Repos From PAT",
"sha256": "7ef0cd45faf26e657565c4ed3d9ed77f2d43bf6697cbb7d9b4c20369025ac2c4",
"type": "threshold",
@@ -13808,7 +13525,7 @@
"fc7c0fa4-8f03-4b3e-8336-c5feab0be022": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 208,
"rule_name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer",
"sha256": "66652b44a53ed252944d30e221056e1a86dd85654176778bffc526603112d74e",
@@ -13829,16 +13546,6 @@
"version": 309
},
"fc909baa-fb34-4c46-9691-be276ef4234c": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "b8f1378c21d3e35e4db3d9cde9f1583494304e86dc8dbb9a39468206794f91bf",
"type": "new_terms",
"version": 3
}
},
"rule_name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)",
"sha256": "88ee00977794183d05cd85d41e19dab9c8d4b4a87b094f87b878f06f3dc6f010",
"type": "new_terms",
@@ -13851,16 +13558,6 @@
"version": 3
},
"fd01b949-81be-46d5-bcf8-284395d5f56d": {
"min_stack_version": "8.12",
"previous": {
"8.11": {
"max_allowable_version": 102,
"rule_name": "GitHub App Deleted",
"sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960",
"type": "eql",
"version": 3
}
},
"rule_name": "GitHub App Deleted",
"sha256": "e753f36a6cb3de3d832b482c3fe3daf064a993d627e5b844c6f2993f5bd15de7",
"type": "eql",
@@ -13881,7 +13578,7 @@
"fd4a992d-6130-4802-9ff8-829b89ae801f": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 210,
"rule_name": "Potential Application Shimming via Sdbinst",
"sha256": "9f7d06cfbaaf01ad88f6a276c277892a422e7537769e0d96e7070b2598e9ad63",
@@ -13904,7 +13601,7 @@
"fd70c98a-c410-42dc-a2e3-761c71848acf": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 209,
"rule_name": "Suspicious CertUtil Commands",
"sha256": "65a47d83fe08648f0df1cee5903ebfd3630543555b6fd161876fa448da9c527c",
@@ -13927,7 +13624,7 @@
"fd7a6052-58fa-4397-93c3-4795249ccfa2": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 317,
"rule_name": "Svchost spawning Cmd",
"sha256": "e120819a00740e66d735aed46354c8c204941e187fffe5705afac9bc20b2c37f",
@@ -13962,7 +13659,7 @@
"fddff193-48a3-484d-8d35-90bb3d323a56": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "PowerShell Kerberos Ticket Dump",
"sha256": "e706f825293f97ffcf09c0d6cf29360f290b2af6f4fd63321077a785996970b3",
@@ -13978,7 +13675,7 @@
"fe25d5bc-01fa-494a-95ff-535c29cc4c96": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 106,
"rule_name": "PowerShell Script with Password Policy Discovery Capabilities",
"sha256": "549dac6c269368c82ba41a9b89a211dab398c0448459487fd6c8c7d2b19c4cf9",
@@ -13994,7 +13691,7 @@
"fe794edd-487f-4a90-b285-3ee54f2af2d3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 213,
"rule_name": "Microsoft Windows Defender Tampering",
"sha256": "1f2195434989e3990924d92909511eadf813d2f24724f6cb94b7aab7d20bfada",
@@ -14029,7 +13726,7 @@
"feeed87c-5e95-4339-aef1-47fd79bcfbe3": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 207,
"rule_name": "MS Office Macro Security Registry Modifications",
"sha256": "d89feb920d5a0d3e030a96c263df8d04776b80b8b6ba19c208082ea006e19329",
@@ -14088,7 +13785,7 @@
"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029": {
"min_stack_version": "8.14",
"previous": {
"8.11": {
"8.12": {
"max_allowable_version": 100,
"rule_name": "Alternate Data Stream Creation/Execution at Volume Root Directory",
"sha256": "b84b07ea9bb5fca4cc1522b6f29f121b0a4dc4e0b59d3c48a6b7a2cab83f18bb",
+18
@@ -287,6 +287,24 @@ def migrate_to_8_14(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
@migrate("8.15")
def migrate_to_8_15(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.15."""
return strip_additional_properties(version, api_contents)
@migrate("8.16")
def migrate_to_8_16(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.16."""
return strip_additional_properties(version, api_contents)
@migrate("8.17")
def migrate_to_8_17(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.17."""
return strip_additional_properties(version, api_contents)
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
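Review bot: The three new `@migrate` functions are identical apart from the version string, and their docstrings do not say what "default" means, so a reader cannot tell whether a 8.17-specific schema change was considered and found unnecessary; I would expand each to something like `"""Default migration for 8.17: no 8.17-specific schema changes, only strips properties the 8.17 API does not accept."""` (the second half is inferred from the name `strip_additional_properties` and should be confirmed against its definition, which is outside this hunk). It is also worth confirming how `downgrade`, which starts on the last lines of this hunk and continues past it, behaves for a target version with no registered migration, since 8.15 and 8.16 appear to have been lockable before this commit (the workflow default previously listed them) yet had no entry here; if a missing step is silently skipped, a small test asserting that every version in the lock list has a `@migrate` entry would catch this on the next release prep. The hand-written copies could alternatively be registered in a loop over the version list, but that is a matter of taste.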
+1 -1
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "0.3.0"
version = "0.3.1"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -2,9 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
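Review bot: Removing `min_stack_version = "8.12.0"` and `min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."` leaves this rule with no recorded lower bound, so the reason it cannot run on 8.11 now lives only in git history; that is safe only if 8.12 is the oldest stack version the repository still locks, which the workflow default `'8.12,8.13,8.14,8.15,8.16,8.17'` in this commit suggests but the rule file itself no longer shows. If the lock list is ever widened again or a rule is backported, nothing in the file will stop it being targeted at a stack where the GitHub integration fields differ, so consider keeping a one-sentence pointer to the 8.12 requirement in the rule's `note` or `setup` text, which tooling is less likely to strip than a TOML comment. The same removal recurs in every other GitHub rule hunk in this commit and in the two jamf_protect rules, and the lock-file hunks above drop the matching `"8.11"` previous-version entries; the `updated_date` bump on its own is fine.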
@@ -2,9 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2024/12/03"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -2,9 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -2,17 +2,15 @@
creation_date = "2024/09/12"
integration = ["endpoint", "jamf_protect"]
maturity = "production"
min_stack_comments = "The jamf integration is available for stack versions 8.12 and above"
min_stack_version = "8.12.0"
updated_date = "2024/09/12"
updated_date = "2024/12/09"
[transform]
[[transform.investigate]]
label = "Show events having the same responsible process"
providers = [
[
{field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"},
{field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"}
{ excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" }
]
]
@@ -20,24 +18,23 @@ providers = [
label = "Show events having the same parent process"
providers = [
[
{field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"},
{field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"}
{ excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
]
]
[rule]
author = ["Thijs Xhaflaire"]
description = """
Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard
contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
"""
from = "now-9m"
index = ["logs-jamf_protect*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious pbpaste High Volume Activity"
references = [
"https://www.loobins.io/binaries/pbpaste/"
]
note = """## Triage and analysis
To investigate `pbpaste` activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps:
@@ -69,6 +66,7 @@ To investigate `pbpaste` activity, focus on determining whether the binary is be
By thoroughly investigating these aspects of `pbpaste` activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed.
"""
references = ["https://www.loobins.io/binaries/pbpaste/"]
risk_score = 47
rule_id = "e29599ee-d6ad-46a9-9c6a-dc39f361890d"
setup = """## Setup
@@ -96,7 +94,7 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Data Source: Jamf Protect",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
@@ -115,7 +113,6 @@ name = "Input Capture"
reference = "https://attack.mitre.org/techniques/T1056/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
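Review bot: Dropping `min_stack_comments = "The jamf integration is available for stack versions 8.12 and above"` together with `min_stack_version = "8.12.0"` removes the only statement in this file of why the rule cannot run below 8.12; the constraint now rests entirely on 8.12 being the repository's oldest locked version, which the workflow change in this commit suggests but which a reader of this rule cannot see. If that floor is intentional, it would help to state it where users will read it, for example one sentence in the `setup` section (outside this hunk) noting that the Jamf Protect integration requires stack 8.12 or later. The rest of the section is formatter output (key reordering in the providers, `references` moved below `note`, description reflow, trailing comma in `tags`, a dropped blank line) and changes no rule logic.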
@@ -2,27 +2,25 @@
creation_date = "2024/09/12"
integration = ["jamf_protect"]
maturity = "production"
min_stack_comments = "The jamf integration is available for stack versions 8.12 and above"
min_stack_version = "8.12.0"
updated_date = "2024/09/12"
updated_date = "2024/12/09"
[transform]
[[transform.investigate]]
label = "Show events after Privilege Escalation"
relativeFrom = "now"
relativeTo = "now+30m"
providers = [
[
{field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"}
{ excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" }
]
]
relativeFrom = "now"
relativeTo = "now+30m"
[[transform.investigate]]
label = "Show events having the same reponsible process"
providers = [
[
{field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"},
{field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"}
{ excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string" }
]
]
@@ -30,26 +28,20 @@ providers = [
label = "Show events having the same parent process"
providers = [
[
{field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"},
{field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"}
{ excluded = false, field = "host.hostname", queryType = "phrase", value = "{{host.hostname}}", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
]
]
[rule]
author = ["Thijs Xhaflaire"]
description = """
Identifies users being added to the admin group. This could be an indication of privilege
escalation activity.
"""
description = "Identifies users being added to the admin group. This could be an indication of privilege\nescalation activity.\n"
from = "now-9m"
index = ["logs-jamf_protect*"]
language = "eql"
license = "Elastic License v2"
name = "User Added to the Admin Group"
references = [
"https://www.loobins.io/binaries/dscl/",
"https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"
]
note = """## Triage and analysis
To thoroughly investigate the actions that occurred **after a user was elevated to administrator**, it's essential to conduct a search on the Timeline. This allows you to review and understand the sequence of events that followed the elevation, helping to identify any potentially malicious or unauthorized activities that might have taken place. **Analyzing these actions is crucial for maintaining security and ensuring that the elevation was not exploited for harmful purposes.**
@@ -67,6 +59,10 @@ $investigate_0
$investigate_1
$investigate_2
"""
references = [
"https://www.loobins.io/binaries/dscl/",
"https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/",
]
risk_score = 21
rule_id = "04e65517-16e9-4fc4-b7f1-94dc21ecea0d"
setup = """## Setup
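Review bot: The `description` on the new side was collapsed from a multi-line string into a single-line string with a literal `\n` in the middle of a sentence (`privilege\nescalation activity.\n`), which is inconsistent with the pbpaste rule in this same commit that keeps its description as a reflowed triple-quoted string, and the embedded line break will appear wherever the description is rendered verbatim; I would write `description = "Identifies users being added to the admin group. This could be an indication of privilege escalation activity."` or keep the triple-quoted form. The unchanged label in the first hunk of this file also carries a typo that this pass could fix: `label = "Show events having the same responsible process"`. As with the other rules in this commit, removing `min_stack_version = "8.12.0"` and its comment leaves the rule with no recorded lower bound for the jamf_protect integration, so that requirement should be stated in the `setup` text if 8.12 is meant to remain the floor.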
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
@@ -3,9 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/11/27"
min_stack_version = "8.12.0"
min_stack_comments = "Breaking change at 8.12.0 for the Github Integration."
updated_date = "2024/12/09"
[rule]
author = ["Elastic"]
